Edit tour

Windows Analysis Report
Creal.exe

Overview

General Information

Sample name:	Creal.exe
Analysis ID:	1553263
MD5:	017603b860f67f7f65f724e519465926
SHA1:	51b1924ec73969fc16e00c0e80597c07711cf866
SHA256:	1ba7bedaaa3a81350a78cf579e625e879d6d68cef0f7ac8c55cc419798f380e1
Tags:	exeuser-aachum
Infos:

Detection

Creal Stealer

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Creal Stealer

AI detected suspicious sample

Drops PE files to the startup folder

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal communication platform credentials (via file / registry access)

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect virtual machines (SGDT)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May check the online IP address of the machine

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Sigma detected: Usage Of Web Request Commands And Cmdlets

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Creal.exe (PID: 3964 cmdline: "C:\Users\user\Desktop\Creal.exe" MD5: 017603B860F67F7F65F724E519465926)

Creal.exe (PID: 6572 cmdline: "C:\Users\user\Desktop\Creal.exe" MD5: 017603B860F67F7F65F724E519465926)

cmd.exe (PID: 1352 cmdline: C:\Windows\system32\cmd.exe /c "curl ifconfig.me" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 6504 cmdline: curl ifconfig.me MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

Creal.exe (PID: 6488 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe" MD5: 017603B860F67F7F65F724E519465926)

Creal.exe (PID: 6504 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe" MD5: 017603B860F67F7F65F724E519465926)

cmd.exe (PID: 4332 cmdline: C:\Windows\system32\cmd.exe /c "curl ifconfig.me" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 1396 cmdline: curl ifconfig.me MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cleanup

Malware Configuration

Threatname: Creal Stealer

{"C2 url": "https://discord.com/api/webhooks/1304534397680357396/jwWT3Q8Ovv9Vvgd-RNJrwcYvcpgO5pbMYyd8C4eotXdFUJqgeAOXJwz_fHbLjM5ITcpj"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
00000008.00000003.2240741453.0000019819C93000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
00000008.00000002.3274781930.000001981A390000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
Process Memory Space: Creal.exe PID: 6572	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
Process Memory Space: Creal.exe PID: 6504	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
Click to see the 1 entries

Sigma Signatures

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\Creal.exe, ProcessId: 6572, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c "curl ifconfig.me", CommandLine: C:\Windows\system32\cmd.exe /c "curl ifconfig.me", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Creal.exe", ParentImage: C:\Users\user\Desktop\Creal.exe, ParentProcessId: 6572, ParentProcessName: Creal.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "curl ifconfig.me", ProcessId: 1352, ProcessName: cmd.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-10T17:25:13.442135+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.5	49713	TCP
2024-11-10T17:25:52.233923+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.5	49900	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Creal.exe

Avira: detected

Found malware configuration

Source: Creal.exe.6572.2.memstrmin

Malware Configuration Extractor: Creal Stealer {"C2 url": "https://discord.com/api/webhooks/1304534397680357396/jwWT3Q8Ovv9Vvgd-RNJrwcYvcpgO5pbMYyd8C4eotXdFUJqgeAOXJwz_fHbLjM5ITcpj"}

Multi AV Scanner detection for submitted file

Source: Creal.exe

ReversingLabs: Detection: 15%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: geolocation-db.com

Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1492 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A92D1492
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9312A50 SRP_Calc_u_ex,BN_num_bits,CRYPTO_malloc,ERR_new,ERR_set_debug,BN_bn2bin,BN_clear_free,BN_clear_free,	2_2_00007FF8A9312A50
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D114F CRYPTO_free,ERR_new,ERR_set_debug,	2_2_00007FF8A92D114F
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1A05 ERR_new,ERR_set_debug,ERR_set_error,ASN1_item_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,_time64,X509_free,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ASN1_item_free,	2_2_00007FF8A92D1A05
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92E4930 CRYPTO_get_ex_new_index,	2_2_00007FF8A92E4930
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1EE2 CRYPTO_free,CRYPTO_strndup,CRYPTO_free,OPENSSL_cleanse,_time64,memcpy,EVP_MD_get0_name,EVP_MD_is_a,ERR_new,ERR_set_debug,OPENSSL_cleanse,ERR_new,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_new,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,	2_2_00007FF8A92D1EE2
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D139D memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,	2_2_00007FF8A92D139D
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D2185 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,	2_2_00007FF8A92D2185
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A931E920 CRYPTO_free,	2_2_00007FF8A931E920
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D204F CRYPTO_free,CRYPTO_malloc,ERR_new,RAND_bytes_ex,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,	2_2_00007FF8A92D204F
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92E4990 i2d_X509_NAME,i2d_X509_NAME,memcmp,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A92E4990
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D24EB CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,	2_2_00007FF8A92D24EB
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A93289F0 CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A93289F0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1893 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_strdup,ERR_new,ERR_set_debug,	2_2_00007FF8A92D1893
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D17DF ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92D17DF
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9334C40 ERR_new,ERR_set_debug,X509_get0_pubkey,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,RAND_bytes_ex,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_encrypt_init,EVP_PKEY_encrypt,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free,	2_2_00007FF8A9334C40
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D4C00 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92D4C00
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A931EC70 CRYPTO_free,	2_2_00007FF8A931EC70
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A931EC10 CRYPTO_free,	2_2_00007FF8A931EC10
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9318C80 CRYPTO_free,	2_2_00007FF8A9318C80
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D22D9 CRYPTO_malloc,CONF_parse_list,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A92D22D9
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9328CA0 CRYPTO_free,CRYPTO_strndup,	2_2_00007FF8A9328CA0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D257C ERR_new,ERR_set_debug,CRYPTO_free,BIO_clear_flags,BIO_set_flags,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,OPENSSL_cleanse,	2_2_00007FF8A92D257C
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D4B30 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92D4B30
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1460 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,BIO_snprintf,	2_2_00007FF8A92D1460
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92E6B20 CRYPTO_THREAD_run_once,OPENSSL_sk_find,OPENSSL_sk_value,EVP_CIPHER_fetch,EVP_CIPHER_get_flags,	2_2_00007FF8A92E6B20
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92FEB10 CRYPTO_THREAD_write_lock,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,	2_2_00007FF8A92FEB10
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1A0F ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get0_cipher,EVP_CIPHER_get_flags,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_get0_md,EVP_MD_get_size,CRYPTO_memcmp,ERR_set_mark,ERR_clear_last_mark,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_pop_to_mark,ERR_clear_last_mark,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,EVP_MD_CTX_get0_md,CRYPTO_memcmp,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,strncmp,strncmp,strncmp,strncmp,strncmp,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,	2_2_00007FF8A92D1A0F
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92EEB48 CRYPTO_free,	2_2_00007FF8A92EEB48
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1AB4 CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,	2_2_00007FF8A92D1AB4
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92EEDC1 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,BUF_MEM_free,EVP_MD_CTX_free,X509_free,X509_VERIFY_PARAM_move_peername,CRYPTO_free,	2_2_00007FF8A92EEDC1
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D236A CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A92D236A
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1B54 memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,memcmp,EVP_CIPHER_CTX_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcmp,memcmp,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,	2_2_00007FF8A92D1B54
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92DCEA0 CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_free,memset,CRYPTO_free,	2_2_00007FF8A92DCEA0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D117C _time64,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,	2_2_00007FF8A92D117C
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9342EE0 CRYPTO_memcmp,	2_2_00007FF8A9342EE0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9318E90 CRYPTO_malloc,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,	2_2_00007FF8A9318E90
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D17E9 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcmp,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcmp,ERR_new,CRYPTO_memdup,ERR_new,ERR_new,ERR_new,ERR_set_debug,	2_2_00007FF8A92D17E9
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92ECD30 CRYPTO_free,CRYPTO_free,CRYPTO_free_ex_data,OPENSSL_LH_free,X509_STORE_free,CTLOG_STORE_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_secure_free,EVP_MD_get0_provider,EVP_MD_free,EVP_MD_get0_provider,EVP_MD_free,EVP_CIPHER_get0_provider,EVP_CIPHER_free,EVP_MD_get0_provider,EVP_MD_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A92ECD30
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D136B ERR_new,ERR_set_debug,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,ERR_new,ERR_set_debug,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A92D136B
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9318D40 OPENSSL_cleanse,CRYPTO_free,	2_2_00007FF8A9318D40
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1CBC EVP_MD_get_size,ERR_new,ERR_set_debug,RAND_bytes_ex,ERR_new,ERR_set_debug,_time64,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A92D1CBC
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1771 CRYPTO_free,	2_2_00007FF8A92D1771
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1811 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	2_2_00007FF8A92D1811
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D222F ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,	2_2_00007FF8A92D222F
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92EEDC1 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,BUF_MEM_free,EVP_MD_CTX_free,X509_free,X509_VERIFY_PARAM_move_peername,CRYPTO_free,	2_2_00007FF8A92EEDC1
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9335070 BN_num_bits,BN_bn2bin,CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A9335070
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A934B070 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A934B070
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92FF070 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,_time64,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_new_ex_data,CRYPTO_THREAD_lock_free,ERR_new,ERR_set_debug,memcpy,	2_2_00007FF8A92FF070
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D2117 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,	2_2_00007FF8A92D2117
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D21DF CRYPTO_memcmp,	2_2_00007FF8A92D21DF
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D2374 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A92D2374
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92F9080 CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	2_2_00007FF8A92F9080
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A93050D8 EVP_MAC_CTX_free,CRYPTO_free,	2_2_00007FF8A93050D8
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A93130A0 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	2_2_00007FF8A93130A0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D14CE CRYPTO_free,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,	2_2_00007FF8A92D14CE
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D2144 EVP_CIPHER_get_mode,EVP_CIPHER_get_mode,EVP_CIPHER_get_iv_length,EVP_CIPHER_get_key_length,CRYPTO_malloc,ERR_new,ERR_set_debug,	2_2_00007FF8A92D2144
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D4FD0 CRYPTO_free,	2_2_00007FF8A92D4FD0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D20E5 CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A92D20E5
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1389 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92D1389
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A931E200 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A931E200
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D19DD BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,CRYPTO_free,CRYPTO_strdup,	2_2_00007FF8A92D19DD
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D4100 CRYPTO_free,	2_2_00007FF8A92D4100
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1F55 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	2_2_00007FF8A92D1F55
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D15E6 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,memcpy,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92D15E6
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A931E190 CRYPTO_free,	2_2_00007FF8A931E190
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92EE427 CRYPTO_THREAD_write_lock,	2_2_00007FF8A92EE427
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92F2410 ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_dup,X509_VERIFY_PARAM_new,X509_VERIFY_PARAM_inherit,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_malloc,memcpy,CRYPTO_new_ex_data,	2_2_00007FF8A92F2410
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D23DD EVP_MD_get_size,EVP_CIPHER_get_iv_length,EVP_CIPHER_get_key_length,CRYPTO_clear_free,CRYPTO_malloc,ERR_new,ERR_set_debug,	2_2_00007FF8A92D23DD
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1AC3 CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,	2_2_00007FF8A92D1AC3
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D198D CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	2_2_00007FF8A92D198D
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D26E4 BIO_s_file,BIO_new,ERR_new,ERR_set_debug,BIO_ctrl,ERR_new,ERR_set_debug,strncmp,ERR_new,ERR_set_debug,strncmp,CRYPTO_realloc,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,PEM_read_bio,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free,	2_2_00007FF8A92D26E4
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9304490 CRYPTO_realloc,memcpy,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A9304490
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1ACD ERR_new,ERR_set_debug,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,memcpy,ERR_new,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A92D1ACD
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D18B6 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92D18B6
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1B31 CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A92D1B31
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D4300 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92D4300
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92E2360 CRYPTO_THREAD_run_once,	2_2_00007FF8A92E2360
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9330330 CRYPTO_free,CRYPTO_strndup,	2_2_00007FF8A9330330
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A93343C0 EVP_MD_CTX_new,EVP_DigestInit,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_MD_CTX_free,CRYPTO_malloc,EVP_PKEY_CTX_ctrl,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,CRYPTO_clear_free,ERR_new,ERR_set_debug,	2_2_00007FF8A93343C0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A933A3D0 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A933A3D0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9328390 CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A9328390
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1D93 EVP_CIPHER_CTX_free,EVP_CIPHER_CTX_free,EVP_CIPHER_CTX_free,CRYPTO_zalloc,EVP_MAC_CTX_free,EVP_MAC_free,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MAC_fetch,EVP_MAC_CTX_new,EVP_MAC_free,EVP_CIPHER_CTX_new,EVP_CIPHER_fetch,OSSL_PARAM_construct_utf8_string,OSSL_PARAM_construct_end,EVP_MAC_init,EVP_DecryptInit_ex,EVP_CIPHER_free,EVP_CIPHER_free,EVP_CIPHER_free,EVP_MAC_CTX_get_mac_size,EVP_CIPHER_CTX_get_iv_length,EVP_MAC_final,CRYPTO_memcmp,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,memcpy,ERR_clear_error,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MAC_CTX_free,CRYPTO_free,	2_2_00007FF8A92D1D93
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D24CD CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,	2_2_00007FF8A92D24CD
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9336650 EVP_CIPHER_CTX_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,	2_2_00007FF8A9336650
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D13D9 OPENSSL_sk_new_null,ERR_new,ERR_set_debug,X509_new_ex,d2i_X509,CRYPTO_free,OPENSSL_sk_push,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_new,ERR_set_debug,X509_free,OPENSSL_sk_pop_free,	2_2_00007FF8A92D13D9
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9314660 CRYPTO_malloc,memset,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,	2_2_00007FF8A9314660
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D162C EVP_MD_CTX_new,ERR_new,ERR_set_debug,ERR_new,EVP_MD_get0_name,EVP_DigestSignInit_ex,ERR_new,ERR_set_debug,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,EVP_DigestSignUpdate,EVP_DigestSignFinal,CRYPTO_malloc,EVP_DigestSignFinal,ERR_new,ERR_new,EVP_DigestSign,ERR_new,CRYPTO_malloc,EVP_DigestSign,BUF_reverse,ERR_new,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_MD_CTX_free,	2_2_00007FF8A92D162C
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1212 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	2_2_00007FF8A92D1212
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9328620 CRYPTO_memcmp,	2_2_00007FF8A9328620
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92EA6D0 CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,	2_2_00007FF8A92EA6D0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A93126B0 ERR_new,ERR_set_debug,BN_num_bits,CRYPTO_malloc,ERR_new,ERR_set_debug,BN_bn2bin,ERR_new,ERR_set_debug,BN_clear_free,BN_clear_free,CRYPTO_clear_free,ERR_new,ERR_set_debug,BN_clear_free,BN_clear_free,BN_clear_free,	2_2_00007FF8A93126B0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92E4530 OPENSSL_sk_num,X509_STORE_CTX_new_ex,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_value,X509_STORE_CTX_init,ERR_new,ERR_set_debug,ERR_set_error,X509_STORE_CTX_free,X509_STORE_CTX_set_flags,CRYPTO_THREAD_run_once,X509_STORE_CTX_set_ex_data,OPENSSL_sk_num,X509_STORE_CTX_set0_dane,X509_STORE_CTX_set_default,X509_VERIFY_PARAM_set1,X509_STORE_CTX_set_verify_cb,X509_verify_cert,X509_STORE_CTX_get_error,OPENSSL_sk_pop_free,X509_STORE_CTX_get0_chain,X509_STORE_CTX_get1_chain,ERR_new,ERR_set_debug,ERR_set_error,X509_VERIFY_PARAM_move_peername,X509_STORE_CTX_free,	2_2_00007FF8A92E4530
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9346550 CRYPTO_memcmp,	2_2_00007FF8A9346550
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D85A0 CRYPTO_zalloc,CRYPTO_free,	2_2_00007FF8A92D85A0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1488 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92D1488
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92F05E0 X509_VERIFY_PARAM_free,CRYPTO_free_ex_data,BIO_pop,BIO_free,BIO_free_all,BIO_free_all,BUF_MEM_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,SCT_LIST_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_MD_CTX_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,ASYNC_WAIT_CTX_free,CRYPTO_free,OPENSSL_sk_free,CRYPTO_THREAD_lock_free,CRYPTO_free,	2_2_00007FF8A92F05E0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D2423 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92D2423
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9334860 ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_free,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,OPENSSL_cleanse,OPENSSL_cleanse,CRYPTO_clear_free,CRYPTO_clear_free,	2_2_00007FF8A9334860
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9348870 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_free,OPENSSL_sk_dup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_free,ERR_new,ERR_set_debug,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A9348870
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1F3C CRYPTO_malloc,ERR_new,ERR_set_debug,	2_2_00007FF8A92D1F3C
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A931E8C0 CRYPTO_free,	2_2_00007FF8A931E8C0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A933C8E0 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A933C8E0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A934A8F0 EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,EVP_PKEY_decrypt_init,ERR_new,ERR_set_debug,X509_get0_pubkey,ERR_clear_error,ASN1_item_d2i,ASN1_TYPE_get,ERR_new,ERR_set_debug,EVP_PKEY_decrypt,ERR_new,EVP_PKEY_CTX_ctrl,ERR_new,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,ASN1_item_free,	2_2_00007FF8A934A8F0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D26B2 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_strdup,	2_2_00007FF8A92D26B2
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D16A4 CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A92D16A4
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D120D EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset,	2_2_00007FF8A92D120D
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D103C CRYPTO_malloc,COMP_expand_block,	2_2_00007FF8A92D103C
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A931E700 CRYPTO_free,	2_2_00007FF8A931E700
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D25F4 CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,memcpy,memcmp,memcmp,memcmp,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_clear_free,	2_2_00007FF8A92D25F4
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A931E781 CRYPTO_free,CRYPTO_free,	2_2_00007FF8A931E781
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1CA3 CRYPTO_strdup,CRYPTO_free,	2_2_00007FF8A92D1CA3
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1F28 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_strdup,	2_2_00007FF8A92D1F28
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1401 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A92D1401
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1A15 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	2_2_00007FF8A92D1A15
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9319A60 ERR_new,ERR_set_debug,EVP_MD_CTX_get0_md,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_set_mark,ERR_pop_to_mark,ERR_new,ERR_set_debug,ERR_clear_last_mark,EVP_MD_CTX_get0_md,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,	2_2_00007FF8A9319A60
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9333A60 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,EVP_PKEY_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,	2_2_00007FF8A9333A60
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9313A00 CRYPTO_free,CRYPTO_free,OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A9313A00
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92E7A60 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_malloc,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,strncmp,CRYPTO_free,CRYPTO_free,OPENSSL_sk_new_null,CRYPTO_free,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_push,OPENSSL_sk_delete,OPENSSL_sk_num,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_free,CRYPTO_free,OPENSSL_sk_free,	2_2_00007FF8A92E7A60
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A933BA20 CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A933BA20
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92FFAF0 CRYPTO_malloc,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,X509_chain_up_ref,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_dup_ex_data,CRYPTO_strdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_memdup,	2_2_00007FF8A92FFAF0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92DF910 ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,CRYPTO_malloc,CRYPTO_malloc,EVP_PKEY_encapsulate,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,CRYPTO_free,EVP_PKEY_CTX_free,	2_2_00007FF8A92DF910
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9321970 ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,CRYPTO_free,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,	2_2_00007FF8A9321970
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A934B900 BN_bin2bn,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A934B900
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1E6A ERR_new,ERR_set_debug,CRYPTO_clear_free,	2_2_00007FF8A92D1E6A
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D11DB EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,	2_2_00007FF8A92D11DB
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1A41 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,memcmp,ERR_new,ERR_set_debug,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A92D1A41
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A931D980 RAND_bytes_ex,CRYPTO_malloc,memset,	2_2_00007FF8A931D980
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D105F ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,CRYPTO_clear_free,	2_2_00007FF8A92D105F
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D19E7 CRYPTO_free,	2_2_00007FF8A92D19E7
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1483 CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A92D1483
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1582 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	2_2_00007FF8A92D1582
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92E5CB0 COMP_zlib,OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,COMP_get_name,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_sort,	2_2_00007FF8A92E5CB0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D5C9B CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,BIO_set_init,BIO_set_data,BIO_clear_flags,	2_2_00007FF8A92D5C9B
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D2595 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	2_2_00007FF8A92D2595
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D23F1 CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A92D23F1
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92E3CC0 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	2_2_00007FF8A92E3CC0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A934BB70 OPENSSL_sk_new_null,ERR_new,ERR_set_debug,X509_new_ex,d2i_X509,CRYPTO_free,CRYPTO_memcmp,ERR_new,ERR_set_debug,OPENSSL_sk_push,OPENSSL_sk_num,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,X509_free,OPENSSL_sk_pop_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_value,X509_get0_pubkey,ERR_new,ERR_set_debug,X509_free,OPENSSL_sk_shift,OPENSSL_sk_pop_free,ERR_new,ERR_set_debug,	2_2_00007FF8A934BB70
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A931FB00 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,	2_2_00007FF8A931FB00
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92E5BB0 OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_sort,	2_2_00007FF8A92E5BB0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92FDBA0 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,_time64,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_new_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free,	2_2_00007FF8A92FDBA0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92F5B90 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92F5B90
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D155A ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,	2_2_00007FF8A92D155A
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9331B9F CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,	2_2_00007FF8A9331B9F
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92F5E10 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92F5E10
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D25DB CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,	2_2_00007FF8A92D25DB
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D150F OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_new_reserve,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_value,X509_VERIFY_PARAM_get_depth,CRYPTO_dup_ex_data,X509_VERIFY_PARAM_inherit,OPENSSL_sk_dup,OPENSSL_sk_dup,	2_2_00007FF8A92D150F
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D2720 CRYPTO_free,CRYPTO_strdup,	2_2_00007FF8A92D2720
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D2310 ERR_new,ERR_set_debug,_time64,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_new,EVP_MD_fetch,ERR_new,ERR_new,ERR_set_debug,EVP_MD_free,EVP_MD_get_size,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,EVP_MD_free,CRYPTO_free,	2_2_00007FF8A92D2310
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D108C ERR_new,ERR_set_debug,CRYPTO_free,	2_2_00007FF8A92D108C
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A933BE20 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A933BE20
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D3EB0 CRYPTO_free,	2_2_00007FF8A92D3EB0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D107D CRYPTO_free,	2_2_00007FF8A92D107D
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D5EE0 BIO_get_data,BIO_get_shutdown,BIO_get_init,BIO_clear_flags,BIO_set_init,CRYPTO_free,	2_2_00007FF8A92D5EE0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D2680 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	2_2_00007FF8A92D2680
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1CEE CRYPTO_malloc,memset,memcpy,memcpy,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,OPENSSL_cleanse,	2_2_00007FF8A92D1CEE
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92F5D20 CRYPTO_free,CRYPTO_free,	2_2_00007FF8A92F5D20
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9333D20 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,	2_2_00007FF8A9333D20
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1D89 CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A92D1D89
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92F6030 ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_insert,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,d2i_X509,X509_get0_pubkey,X509_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,X509_free,OPENSSL_sk_new_null,OPENSSL_sk_push,ERR_new,ERR_set_debug,ERR_set_error,X509_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,X509_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92F6030
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D202C CRYPTO_free,	2_2_00007FF8A92D202C
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D23EC CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A92D23EC
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92DE0AD ERR_set_debug,CRYPTO_free,CRYPTO_strdup,ERR_new,	2_2_00007FF8A92DE0AD
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A93280C0 CRYPTO_memdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A93280C0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92F20A0 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,	2_2_00007FF8A92F20A0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92EC080 CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A92EC080
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1361 CRYPTO_malloc,EVP_PKEY_set_type,EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_CTX_free,ERR_pop_to_mark,CRYPTO_free,EVP_PKEY_free,	2_2_00007FF8A92D1361
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D2527 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A92D2527
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A93300A0 CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A93300A0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92EBF30 CRYPTO_memcmp,	2_2_00007FF8A92EBF30
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A933DF40 CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,	2_2_00007FF8A933DF40
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92E5F20 CRYPTO_THREAD_run_once,	2_2_00007FF8A92E5F20
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1B18 ERR_new,ERR_set_debug,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,OPENSSL_cleanse,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_new,ERR_set_debug,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,CRYPTO_memcmp,ERR_new,ERR_new,	2_2_00007FF8A92D1B18
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1C53 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	2_2_00007FF8A92D1C53
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9333F30 ERR_new,ERR_set_debug,X509_get0_pubkey,EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,CRYPTO_malloc,EVP_PKEY_encrypt_init,RAND_bytes_ex,EVP_MD_CTX_new,EVP_DigestInit,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_MD_CTX_free,EVP_PKEY_CTX_ctrl,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug,EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_MD_CTX_free,	2_2_00007FF8A9333F30
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92DDFB5 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A92DDFB5
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1019 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A92D1019
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92DD227 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92DD227
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1F8C CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,	2_2_00007FF8A92D1F8C
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9343260 CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A9343260
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1262 X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,	2_2_00007FF8A92D1262
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1B90 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	2_2_00007FF8A92D1B90
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9337230 CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,	2_2_00007FF8A9337230
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D195B CRYPTO_zalloc,EVP_MAC_free,EVP_MAC_CTX_free,CRYPTO_free,	2_2_00007FF8A92D195B
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1A32 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,	2_2_00007FF8A92D1A32
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A93092E0 CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A93092E0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D11A9 EVP_MAC_CTX_free,CRYPTO_free,	2_2_00007FF8A92D11A9
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9331170 ERR_new,ERR_set_debug,CRYPTO_clear_free,	2_2_00007FF8A9331170
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92FD170 CRYPTO_THREAD_write_lock,OPENSSL_sk_new_null,OPENSSL_LH_delete,OPENSSL_sk_push,OPENSSL_LH_set_down_load,CRYPTO_THREAD_unlock,OPENSSL_sk_pop_free,	2_2_00007FF8A92FD170
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92DF160 CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A92DF160
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9319120 CRYPTO_malloc,ERR_new,ERR_set_debug,	2_2_00007FF8A9319120
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1A23 BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,CRYPTO_strdup,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	2_2_00007FF8A92D1A23
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1997 ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_decapsulate,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free,	2_2_00007FF8A92D1997
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D2126 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memcmp,ERR_new,ERR_set_debug,_time64,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A92D2126
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1444 EVP_MD_CTX_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,	2_2_00007FF8A92D1444
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A934B430 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,EVP_PKEY_decrypt_init,EVP_PKEY_CTX_set_rsa_padding,OSSL_PARAM_construct_uint,OSSL_PARAM_construct_end,EVP_PKEY_CTX_set_params,EVP_PKEY_decrypt,OPENSSL_cleanse,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_CTX_free,	2_2_00007FF8A934B430
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1EDD CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_find,CRYPTO_free,ERR_new,ERR_set_debug,OPENSSL_sk_push,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92D1EDD
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A93214E0 CRYPTO_memcmp,	2_2_00007FF8A93214E0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1393 OSSL_PROVIDER_do_all,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,	2_2_00007FF8A92D1393
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1992 ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_strdup,OPENSSL_LH_new,X509_STORE_new,CTLOG_STORE_new_ex,OPENSSL_sk_num,X509_VERIFY_PARAM_new,OPENSSL_sk_new_null,OPENSSL_sk_new_null,CRYPTO_new_ex_data,CRYPTO_secure_zalloc,RAND_bytes_ex,RAND_priv_bytes_ex,RAND_priv_bytes_ex,RAND_priv_bytes_ex,ERR_new,ERR_set_debug,	2_2_00007FF8A92D1992
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9343480 CRYPTO_free,CRYPTO_strndup,	2_2_00007FF8A9343480
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D111D CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,EVP_PKEY_up_ref,X509_up_ref,EVP_PKEY_up_ref,X509_chain_up_ref,CRYPTO_malloc,memcpy,CRYPTO_malloc,memcpy,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,ERR_new,CRYPTO_malloc,memcpy,CRYPTO_memdup,X509_STORE_up_ref,X509_STORE_up_ref,CRYPTO_strdup,	2_2_00007FF8A92D111D
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92DB300 CRYPTO_clear_free,	2_2_00007FF8A92DB300
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1677 CRYPTO_THREAD_write_lock,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,	2_2_00007FF8A92D1677
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D17F8 EVP_MD_CTX_new,EVP_PKEY_new_raw_private_key_ex,EVP_DigestSignInit_ex,EVP_DigestSign,EVP_MD_CTX_free,EVP_PKEY_free,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,_time64,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,EVP_PKEY_free,ERR_new,ERR_set_debug,EVP_MD_CTX_free,EVP_PKEY_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A92D17F8
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92DD3CA CRYPTO_free,	2_2_00007FF8A92DD3CA
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92E1620 CRYPTO_free,CRYPTO_strndup,	2_2_00007FF8A92E1620
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9343650 CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,EVP_CIPHER_fetch,EVP_CIPHER_get_iv_length,RAND_bytes_ex,EVP_CIPHER_free,EVP_EncryptUpdate,EVP_EncryptFinal,ERR_new,ERR_new,CRYPTO_free,EVP_CIPHER_CTX_free,ERR_new,ERR_new,ERR_set_debug,EVP_CIPHER_CTX_get_iv_length,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_CIPHER_CTX_free,	2_2_00007FF8A9343650
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A933B660 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	2_2_00007FF8A933B660
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D110E EVP_PKEY_free,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_DigestVerifyInit_ex,ERR_new,ERR_set_debug,ERR_new,CRYPTO_free,ERR_new,ERR_set_debug,EVP_MD_CTX_free,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,	2_2_00007FF8A92D110E
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92DF650 EVP_PKEY_CTX_new_from_pkey,EVP_PKEY_derive_set_peer,EVP_PKEY_is_a,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_derive,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free,ERR_new,ERR_set_debug,	2_2_00007FF8A92DF650
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D12CB CRYPTO_THREAD_run_once,	2_2_00007FF8A92D12CB
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A93156D0 CRYPTO_free,	2_2_00007FF8A93156D0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92FD510 CRYPTO_free_ex_data,OPENSSL_cleanse,OPENSSL_cleanse,X509_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_clear_free,	2_2_00007FF8A92FD510
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9327570 CRYPTO_realloc,	2_2_00007FF8A9327570
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D193D CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,	2_2_00007FF8A92D193D
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D21E9 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,	2_2_00007FF8A92D21E9
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D2469 CRYPTO_memcmp,ERR_new,ERR_set_debug,memchr,ERR_new,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A92D2469
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1181 CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A92D1181
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D2379 CRYPTO_free,	2_2_00007FF8A92D2379
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D20F4 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A92D20F4
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1087 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,	2_2_00007FF8A92D1087
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A93457FE CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A93457FE
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92E9870 CRYPTO_free,CRYPTO_strdup,	2_2_00007FF8A92E9870
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92E7840 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	2_2_00007FF8A92E7840
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D589C BIO_get_data,BIO_get_init,BIO_clear_flags,BIO_set_init,CRYPTO_free,CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,BIO_set_init,BIO_clear_flags,BIO_get_data,BIO_set_shutdown,BIO_push,BIO_set_next,BIO_up_ref,BIO_set_init,	2_2_00007FF8A92D589C
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D13DE EVP_MD_CTX_new,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get_security_bits,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_free,EVP_PKEY_get_bn_param,EVP_PKEY_get_bn_param,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,BN_num_bits,BN_num_bits,memset,BN_num_bits,BN_bn2bin,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_get0_name,EVP_DigestSignInit_ex,ERR_new,ERR_set_debug,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,ERR_set_debug,EVP_DigestSign,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,BN_free,BN_free,BN_free,BN_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	2_2_00007FF8A92D13DE
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1654 EVP_MD_CTX_new,ERR_new,ERR_set_debug,X509_get0_pubkey,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get_id,EVP_PKEY_get_id,EVP_PKEY_get_id,ERR_new,EVP_MD_get0_name,EVP_DigestVerifyInit_ex,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,BUF_reverse,EVP_PKEY_CTX_set_rsa_padding,EVP_PKEY_CTX_set_rsa_pss_saltlen,ERR_new,EVP_MD_CTX_ctrl,ERR_new,ERR_set_debug,ERR_new,EVP_DigestVerify,ERR_new,ERR_new,ERR_new,ERR_set_debug,BIO_free,EVP_MD_CTX_free,CRYPTO_free,	2_2_00007FF8A92D1654
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A93038C0 CRYPTO_malloc,CRYPTO_realloc,ERR_new,ERR_set_debug,ERR_set_error,memset,OSSL_PARAM_locate_const,CRYPTO_strdup,ERR_new,ERR_set_debug,OSSL_PARAM_locate_const,CRYPTO_strdup,ERR_new,OSSL_PARAM_locate_const,OSSL_PARAM_locate_const,CRYPTO_strdup,ERR_new,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,OSSL_PARAM_locate_const,OSSL_PARAM_get_uint,ERR_new,OSSL_PARAM_locate_const,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,OSSL_PARAM_locate_const,OSSL_PARAM_get_int,ERR_set_mark,EVP_KEYMGMT_free,ERR_pop_to_mark,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A93038C0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1023 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A92D1023
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9321750 CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A9321750
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D11BD CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A92D11BD
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A93277A0 CRYPTO_malloc,CRYPTO_malloc,	2_2_00007FF8A93277A0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8B7E053DC ASN1_STRING_type,ASN1_STRING_length,ASN1_STRING_get0_data,Py_BuildValue,ASN1_STRING_to_UTF8,_Py_Dealloc,Py_BuildValue,CRYPTO_free,	2_2_00007FF8B7E053DC
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8B7E05124 i2d_X509,PyBytes_FromStringAndSize,CRYPTO_free,	2_2_00007FF8B7E05124
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8351970 ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,CRYPTO_free,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,	8_2_00007FF8B8351970
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B837B900 BN_bin2bn,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	8_2_00007FF8B837B900
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B830F910 ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,CRYPTO_malloc,CRYPTO_malloc,EVP_PKEY_encapsulate,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,CRYPTO_free,EVP_PKEY_CTX_free,	8_2_00007FF8B830F910
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8301E6A ERR_new,ERR_set_debug,CRYPTO_clear_free,	8_2_00007FF8B8301E6A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8301A41 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,memcmp,ERR_new,ERR_set_debug,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	8_2_00007FF8B8301A41
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B834D980 RAND_bytes_ex,CRYPTO_malloc,memset,	8_2_00007FF8B834D980
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B830105F ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,CRYPTO_clear_free,	8_2_00007FF8B830105F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B83011DB EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,	8_2_00007FF8B83011DB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8301A15 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	8_2_00007FF8B8301A15
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8317A60 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_malloc,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,strncmp,CRYPTO_free,CRYPTO_free,OPENSSL_sk_new_null,CRYPTO_free,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_push,OPENSSL_sk_delete,OPENSSL_sk_num,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_free,CRYPTO_free,OPENSSL_sk_free,	8_2_00007FF8B8317A60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8349A60 ERR_new,ERR_set_debug,EVP_MD_CTX_get0_md,EVP_MD_get_size,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_set_mark,ERR_pop_to_mark,ERR_new,ERR_set_debug,ERR_clear_last_mark,EVP_MD_CTX_get0_md,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,	8_2_00007FF8B8349A60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8363A60 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,EVP_PKEY_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,	8_2_00007FF8B8363A60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8343A00 CRYPTO_free,CRYPTO_free,OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,OPENSSL_cleanse,CRYPTO_free,CRYPTO_free,	8_2_00007FF8B8343A00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B836BA20 CRYPTO_free,CRYPTO_free,CRYPTO_free,	8_2_00007FF8B836BA20
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B832FAF0 CRYPTO_malloc,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,X509_chain_up_ref,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_dup_ex_data,CRYPTO_strdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_memdup,	8_2_00007FF8B832FAF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B837BB70 OPENSSL_sk_new_null,ERR_new,ERR_set_debug,X509_new_ex,d2i_X509,CRYPTO_free,CRYPTO_memcmp,ERR_new,ERR_set_debug,OPENSSL_sk_push,OPENSSL_sk_num,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,X509_free,OPENSSL_sk_pop_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,OPENSSL_sk_value,X509_get0_pubkey,ERR_new,ERR_set_debug,X509_free,OPENSSL_sk_shift,OPENSSL_sk_pop_free,ERR_new,ERR_set_debug,	8_2_00007FF8B837BB70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B834FB00 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,	8_2_00007FF8B834FB00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B830155A ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,EVP_PKEY_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,	8_2_00007FF8B830155A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8325B90 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,	8_2_00007FF8B8325B90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8361B9F CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,	8_2_00007FF8B8361B9F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B832DBA0 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,_time64,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_new_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free,	8_2_00007FF8B832DBA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8315BB0 OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_sort,	8_2_00007FF8B8315BB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B83019E7 CRYPTO_free,	8_2_00007FF8B83019E7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8301483 CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	8_2_00007FF8B8301483
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8301582 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	8_2_00007FF8B8301582
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8313CC0 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	8_2_00007FF8B8313CC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B83023F1 CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,	8_2_00007FF8B83023F1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8305C9B CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,BIO_set_init,BIO_set_data,BIO_clear_flags,	8_2_00007FF8B8305C9B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8302595 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	8_2_00007FF8B8302595
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8315CB0 COMP_zlib,OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,COMP_get_name,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_sort,	8_2_00007FF8B8315CB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8301CEE CRYPTO_malloc,memset,memcpy,memcpy,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,OPENSSL_cleanse,	8_2_00007FF8B8301CEE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8325D20 CRYPTO_free,CRYPTO_free,	8_2_00007FF8B8325D20
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8363D20 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_PKEY_get1_encoded_public_key,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_free,	8_2_00007FF8B8363D20
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8301D89 CRYPTO_free,CRYPTO_memdup,	8_2_00007FF8B8301D89
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B831CD30 CRYPTO_free,CRYPTO_free,CRYPTO_free_ex_data,OPENSSL_LH_free,X509_STORE_free,CTLOG_STORE_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_secure_free,EVP_MD_get0_provider,EVP_MD_free,EVP_MD_get0_provider,EVP_MD_free,EVP_CIPHER_get0_provider,EVP_CIPHER_free,EVP_MD_get0_provider,EVP_MD_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,CRYPTO_free,	8_2_00007FF8B831CD30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B830136B ERR_new,ERR_set_debug,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,ERR_new,ERR_set_debug,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	8_2_00007FF8B830136B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B831EDC1 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,BUF_MEM_free,EVP_MD_CTX_free,X509_free,X509_VERIFY_PARAM_move_peername,CRYPTO_free,	8_2_00007FF8B831EDC1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8301771 CRYPTO_free,	8_2_00007FF8B8301771
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8301811 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	8_2_00007FF8B8301811
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B830222F ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_clear_free,	8_2_00007FF8B830222F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B830236A CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,CRYPTO_free,CRYPTO_free,	8_2_00007FF8B830236A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B831EDC1 ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,BUF_MEM_free,EVP_MD_CTX_free,X509_free,X509_VERIFY_PARAM_move_peername,CRYPTO_free,	8_2_00007FF8B831EDC1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8301B54 memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,memcmp,EVP_CIPHER_CTX_free,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcmp,memcmp,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,	8_2_00007FF8B8301B54
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8372EE0 CRYPTO_memcmp,	8_2_00007FF8B8372EE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B830117C _time64,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,	8_2_00007FF8B830117C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8348E90 CRYPTO_malloc,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,	8_2_00007FF8B8348E90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B830CEA0 CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_free,memset,CRYPTO_free,	8_2_00007FF8B830CEA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B83017E9 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcmp,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcmp,ERR_new,CRYPTO_memdup,ERR_new,ERR_new,ERR_new,ERR_set_debug,	8_2_00007FF8B83017E9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8302144 EVP_CIPHER_get_mode,EVP_CIPHER_get_mode,EVP_CIPHER_get_iv_length,EVP_CIPHER_get_key_length,CRYPTO_malloc,ERR_new,ERR_set_debug,	8_2_00007FF8B8302144
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8304FD0 CRYPTO_free,	8_2_00007FF8B8304FD0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B83020E5 CRYPTO_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	8_2_00007FF8B83020E5
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8302117 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,	8_2_00007FF8B8302117
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B832F070 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,_time64,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,ERR_new,ERR_set_debug,CRYPTO_new_ex_data,CRYPTO_THREAD_lock_free,ERR_new,ERR_set_debug,memcpy,	8_2_00007FF8B832F070
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8365070 BN_num_bits,BN_bn2bin,CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	8_2_00007FF8B8365070
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B837B070 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	8_2_00007FF8B837B070
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8302374 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	8_2_00007FF8B8302374
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B83350D8 EVP_MAC_CTX_free,CRYPTO_free,	8_2_00007FF8B83350D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8329080 CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	8_2_00007FF8B8329080
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B83430A0 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	8_2_00007FF8B83430A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B83014CE CRYPTO_free,CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,ERR_new,ERR_new,ERR_set_debug,	8_2_00007FF8B83014CE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B83021DF CRYPTO_memcmp,	8_2_00007FF8B83021DF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B83019DD BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,CRYPTO_free,CRYPTO_strdup,	8_2_00007FF8B83019DD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B83015E6 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,CRYPTO_free,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,memcpy,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,	8_2_00007FF8B83015E6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8304100 CRYPTO_free,	8_2_00007FF8B8304100
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8301F55 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	8_2_00007FF8B8301F55
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B834E190 CRYPTO_free,	8_2_00007FF8B834E190
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8301389 CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,	8_2_00007FF8B8301389
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B834E200 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,CRYPTO_free,ERR_new,ERR_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	8_2_00007FF8B834E200

Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txt			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txt			Jump to behavior

Source: Creal.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: Creal.exe, 00000002.00000002.3276941699.00007FF8A8257000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: Creal.exe, 00000002.00000002.3278024317.00007FF8A882A000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: Creal.exe, 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb(('GCTL source: Creal.exe, 00000000.00000003.2013698188.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3288809045.00007FF8BA4F4000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: Creal.exe, 00000000.00000003.2013105492.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210597001.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Creal.exe, 00000000.00000003.2011920912.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3288624877.00007FF8BA254000.00000002.00000001.01000000.00000005.sdmp, Creal.exe, 00000007.00000003.2208617865.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3288854433.00007FF8BFBA4000.00000002.00000001.01000000.0000002D.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: Creal.exe, 00000002.00000002.3278024317.00007FF8A8792000.00000002.00000001.01000000.00000010.sdmp, Creal.exe, 00000008.00000002.3277713279.00007FF8A74A2000.00000002.00000001.01000000.00000038.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: Creal.exe, 00000000.00000003.2011920912.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3288624877.00007FF8BA254000.00000002.00000001.01000000.00000005.sdmp, Creal.exe, 00000007.00000003.2208617865.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3288854433.00007FF8BFBA4000.00000002.00000001.01000000.0000002D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: Creal.exe, 00000002.00000002.3277331741.00007FF8A8394000.00000002.00000001.01000000.00000016.sdmp, Creal.exe, 00000008.00000002.3278284280.00007FF8A7B14000.00000002.00000001.01000000.0000003E.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: Creal.exe, 00000002.00000002.3278024317.00007FF8A882A000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: Creal.exe, 00000000.00000003.2013034623.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210469463.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: Creal.exe, 00000000.00000003.2012043835.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3288413452.00007FF8B9845000.00000002.00000001.01000000.0000000C.sdmp, Creal.exe, 00000007.00000003.2208832150.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3287591621.00007FF8B9175000.00000002.00000001.01000000.00000034.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: Creal.exe, 00000002.00000002.3286869454.00007FF8B8AF3000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: Creal.exe, 00000002.00000002.3287970612.00007FF8B8F83000.00000002.00000001.01000000.00000007.sdmp, Creal.exe, 00000008.00000002.3288648125.00007FF8BFB73000.00000002.00000001.01000000.0000002F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: Creal.exe, 00000000.00000003.2012825671.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3287550512.00007FF8B8C16000.00000002.00000001.01000000.0000000F.sdmp, Creal.exe, 00000007.00000003.2210152197.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3286949600.00007FF8B9116000.00000002.00000001.01000000.00000037.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: Creal.exe, 00000000.00000003.2012922537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3287313269.00007FF8B8B3B000.00000002.00000001.01000000.0000000A.sdmp, Creal.exe, 00000007.00000003.2210291653.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: Creal.exe, 00000000.00000003.2012139537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2208996602.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: Creal.exe, 00000000.00000003.2013623021.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3286647711.00007FF8B8833000.00000002.00000001.01000000.00000017.sdmp, Creal.exe, 00000008.00000002.3286329041.00007FF8B90D3000.00000002.00000001.01000000.0000003F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: Creal.exe, 00000002.00000002.3286119813.00007FF8B7E52000.00000002.00000001.01000000.0000000D.sdmp, Creal.exe, 00000008.00000002.3287382761.00007FF8B9152000.00000002.00000001.01000000.00000035.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: Creal.exe, 00000000.00000003.2013183257.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3287755549.00007FF8B8CB3000.00000002.00000001.01000000.0000000E.sdmp, Creal.exe, 00000007.00000003.2210730627.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: Creal.exe, 00000000.00000003.2012922537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3287313269.00007FF8B8B3B000.00000002.00000001.01000000.0000000A.sdmp, Creal.exe, 00000007.00000003.2210291653.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: Creal.exe, 00000000.00000003.2012254745.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3288184798.00007FF8B93CD000.00000002.00000001.01000000.00000009.sdmp, Creal.exe, 00000007.00000003.2209177620.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: Creal.exe, 00000000.00000003.2013698188.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3288809045.00007FF8BA4F4000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: Creal.exe, 00000000.00000003.2013254429.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3287078699.00007FF8B8B09000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: Creal.exe, 00000002.00000002.3284976163.00007FF8B7DEF000.00000002.00000001.01000000.00000015.sdmp, Creal.exe, 00000008.00000002.3284231215.00007FF8B82EF000.00000002.00000001.01000000.0000003D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: Creal.exe, 00000002.00000002.3271977344.000002710B860000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python313.pdb source: Creal.exe, 00000002.00000002.3278699143.00007FF8A8CF8000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: Creal.exe, 00000000.00000003.2012043835.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3288413452.00007FF8B9845000.00000002.00000001.01000000.0000000C.sdmp, Creal.exe, 00000007.00000003.2208832150.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3287591621.00007FF8B9175000.00000002.00000001.01000000.00000034.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: Creal.exe, 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: Creal.exe, 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmp, Creal.exe, 00000008.00000002.3285616880.00007FF8B83DE000.00000002.00000001.01000000.0000003B.sdmp

Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A809280 FindFirstFileExW,FindClose,	0_2_00007FF77A809280
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A8083C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF77A8083C0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A821874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF77A821874
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A809280 FindFirstFileExW,FindClose,	2_2_00007FF77A809280
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A8083C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00007FF77A8083C0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A821874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF77A821874
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11C9280 FindFirstFileExW,FindClose,	7_2_00007FF6A11C9280
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11C83C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	7_2_00007FF6A11C83C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11E1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	7_2_00007FF6A11E1874
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11C9280 FindFirstFileExW,FindClose,	8_2_00007FF6A11C9280
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11C83C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	8_2_00007FF6A11C83C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11E1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	8_2_00007FF6A11E1874

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior

Source: Joe Sandbox View	IP Address: 45.112.123.126 45.112.123.126
Source: Joe Sandbox View	IP Address: 34.160.111.145 34.160.111.145
Source: Joe Sandbox View	IP Address: 34.160.111.145 34.160.111.145
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: unknown	DNS query: name: ifconfig.me
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.5:49713
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.5:49900

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: ifconfig.meUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: ifconfig.meUser-Agent: curl/7.83.1Accept: /

Source: global traffic	DNS traffic detected: DNS query: ifconfig.me
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: api.gofile.io
Source: global traffic	DNS traffic detected: DNS query: geolocation-db.com

Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.../back.jpeg
Source: Creal.exe, 00000002.00000002.3273533573.000002710DD89000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2077624829.000002710E7E4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3273533573.000002710DD19000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3274326927.000002710DED9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3275182087.000002710E769000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2077173911.000002710E7E3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819CB3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274878907.000001981A59F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819B53000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html
Source: Creal.exe, 00000000.00000003.2012139537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013364917.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013623021.00000254DA85F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211018983.0000026DDBC40000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2208996602.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2209018766.0000026DDBC40000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211395228.0000026DDBC40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.dig
Source: Creal.exe, 00000007.00000003.2211018983.0000026DDBC40000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2208996602.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2209018766.0000026DDBC40000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211395228.0000026DDBC40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digY
Source: Creal.exe, 00000000.00000003.2013500639.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000002.3271862160.00000254DA85F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211228015.0000026DDBC40000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000002.3272065183.0000026DDBC40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi
Source: Creal.exe, 00000007.00000003.2211228015.0000026DDBC40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digiY
Source: Creal.exe, 00000000.00000003.2013500639.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012254745.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013183257.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013105492.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012139537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012690992.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013698188.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013364917.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012538251.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013034623.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012825671.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012922537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013254429.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013623021.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2218540742.0000026DDBC40000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211228015.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2219081964.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210597001.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211504439.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210129930.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2218889031.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Creal.exe, 00000000.00000003.2013500639.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012254745.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013183257.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013105492.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012139537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012690992.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013698188.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013364917.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012538251.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013034623.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012825671.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012922537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013254429.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013623021.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211228015.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2219081964.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210597001.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211504439.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210129930.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2218889031.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210469463.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Creal.exe, 00000000.00000003.2013500639.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012254745.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013183257.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013105492.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012139537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012690992.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013698188.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013364917.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012538251.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013034623.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012825671.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012922537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013254429.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013623021.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211228015.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2219081964.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211504439.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2218889031.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210291653.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2218359211.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210730627.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Creal.exe, 00000000.00000003.2013500639.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012254745.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013183257.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013105492.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012139537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012690992.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013698188.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013364917.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013623021.00000254DA85F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012538251.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013034623.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012825671.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012922537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013254429.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000002.3271862160.00000254DA85F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013623021.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2218540742.0000026DDBC40000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211228015.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2219081964.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210597001.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211228015.0000026DDBC40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Creal.exe, 00000002.00000002.3273533573.000002710DD89000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2038521530.000002710D82A000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3273070510.000002710D81F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253525634.0000019819A35000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819A30000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819990000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2240741453.0000019819A36000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253265305.0000019819A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: Creal.exe, 00000002.00000003.2038462297.000002710DCCF000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2038752381.000002710DCBB000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3273070510.000002710D81F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2038462297.000002710DC77000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2239361588.0000019819737000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2241391582.0000019819737000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2239166710.0000019819A58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577916/
Source: Creal.exe, 00000002.00000002.3274326927.000002710DF8E000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3275024704.000002710E6FA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274131424.0000019819D3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: Creal.exe, 00000002.00000002.3273533573.000002710DD89000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3273070510.000002710D6D0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3272835079.00000198192B7000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273072089.0000019819590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Creal.exe, 00000002.00000002.3273533573.000002710DC00000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3273533573.000002710DE65000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819B53000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274131424.0000019819D3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: Creal.exe, 00000008.00000002.3273426350.0000019819B53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: Creal.exe, 00000002.00000002.3273533573.000002710DE65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crlS
Source: Creal.exe, 00000002.00000002.3274326927.000002710DF8E000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3275024704.000002710E6FA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274131424.0000019819D3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: Creal.exe, 00000002.00000002.3275024704.000002710E6FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl=_
Source: Creal.exe, 00000008.00000002.3274131424.0000019819D3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crli
Source: Creal.exe, 00000002.00000002.3273533573.000002710DE65000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274131424.0000019819D3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: Creal.exe, 00000002.00000002.3273533573.000002710DD19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: Creal.exe, 00000002.00000002.3273533573.000002710DE65000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274131424.0000019819D3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: Creal.exe, 00000002.00000002.3273533573.000002710DD19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: Creal.exe, 00000002.00000002.3273533573.000002710DE65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crlN
Source: Creal.exe, 00000002.00000002.3273533573.000002710DE65000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274131424.0000019819D3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: Creal.exe, 00000002.00000002.3273533573.000002710DD89000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273072089.0000019819590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: Creal.exe, 00000000.00000003.2013500639.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012254745.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013183257.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013105492.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012139537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012690992.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013698188.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013364917.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013623021.00000254DA85F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012538251.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013034623.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012825671.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012922537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013254429.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000002.3271862160.00000254DA85F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013623021.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2218540742.0000026DDBC40000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211228015.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2219081964.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210597001.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211228015.0000026DDBC40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Creal.exe, 00000000.00000003.2013500639.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012254745.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013183257.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013105492.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012139537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012690992.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013698188.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013364917.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012538251.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013034623.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012825671.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012922537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013254429.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013623021.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211228015.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2219081964.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210597001.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211504439.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210129930.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2218889031.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210469463.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Creal.exe, 00000000.00000003.2013500639.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012254745.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013183257.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013105492.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012139537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012690992.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013698188.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013364917.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012538251.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013034623.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012825671.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012922537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013254429.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013623021.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211228015.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2219081964.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211504439.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2218889031.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210291653.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2218359211.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210730627.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Creal.exe, 00000007.00000003.2209952073.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2219081964.0000026DDBC40000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210493160.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2216922370.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2209644682.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Creal.exe, 00000000.00000003.2013500639.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012254745.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013183257.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013105492.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012139537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012690992.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013698188.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013364917.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012538251.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013034623.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012825671.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012922537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013254429.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013623021.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211228015.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2219081964.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210597001.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211504439.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210129930.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2218889031.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210469463.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Creal.exe, 00000002.00000002.3273533573.000002710DD89000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3274326927.000002710DED9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819CB3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/eax/eax-spec.pdf
Source: Creal.exe, 00000002.00000002.3275182087.000002710E769000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274878907.000001981A59F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf
Source: Creal.exe, 00000002.00000002.3273533573.000002710DD19000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3274326927.000002710DED9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819B53000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
Source: Creal.exe, 00000002.00000002.3275614832.000002710EFC4000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3273533573.000002710DD89000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3275493075.000002710EEC0000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3275493075.000002710EE40000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3274825814.000002710E410000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3274326927.000002710DED9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3275614832.000002710EF94000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3275460819.000001981AC90000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3275594391.000001981ADE4000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3275594391.000001981AE14000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819A30000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819990000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274690309.000001981A290000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3275460819.000001981AD10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: Creal.exe, 00000002.00000002.3275493075.000002710EE40000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3275460819.000001981AC90000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819C93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: Creal.exe, 00000002.00000002.3274456628.000002710DFD0000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274301567.0000019819E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/library/itertools.html#recipes
Source: Creal.exe, 00000002.00000002.3274546348.000002710E0D0000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274402392.0000019819F90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar.tar.gz
Source: Creal.exe, 00000002.00000002.3274546348.000002710E0D0000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274402392.0000019819F90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar.tgz
Source: Creal.exe, 00000002.00000002.3274326927.000002710DED9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253525634.0000019819AD7000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253525634.0000019819A35000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2252503496.0000019819CB3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819CB3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2252503496.0000019819BEE000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819A30000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253852884.0000019819CC7000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819AD7000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3272835079.00000198192DF000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819B53000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253265305.0000019819A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: Creal.exe, 00000002.00000002.3273533573.000002710DC9A000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3274326927.000002710DED9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2252503496.0000019819BEE000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3272835079.00000198192DF000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819B53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail
Source: Creal.exe, 00000008.00000002.3273426350.0000019819AD7000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819B53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: Creal.exe, 00000002.00000002.3273533573.000002710DD89000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3274326927.000002710DED9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2252503496.0000019819CB3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819CB3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274131424.0000019819D3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: Creal.exe, 00000002.00000002.3273533573.000002710DD89000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3274326927.000002710DED9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253525634.0000019819A35000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2252503496.0000019819CB3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819CB3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819A30000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253852884.0000019819CC7000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253265305.0000019819A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://httpbin.org/
Source: curl.exe, 00000005.00000002.2047927659.000001BAD5617000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ifconfig.me/
Source: curl.exe, 00000005.00000002.2047927659.000001BAD5617000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ifconfig.me/infa
Source: Creal.exe, 00000002.00000002.3274326927.000002710DF8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es
Source: Creal.exe, 00000002.00000002.3273533573.000002710DE65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: Creal.exe, 00000000.00000003.2013500639.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012254745.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013183257.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013105492.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012139537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012690992.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013698188.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013364917.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012538251.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013034623.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012825671.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012922537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013254429.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013623021.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211228015.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2219081964.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210597001.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211504439.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210129930.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2218889031.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210469463.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Creal.exe, 00000000.00000003.2013500639.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012254745.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013183257.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013105492.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012139537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012690992.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013698188.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013364917.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013623021.00000254DA85F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012538251.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013034623.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012825671.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012922537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013254429.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000002.3271862160.00000254DA85F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013623021.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2218540742.0000026DDBC40000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211228015.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2219081964.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210597001.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211228015.0000026DDBC40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: Creal.exe, 00000000.00000003.2013500639.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012254745.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013183257.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013105492.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012139537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012690992.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013698188.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013364917.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013623021.00000254DA85F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012538251.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013034623.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012825671.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012922537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013254429.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000002.3271862160.00000254DA85F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013623021.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2218540742.0000026DDBC40000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211228015.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2219081964.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210597001.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211228015.0000026DDBC40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: Creal.exe, 00000000.00000003.2013500639.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012254745.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013183257.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013105492.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012139537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012690992.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013698188.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013364917.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012538251.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013034623.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012825671.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012922537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013254429.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013623021.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211228015.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2219081964.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211504439.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2218889031.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210291653.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2218359211.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210730627.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: Creal.exe, 00000002.00000002.3273424541.000002710DAD0000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3274456628.000002710DFD0000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2037764848.000002710D825000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274301567.0000019819E90000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2239361588.00000198195E9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274182061.0000019819D90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://opensource.apple.com/source/CF/CF-744.18/CFBinaryPList.c
Source: Creal.exe, 00000002.00000002.3273533573.000002710DC00000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3274326927.000002710DED9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3273533573.000002710DE65000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819CB3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3272835079.0000019819250000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: Creal.exe, 00000008.00000002.3273426350.0000019819A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/e__V
Source: Creal.exe, 00000002.00000002.3273533573.000002710DE65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/orsrH
Source: Creal.exe, 00000008.00000002.3272835079.0000019819250000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/p
Source: Creal.exe, 00000002.00000002.3273533573.000002710DE65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/r
Source: Creal.exe, 00000002.00000002.3273533573.000002710DD89000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3274326927.000002710DED9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819CB3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819B53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc4880
Source: Creal.exe, 00000002.00000002.3275937955.000002710F098000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3275937955.000002710F0BC000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3275912878.000001981AEE8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5297
Source: Creal.exe, 00000002.00000002.3274326927.000002710DF8E000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5869
Source: Creal.exe, 00000002.00000002.3274825814.000002710E410000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274690309.000001981A290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: Creal.exe, 00000002.00000002.3275182087.000002710E769000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
Source: Creal.exe, 00000002.00000002.3274326927.000002710DF8E000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3273533573.000002710DE65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: Creal.exe, 00000002.00000002.3273533573.000002710DE65000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274131424.0000019819D3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: Creal.exe, 00000002.00000002.3273533573.000002710DE65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: Creal.exe, 00000008.00000002.3274131424.0000019819D3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crlm-
Source: Creal.exe, 00000002.00000002.3273533573.000002710DC00000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274131424.0000019819D3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm
Source: Creal.exe, 00000002.00000002.3273533573.000002710DE65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: Creal.exe, 00000002.00000002.3273533573.000002710DC00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htma2
Source: Creal.exe, 00000002.00000002.3273533573.000002710DC00000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3273533573.000002710DE65000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274131424.0000019819D3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: Creal.exe, 00000007.00000003.2221158142.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/
Source: Creal.exe, 00000007.00000003.2221228248.0000026DDBC41000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2221158142.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Creal.exe, 00000002.00000002.3273424541.000002710DAD0000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2037764848.000002710D825000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274182061.0000019819D90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: Creal.exe, 00000002.00000002.3273533573.000002710DC00000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3275024704.000002710E6FA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274878907.000001981A59F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: Creal.exe, 00000002.00000002.3275024704.000002710E6FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/6
Source: Creal.exe, 00000002.00000003.2077624829.000002710E7E4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3275182087.000002710E769000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2077173911.000002710E7E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
Source: Creal.exe, 00000000.00000003.2013500639.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012254745.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013183257.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013105492.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012139537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012690992.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013698188.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013364917.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012538251.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013034623.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012825671.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2012922537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013254429.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2013623021.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211228015.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2219081964.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210597001.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2211504439.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210129930.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2218889031.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210469463.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: Creal.exe, 00000002.00000002.3273533573.000002710DD89000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3275024704.000002710E6FA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274878907.000001981A59F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: Creal.exe, 00000002.00000003.2039235589.000002710DD37000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3273533573.000002710DD19000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253525634.0000019819A35000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819A30000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2240741453.0000019819A36000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253265305.0000019819A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: Creal.exe, 00000002.00000002.3274326927.000002710DF8E000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819AD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: Creal.exe, 00000002.00000002.3274326927.000002710DF8E000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819B53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: Creal.exe, 00000002.00000002.3274326927.000002710DF8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps5
Source: Creal.exe, 00000002.00000002.3275182087.000002710E769000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rfc-editor.org/info/rfc7253
Source: Creal.exe, 00000002.00000003.2077624829.000002710E7E4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3275182087.000002710E769000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2077173911.000002710E7E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tarsnap.com/scrypt/scrypt-slides.pdf
Source: Creal.exe, 00000002.00000002.3273533573.000002710DE65000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2252503496.0000019819D09000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819D09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: Creal.exe, 00000002.00000002.3273533573.000002710DC9A000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3274326927.000002710DED9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2252503496.0000019819BEE000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3272835079.00000198192DF000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819B53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://yahoo.com/
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://aliexpress.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aliexpress.com)z&
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://amazon.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amazon.com)z
Source: Creal.exe, 00000008.00000002.3275912878.000001981AF50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServer
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServerr
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org)
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://binance.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://binance.com)z
Source: Creal.exe, 00000007.00000003.2221248662.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://blog.jaraco.com/skeleton
Source: Creal.exe, 00000002.00000002.3274731445.000002710E310000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274596226.000001981A190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugs.python.org/issue44497.
Source: Creal.exe, 00000008.00000002.3273252584.0000019819790000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/1068916221354983427/1074265014560620554/e6fd316fb3544f2811361
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/avatars/
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cloud.google.com/appengine/docs/standard/runtimes
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://coinbase.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://coinbase.com)z
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crunchyroll.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crunchyroll.com)z
Source: Creal.exe, 00000000.00000003.2014869136.00000254DA855000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2212389003.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io
Source: Creal.exe, 00000007.00000003.2212389003.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/
Source: Creal.exe, 00000000.00000003.2014869136.00000254DA855000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2212389003.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/changelog/
Source: Creal.exe, 00000000.00000003.2014869136.00000254DA855000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2212389003.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/installation/
Source: Creal.exe, 00000000.00000003.2014869136.00000254DA855000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2212389003.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/security/
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com)z
Source: Creal.exe, 00000008.00000002.3274690309.000001981A290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/users/
Source: Creal.exe, 00000008.00000002.3274596226.000001981A190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v6/users/
Source: Creal.exe, 00000002.00000002.3274825814.000002710E410000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274690309.000001981A290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/webhooks/1304534397680357396/jwWT3Q8Ovv9Vvgd-RNJrwcYvcpgO5pbMYyd8C4eotXdFUJq
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v6/users/
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://disney.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://disney.com)z$
Source: Creal.exe, 00000002.00000003.2037448182.000002710D740000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3273070510.000002710D6D0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2235298280.00000198195E9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2237383252.0000019819652000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2239361588.0000019819661000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2236116679.0000019819612000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2241391582.0000019819661000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273072089.0000019819590000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2236912931.0000019819612000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: Creal.exe, 00000002.00000002.3272980516.000002710D5D0000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2226885534.000001981933B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/howto/mro.html.
Source: Creal.exe, 00000002.00000002.3272386577.000002710D130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: Creal.exe, 00000002.00000002.3272386577.000002710D130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: Creal.exe, 00000002.00000002.3272386577.000002710D1B4000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3272382328.0000019819054000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: Creal.exe, 00000002.00000002.3272386577.000002710D130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: Creal.exe, 00000002.00000002.3272386577.000002710D1B4000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3272382328.0000019819054000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: Creal.exe, 00000002.00000002.3272386577.000002710D130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: Creal.exe, 00000002.00000002.3272386577.000002710D130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: Creal.exe, 00000002.00000002.3272386577.000002710D130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: Creal.exe, 00000002.00000002.3272852196.000002710D390000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2034680927.000002710D3C2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2035696816.000002710D3BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2035087329.000002710D3C0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2035299664.000002710D3C2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2035891536.000002710D3C2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2034389160.000002710D3C0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2036517173.000002710D3BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2034159771.000002710D3C3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2036158256.000002710D3BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3272835079.0000019819250000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: Creal.exe, 00000007.00000003.2221248662.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.metadata.html
Source: Creal.exe, 00000002.00000002.3273533573.000002710DC9A000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/multiprocessing.html
Source: Creal.exe, 00000007.00000003.2221248662.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/reference/import.html#finders-and-loaders
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ebay.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebay.com)z$
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://epicgames.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://epicgames.com)z
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://expressvpn.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://expressvpn.com)rE
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://geolocation-db.com/jsonp/
Source: Creal.exe, 00000002.00000002.3275937955.000002710F0E8000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3275912878.000001981AF38000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3275912878.000001981AF50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://geolocation-db.com/jsonp/None
Source: Creal.exe, 00000008.00000002.3275912878.000001981AF50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://geolocation-db.com/jsonp/NoneP
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://geolocation-db.com/jsonp/z
Source: Creal.exe, 00000002.00000002.3274456628.000002710DFD0000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274301567.0000019819E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca
Source: Creal.exe, 00000002.00000002.3273533573.000002710DC00000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2252503496.0000019819CB3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819CB3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253852884.0000019819CC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: Creal.exe, 00000002.00000002.3272852196.000002710D390000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2034680927.000002710D3C2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2035696816.000002710D3BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2035087329.000002710D3C0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2035299664.000002710D3C2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2035891536.000002710D3C2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2034389160.000002710D3C0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2036517173.000002710D3BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2034159771.000002710D3C3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2036158256.000002710D3BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2224452905.000001981928F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2229673788.0000019819286000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3272835079.0000019819250000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: Creal.exe, 00000007.00000003.2221248662.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/astral-sh/ruff
Source: Creal.exe, 00000002.00000002.3274546348.000002710E0D0000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2038521530.000002710D82A000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274402392.0000019819F90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jaraco/jaraco.functools/issues/5
Source: Creal.exe, 00000002.00000002.3274637231.000002710E1E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/platformdirs/platformdirs
Source: Creal.exe, 00000008.00000002.3275594391.000001981ADE8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/psf/requests/pull/6710
Source: Creal.exe, 00000000.00000003.2014869136.00000254DA855000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2212389003.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography
Source: Creal.exe, 00000000.00000003.2014869136.00000254DA855000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2212389003.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/
Source: Creal.exe, 00000000.00000003.2014869136.00000254DA855000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2212389003.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/actions?query=workflow%3ACI
Source: Creal.exe, 00000007.00000003.2212389003.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/issues
Source: Creal.exe, 00000000.00000003.2014869136.00000254DA855000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2212389003.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main
Source: Creal.exe, 00000008.00000002.3274301567.0000019819E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/packaging
Source: Creal.exe, 00000002.00000002.3274731445.000002710E310000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274596226.000001981A190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues/1024.
Source: Creal.exe, 00000002.00000002.3274731445.000002710E310000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274596226.000001981A190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues/417#issuecomment-392298401
Source: Creal.exe, 00000008.00000002.3274596226.000001981A190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues/new?template=distutils-deprecation.yml
Source: Creal.exe, 00000002.00000002.3272386577.000002710D1B4000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3272382328.0000019819054000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2224452905.000001981928F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2229673788.0000019819286000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: Creal.exe, 00000008.00000002.3272835079.0000019819250000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: Creal.exe, 00000002.00000002.3272852196.000002710D390000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2034680927.000002710D3C2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2035696816.000002710D3BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2035087329.000002710D3C0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2035299664.000002710D3C2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2035891536.000002710D3C2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2034389160.000002710D3C0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2036517173.000002710D3BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2034159771.000002710D3C3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2036158256.000002710D3BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2230841946.0000019819274000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2224452905.000001981928F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2229673788.0000019819286000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3272835079.0000019819250000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: Creal.exe, 00000002.00000003.2037448182.000002710D740000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2037811984.000002710D858000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3273070510.000002710D6D0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2037764848.000002710D825000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2037995997.000002710D85F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2037390047.000002710D851000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2238497400.00000198196FC000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2239361588.000001981966C000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2237823168.00000198196FC000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2235298280.00000198196FC000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2241391582.0000019819661000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273072089.0000019819590000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2236385058.00000198196FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: Creal.exe, 00000007.00000003.2221248662.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata
Source: Creal.exe, 00000007.00000003.2221248662.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/actions/workflows/main.yml/badge.svg
Source: Creal.exe, 00000007.00000003.2221248662.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/actions?query=workflow%3A%22tests%22
Source: Creal.exe, 00000007.00000003.2221248662.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/issues
Source: Creal.exe, 00000002.00000002.3273424541.000002710DAD0000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274182061.0000019819D90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/wiki/Development-Methodology
Source: Creal.exe, 00000002.00000002.3272852196.000002710D390000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2034680927.000002710D3C2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2035696816.000002710D3BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2035087329.000002710D3C0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2035299664.000002710D3C2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2035891536.000002710D3C2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2034389160.000002710D3C0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2036517173.000002710D3BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2034159771.000002710D3C3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2036158256.000002710D3BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2224452905.000001981928F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2229673788.0000019819286000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3272835079.0000019819250000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: Creal.exe, 00000002.00000002.3273533573.000002710DD89000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2252503496.0000019819BFE000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819BFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/497
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gmail.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gmail.com)z
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://hbo.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hbo.com)z
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://hotmail.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotmail.com)z
Source: Creal.exe, 00000002.00000002.3273533573.000002710DD89000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3274326927.000002710DED9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253525634.0000019819A35000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2252503496.0000019819CB3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819CB3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819A30000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253852884.0000019819CC7000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253265305.0000019819A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: Creal.exe, 00000008.00000002.3275460819.000001981AD10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: Creal.exe, 00000002.00000002.3273533573.000002710DD89000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273072089.0000019819590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: Creal.exe, 00000007.00000003.2221248662.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/badge/skeleton-2024-informational
Source: Creal.exe, 00000007.00000003.2221248662.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/charliermarsh/ruff/main/assets
Source: Creal.exe, 00000007.00000003.2221248662.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/pypi/pyversions/importlib_metadata.svg
Source: Creal.exe, 00000000.00000003.2014869136.00000254DA855000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2212389003.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/pypi/v/cryptography.svg
Source: Creal.exe, 00000007.00000003.2221248662.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/pypi/v/importlib_metadata.svg
Source: Creal.exe, 00000007.00000003.2221248662.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://importlib-metadata.readthedocs.io/
Source: Creal.exe, 00000007.00000003.2221248662.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://importlib-metadata.readthedocs.io/en/latest/?badge=latest
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://instagram.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://instagram.com)z
Source: Creal.exe, 00000008.00000003.2253265305.0000019819A30000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2240741453.0000019819C02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: Creal.exe, 00000002.00000003.2038726837.000002710DCFF000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2038752381.000002710DCBB000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3273533573.000002710DC9A000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819990000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2239166710.0000019819AD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: Creal.exe, 00000000.00000003.2014869136.00000254DA855000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2212389003.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mail.python.org/mailman/listinfo/cryptography-dev
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://minecraft.net)
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://netflix.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://netflix.com))
Source: Creal.exe, 00000002.00000003.2077624829.000002710E7E4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3275182087.000002710E769000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2077173911.000002710E7E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://origin.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://origin.com)z
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com)z&
Source: Creal.exe, 00000002.00000002.3274825814.000002710E410000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274690309.000001981A290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/guides/packaging-namespace-packages/.
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/core-metadata/
Source: Creal.exe, 00000002.00000002.3274731445.000002710E310000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274596226.000001981A190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/core-metadata/#core-metadata
Source: Creal.exe, 00000002.00000002.3274825814.000002710E410000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274690309.000001981A290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/
Source: Creal.exe, 00000002.00000002.3273070510.000002710D6D0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253525634.0000019819A35000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819A30000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2240741453.0000019819A36000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253265305.0000019819A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/#file-format
Source: Creal.exe, 00000002.00000002.3274825814.000002710E410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/PWD
Source: Creal.exe, 00000002.00000002.3273533573.000002710DD19000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253525634.0000019819AD7000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819AD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/pyproject-toml/#declaring-project-metadata-the
Source: Creal.exe, 00000002.00000002.3273070510.000002710D6D0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253525634.0000019819A35000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819A30000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2240741453.0000019819A36000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253265305.0000019819A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file
Source: Creal.exe, 00000002.00000002.3274731445.000002710E310000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274596226.000001981A190000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2241312007.0000019819C05000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2240741453.0000019819C02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://paypal.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paypal.com)z
Source: Creal.exe, 00000002.00000002.3273250756.000002710D8D0000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2032561263.000002710D391000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273252584.0000019819790000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2224235353.0000019819251000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: Creal.exe, 00000002.00000002.3278699143.00007FF8A8CF8000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0685/
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://playstation.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://playstation.com)z
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pornhub.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pornhub.com)z
Source: Creal.exe, 00000008.00000002.3274596226.000001981A190000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274690309.000001981A290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/build/).
Source: Creal.exe, 00000000.00000003.2014869136.00000254DA855000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2212389003.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/cryptography/
Source: Creal.exe, 00000007.00000003.2221248662.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/importlib_metadata
Source: Creal.exe, 00000008.00000002.3274690309.000001981A290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Ayhuuu/injection/main/index.js
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Ayhuuu/injection/main/index.js)
Source: Creal.exe, 00000000.00000003.2014869136.00000254DA855000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2212389003.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://readthedocs.org/projects/cryptography/badge/?version=latest
Source: Creal.exe, 00000007.00000003.2221248662.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://readthedocs.org/projects/importlib-metadata/badge/?version=latest
Source: Creal.exe, 00000002.00000002.3274456628.000002710DFD0000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274301567.0000019819E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://refspecs.linuxfoundation.org/elf/gabi4
Source: Creal.exe, 00000008.00000002.3275594391.000001981ADE8000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273072089.0000019819590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://riotgames.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://riotgames.com)z
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://roblox.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://roblox.com)z
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sellix.io)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sellix.io)z
Source: Creal.exe, 00000008.00000002.3274690309.000001981A290000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2240741453.0000019819C02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/
Source: Creal.exe, 00000002.00000003.2036893555.000002710D847000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2036941508.000002710D7DA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2036991859.000002710D847000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2036991859.000002710D7F2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2233919145.000001981974B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2234333726.000001981975B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html
Source: Creal.exe, 00000002.00000003.2036965595.000002710D7F6000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2036991859.000002710D7F7000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2036893555.000002710D847000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2037199696.000002710D86F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2037811984.000002710D858000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2038521530.000002710D83D000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2036941508.000002710D7DA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2037764848.000002710D825000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2037995997.000002710D85F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3273070510.000002710D81F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2036991859.000002710D847000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2037390047.000002710D851000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2233919145.000001981974B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2237737394.00000198192D5000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3272835079.00000198192DF000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2234333726.000001981975B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2233949623.0000019819720000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access
Source: Creal.exe, 00000002.00000002.3273337784.000002710D9D0000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273339355.0000019819890000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packages
Source: Creal.exe, 00000002.00000003.2036893555.000002710D808000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2036893555.000002710D847000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2036991859.000002710D847000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2234942777.0000019819774000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2233919145.000001981974B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2234333726.000001981975B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr;
Source: Creal.exe, 00000002.00000003.2036893555.000002710D808000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2036893555.000002710D847000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2036991859.000002710D847000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2234942777.0000019819774000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2233919145.000001981974B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2234333726.000001981975B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr;r
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spotify.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spotify.com)z
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steam.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.com)z
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://telegram.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://telegram.com)z
Source: Creal.exe, 00000007.00000003.2221248662.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/badges/package/pypi/importlib-metadata
Source: Creal.exe, 00000007.00000003.2221248662.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-importlib-metadata?utm_source=pypi-importlib-metadata&utm
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tiktok.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiktok.com)z
Source: Creal.exe, 00000002.00000002.3273533573.000002710DD89000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253525634.0000019819A35000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819A30000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253265305.0000019819A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: Creal.exe, 00000002.00000002.3275182087.000002710E769000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274878907.000001981A59F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc3610
Source: Creal.exe, 00000002.00000003.2077624829.000002710E7E4000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3275182087.000002710E769000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2077173911.000002710E7E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc5297
Source: Creal.exe, 00000002.00000002.3273533573.000002710DC9A000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273072089.0000019819590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://twitch.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitch.com)z
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com)z
Source: Creal.exe, 00000002.00000002.3273533573.000002710DD89000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3274326927.000002710DED9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253525634.0000019819A35000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2252503496.0000019819CB3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819CB3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819A30000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253852884.0000019819CC7000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253265305.0000019819A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://uber.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uber.com)z
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#https-proxy-error-http-proxy
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#https-proxy-error-http-proxyr
Source: Creal.exe, 00000008.00000002.3274690309.000001981A290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2252991655.00000198199DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/stable/v2-migration-guide.html
Source: Creal.exe, 00000002.00000002.3273533573.000002710DD19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/html/sec-forms.html#multipart-form-data
Source: Creal.exe, 00000002.00000003.2038752381.000002710DCBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www-cs-faculty.stan
Source: Creal.exe, 00000002.00000003.2038462297.000002710DCCF000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3273070510.000002710D81F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2038462297.000002710DC77000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253525634.0000019819AD7000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819AD7000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2239166710.0000019819A58000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2239166710.0000019819AD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www-cs-faculty.stanford.edu/~knuth/fasc2a.ps.gz
Source: Creal.exe, 00000000.00000003.2015491460.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2212873713.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.apache.org/licenses/
Source: Creal.exe, 00000000.00000003.2015424905.00000254DA860000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2015491460.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2212873713.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2212944606.0000026DDBC41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.apache.org/licenses/LICENSE-2.0
Source: Creal.exe, 00000002.00000002.3273533573.000002710DD89000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ietf.org/rfc/rfc2898.txt
Source: Creal.exe, 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmp, Creal.exe, 00000002.00000002.3278384247.00007FF8A88D4000.00000002.00000001.01000000.00000010.sdmp, Creal.exe, 00000008.00000002.3285054825.00007FF8B83C0000.00000002.00000001.01000000.0000003C.sdmp, Creal.exe, 00000008.00000002.3278022739.00007FF8A75E4000.00000002.00000001.01000000.00000038.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: Creal.exe, 00000002.00000002.3273533573.000002710DD89000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273072089.0000019819590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: Creal.exe, 00000002.00000003.2038726837.000002710DCFF000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2038752381.000002710DCBB000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3273533573.000002710DC9A000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819990000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2239166710.0000019819AD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/
Source: Creal.exe, 00000002.00000002.3278699143.00007FF8A8CF8000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.python.org/psf/license/)
Source: Creal.exe, 00000002.00000002.3275024704.000002710E6FA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274878907.000001981A59F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: Creal.exe, 00000002.00000002.3274326927.000002710DF8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: Creal.exe, 00000008.00000002.3274878907.000001981A59F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/p
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xbox.com)
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com)z
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com)
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com)z

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A825C00	0_2_00007FF77A825C00
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A8089E0	0_2_00007FF77A8089E0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A826964	0_2_00007FF77A826964
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A801000	0_2_00007FF77A801000
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A8208C8	0_2_00007FF77A8208C8
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A823C10	0_2_00007FF77A823C10
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A812C10	0_2_00007FF77A812C10
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A811B50	0_2_00007FF77A811B50
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A80ACAD	0_2_00007FF77A80ACAD
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A826418	0_2_00007FF77A826418
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A8208C8	0_2_00007FF77A8208C8
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A80A474	0_2_00007FF77A80A474
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A8139A4	0_2_00007FF77A8139A4
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A811944	0_2_00007FF77A811944
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A812164	0_2_00007FF77A812164
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A80A2DB	0_2_00007FF77A80A2DB
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A81DA5C	0_2_00007FF77A81DA5C
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A809800	0_2_00007FF77A809800
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A829728	0_2_00007FF77A829728
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A811740	0_2_00007FF77A811740
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A811F60	0_2_00007FF77A811F60
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A818794	0_2_00007FF77A818794
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A8240AC	0_2_00007FF77A8240AC
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A8180E4	0_2_00007FF77A8180E4
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A821874	0_2_00007FF77A821874
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A8135A0	0_2_00007FF77A8135A0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A815D30	0_2_00007FF77A815D30
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A811D54	0_2_00007FF77A811D54
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A81E570	0_2_00007FF77A81E570
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A819EA0	0_2_00007FF77A819EA0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A81DEF0	0_2_00007FF77A81DEF0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A825E7C	0_2_00007FF77A825E7C
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A826964	2_2_00007FF77A826964
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A801000	2_2_00007FF77A801000
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A823C10	2_2_00007FF77A823C10
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A812C10	2_2_00007FF77A812C10
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A825C00	2_2_00007FF77A825C00
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A811B50	2_2_00007FF77A811B50
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A80ACAD	2_2_00007FF77A80ACAD
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A826418	2_2_00007FF77A826418
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A8208C8	2_2_00007FF77A8208C8
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A80A474	2_2_00007FF77A80A474
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A8139A4	2_2_00007FF77A8139A4
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A8089E0	2_2_00007FF77A8089E0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A811944	2_2_00007FF77A811944
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A812164	2_2_00007FF77A812164
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A80A2DB	2_2_00007FF77A80A2DB
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A81DA5C	2_2_00007FF77A81DA5C
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A809800	2_2_00007FF77A809800
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A829728	2_2_00007FF77A829728
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A811740	2_2_00007FF77A811740
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A811F60	2_2_00007FF77A811F60
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A818794	2_2_00007FF77A818794
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A8240AC	2_2_00007FF77A8240AC
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A8208C8	2_2_00007FF77A8208C8
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A8180E4	2_2_00007FF77A8180E4
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A821874	2_2_00007FF77A821874
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A8135A0	2_2_00007FF77A8135A0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A815D30	2_2_00007FF77A815D30
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A811D54	2_2_00007FF77A811D54
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A81E570	2_2_00007FF77A81E570
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A819EA0	2_2_00007FF77A819EA0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A81DEF0	2_2_00007FF77A81DEF0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A825E7C	2_2_00007FF77A825E7C
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A81B1950	2_2_00007FF8A81B1950
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A81B2270	2_2_00007FF8A81B2270
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A81B1300	2_2_00007FF8A81B1300
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A8282250	2_2_00007FF8A8282250
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82792B0	2_2_00007FF8A82792B0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A8276930	2_2_00007FF8A8276930
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82C2950	2_2_00007FF8A82C2950
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82899A0	2_2_00007FF8A82899A0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A826FA10	2_2_00007FF8A826FA10
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82C4B20	2_2_00007FF8A82C4B20
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82CBB00	2_2_00007FF8A82CBB00
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A830FB10	2_2_00007FF8A830FB10
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82B6B40	2_2_00007FF8A82B6B40
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A8269B90	2_2_00007FF8A8269B90
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A8312BF0	2_2_00007FF8A8312BF0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A8263C10	2_2_00007FF8A8263C10
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82E4C70	2_2_00007FF8A82E4C70
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A829CC59	2_2_00007FF8A829CC59
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82BCC40	2_2_00007FF8A82BCC40
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82F2C40	2_2_00007FF8A82F2C40
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A827CC40	2_2_00007FF8A827CC40
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82EACA0	2_2_00007FF8A82EACA0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82ABC80	2_2_00007FF8A82ABC80
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82F8C80	2_2_00007FF8A82F8C80
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82B0CE0	2_2_00007FF8A82B0CE0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82BBCC0	2_2_00007FF8A82BBCC0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A826BD30	2_2_00007FF8A826BD30
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A8279D00	2_2_00007FF8A8279D00
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A828DDB0	2_2_00007FF8A828DDB0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A8270DC0	2_2_00007FF8A8270DC0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82A4E70	2_2_00007FF8A82A4E70
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82FCEA0	2_2_00007FF8A82FCEA0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82DCF30	2_2_00007FF8A82DCF30
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A8314FC0	2_2_00007FF8A8314FC0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A830DFE0	2_2_00007FF8A830DFE0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82EBFC0	2_2_00007FF8A82EBFC0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A8288020	2_2_00007FF8A8288020
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A8307060	2_2_00007FF8A8307060
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A8287040	2_2_00007FF8A8287040
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82EE0F0	2_2_00007FF8A82EE0F0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A83180B0	2_2_00007FF8A83180B0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A8264120	2_2_00007FF8A8264120
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82721E0	2_2_00007FF8A82721E0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A830B230	2_2_00007FF8A830B230
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A83172C0	2_2_00007FF8A83172C0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A827D2B0	2_2_00007FF8A827D2B0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A83062A0	2_2_00007FF8A83062A0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A828F2F0	2_2_00007FF8A828F2F0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82632F5	2_2_00007FF8A82632F5
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82AF2D0	2_2_00007FF8A82AF2D0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A83242B0	2_2_00007FF8A83242B0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A8267336	2_2_00007FF8A8267336
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A828D310	2_2_00007FF8A828D310
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82EA300	2_2_00007FF8A82EA300
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A830A310	2_2_00007FF8A830A310
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82C7350	2_2_00007FF8A82C7350
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82D43B0	2_2_00007FF8A82D43B0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A827C380	2_2_00007FF8A827C380
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A8307460	2_2_00007FF8A8307460
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A83054A0	2_2_00007FF8A83054A0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82694D0	2_2_00007FF8A82694D0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82AA510	2_2_00007FF8A82AA510
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A8264570	2_2_00007FF8A8264570
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82BB5B0	2_2_00007FF8A82BB5B0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82915A0	2_2_00007FF8A82915A0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82845A0	2_2_00007FF8A82845A0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A828E5C0	2_2_00007FF8A828E5C0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82BE670	2_2_00007FF8A82BE670
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A8273650	2_2_00007FF8A8273650
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82E86B0	2_2_00007FF8A82E86B0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A83196C0	2_2_00007FF8A83196C0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82C06C0	2_2_00007FF8A82C06C0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82D7750	2_2_00007FF8A82D7750
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82D27E6	2_2_00007FF8A82D27E6
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A8264820	2_2_00007FF8A8264820
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A831A860	2_2_00007FF8A831A860
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82CC840	2_2_00007FF8A82CC840
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A83188D0	2_2_00007FF8A83188D0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A826288E	2_2_00007FF8A826288E
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82A5880	2_2_00007FF8A82A5880
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A83118A0	2_2_00007FF8A83118A0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A826A8C0	2_2_00007FF8A826A8C0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1618	2_2_00007FF8A92D1618
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1EE2	2_2_00007FF8A92D1EE2
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9308920	2_2_00007FF8A9308920
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A934AC80	2_2_00007FF8A934AC80
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1A0F	2_2_00007FF8A92D1A0F
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D2617	2_2_00007FF8A92D2617
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1B54	2_2_00007FF8A92D1B54
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D117C	2_2_00007FF8A92D117C
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1CBC	2_2_00007FF8A92D1CBC
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D149C	2_2_00007FF8A92D149C
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D2702	2_2_00007FF8A92D2702
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1D93	2_2_00007FF8A92D1D93
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D16FE	2_2_00007FF8A92D16FE
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9348870	2_2_00007FF8A9348870
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D8720	2_2_00007FF8A92D8720
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D116D	2_2_00007FF8A92D116D
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9319A60	2_2_00007FF8A9319A60
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92FBAE0	2_2_00007FF8A92FBAE0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A931D980	2_2_00007FF8A931D980
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1596	2_2_00007FF8A92D1596
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9315C00	2_2_00007FF8A9315C00
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D155A	2_2_00007FF8A92D155A
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A931DE50	2_2_00007FF8A931DE50
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1546	2_2_00007FF8A92D1546
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D21E4	2_2_00007FF8A92D21E4
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1FDC	2_2_00007FF8A92D1FDC
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92F6030	2_2_00007FF8A92F6030
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1AD7	2_2_00007FF8A92D1AD7
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D24DC	2_2_00007FF8A92D24DC
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A933D2D0	2_2_00007FF8A933D2D0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1C12	2_2_00007FF8A92D1C12
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D17F8	2_2_00007FF8A92D17F8
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A9343650	2_2_00007FF8A9343650
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D21C6	2_2_00007FF8A92D21C6
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D13DE	2_2_00007FF8A92D13DE
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D1654	2_2_00007FF8A92D1654
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8B7E054E8	2_2_00007FF8B7E054E8
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8B7E05CBC	2_2_00007FF8B7E05CBC
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8B7E0BF74	2_2_00007FF8B7E0BF74
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8B7E08734	2_2_00007FF8B7E08734
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11E6964	7_2_00007FF6A11E6964
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11C89E0	7_2_00007FF6A11C89E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11E5C00	7_2_00007FF6A11E5C00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11E08C8	7_2_00007FF6A11E08C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11C1000	7_2_00007FF6A11C1000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11DDA5C	7_2_00007FF6A11DDA5C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11CA2DB	7_2_00007FF6A11CA2DB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11D2164	7_2_00007FF6A11D2164
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11D1944	7_2_00007FF6A11D1944
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11D39A4	7_2_00007FF6A11D39A4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11CA474	7_2_00007FF6A11CA474
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11CACAD	7_2_00007FF6A11CACAD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11D5D30	7_2_00007FF6A11D5D30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11D1B50	7_2_00007FF6A11D1B50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11E08C8	7_2_00007FF6A11E08C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11E6418	7_2_00007FF6A11E6418
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11D2C10	7_2_00007FF6A11D2C10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11E3C10	7_2_00007FF6A11E3C10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11D9EA0	7_2_00007FF6A11D9EA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11E5E7C	7_2_00007FF6A11E5E7C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11DDEF0	7_2_00007FF6A11DDEF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11E9728	7_2_00007FF6A11E9728
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11DE570	7_2_00007FF6A11DE570
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11D1D54	7_2_00007FF6A11D1D54
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11D35A0	7_2_00007FF6A11D35A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11E1874	7_2_00007FF6A11E1874
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11E40AC	7_2_00007FF6A11E40AC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11D80E4	7_2_00007FF6A11D80E4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11D1F60	7_2_00007FF6A11D1F60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11D1740	7_2_00007FF6A11D1740
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11D8794	7_2_00007FF6A11D8794
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11C9800	7_2_00007FF6A11C9800
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11E6964	8_2_00007FF6A11E6964
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11C1000	8_2_00007FF6A11C1000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11DDA5C	8_2_00007FF6A11DDA5C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11CA2DB	8_2_00007FF6A11CA2DB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11D2164	8_2_00007FF6A11D2164
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11D1944	8_2_00007FF6A11D1944
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11D39A4	8_2_00007FF6A11D39A4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11C89E0	8_2_00007FF6A11C89E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11CA474	8_2_00007FF6A11CA474
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11CACAD	8_2_00007FF6A11CACAD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11D5D30	8_2_00007FF6A11D5D30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11D1B50	8_2_00007FF6A11D1B50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11E08C8	8_2_00007FF6A11E08C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11E6418	8_2_00007FF6A11E6418
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11E5C00	8_2_00007FF6A11E5C00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11D2C10	8_2_00007FF6A11D2C10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11E3C10	8_2_00007FF6A11E3C10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11D9EA0	8_2_00007FF6A11D9EA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11E5E7C	8_2_00007FF6A11E5E7C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11DDEF0	8_2_00007FF6A11DDEF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11E9728	8_2_00007FF6A11E9728
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11DE570	8_2_00007FF6A11DE570
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11D1D54	8_2_00007FF6A11D1D54
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11D35A0	8_2_00007FF6A11D35A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11E1874	8_2_00007FF6A11E1874
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11E40AC	8_2_00007FF6A11E40AC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11D80E4	8_2_00007FF6A11D80E4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11E08C8	8_2_00007FF6A11E08C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11D1F60	8_2_00007FF6A11D1F60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11D1740	8_2_00007FF6A11D1740
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11D8794	8_2_00007FF6A11D8794
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11C9800	8_2_00007FF6A11C9800
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7041300	8_2_00007FF8A7041300
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7042270	8_2_00007FF8A7042270
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7041950	8_2_00007FF8A7041950
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A79F92B0	8_2_00007FF8A79F92B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A02250	8_2_00007FF8A7A02250
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A64C70	8_2_00007FF8A7A64C70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A25880	8_2_00007FF8A7A25880
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A79E288E	8_2_00007FF8A79E288E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A79EA8C0	8_2_00007FF8A79EA8C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A79E4820	8_2_00007FF8A79E4820
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A4C840	8_2_00007FF8A7A4C840
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A527E6	8_2_00007FF8A7A527E6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A57750	8_2_00007FF8A7A57750
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A406C0	8_2_00007FF8A7A406C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A3E670	8_2_00007FF8A7A3E670
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A79F3650	8_2_00007FF8A79F3650
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A045A0	8_2_00007FF8A7A045A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A3B5B0	8_2_00007FF8A7A3B5B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A115A0	8_2_00007FF8A7A115A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A0E5C0	8_2_00007FF8A7A0E5C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A2A510	8_2_00007FF8A7A2A510
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A79E4570	8_2_00007FF8A79E4570
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A854A0	8_2_00007FF8A7A854A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A79E94D0	8_2_00007FF8A79E94D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A543B0	8_2_00007FF8A7A543B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A79FC380	8_2_00007FF8A79FC380
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A79E7336	8_2_00007FF8A79E7336
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A0D310	8_2_00007FF8A7A0D310
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A6A300	8_2_00007FF8A7A6A300
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A47350	8_2_00007FF8A7A47350
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7AA42B0	8_2_00007FF8A7AA42B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A79FD2B0	8_2_00007FF8A79FD2B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A0F2F0	8_2_00007FF8A7A0F2F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A79E32F5	8_2_00007FF8A79E32F5
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A2F2D0	8_2_00007FF8A7A2F2D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A79F21E0	8_2_00007FF8A79F21E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A79E4120	8_2_00007FF8A79E4120
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A08020	8_2_00007FF8A7A08020
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A07040	8_2_00007FF8A7A07040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A94FC0	8_2_00007FF8A7A94FC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A6BFC0	8_2_00007FF8A7A6BFC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A5CF30	8_2_00007FF8A7A5CF30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A7CEA0	8_2_00007FF8A7A7CEA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A24E70	8_2_00007FF8A7A24E70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A0DDB0	8_2_00007FF8A7A0DDB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A79F0DC0	8_2_00007FF8A79F0DC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A79EBD30	8_2_00007FF8A79EBD30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A79F9D00	8_2_00007FF8A79F9D00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A6ACA0	8_2_00007FF8A7A6ACA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A78C80	8_2_00007FF8A7A78C80
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A30CE0	8_2_00007FF8A7A30CE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A3BCC0	8_2_00007FF8A7A3BCC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A79E3C10	8_2_00007FF8A79E3C10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A1CC59	8_2_00007FF8A7A1CC59
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A79FCC40	8_2_00007FF8A79FCC40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A3CC40	8_2_00007FF8A7A3CC40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A79E9B90	8_2_00007FF8A79E9B90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A92BF0	8_2_00007FF8A7A92BF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A44B20	8_2_00007FF8A7A44B20
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A4BB00	8_2_00007FF8A7A4BB00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A36B40	8_2_00007FF8A7A36B40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A79EFA10	8_2_00007FF8A79EFA10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A099A0	8_2_00007FF8A7A099A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A79F6930	8_2_00007FF8A79F6930
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A42950	8_2_00007FF8A7A42950
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B23323E0	8_2_00007FF8B23323E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B2331FB0	8_2_00007FF8B2331FB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B27B4810	8_2_00007FF8B27B4810
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B27B45C0	8_2_00007FF8B27B45C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B27C2490	8_2_00007FF8B27C2490
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B27C3520	8_2_00007FF8B27C3520
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B27C29B0	8_2_00007FF8B27C29B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B27C2EB0	8_2_00007FF8B27C2EB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B27C1FE0	8_2_00007FF8B27C1FE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B27C1D70	8_2_00007FF8B27C1D70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B27D2120	8_2_00007FF8B27D2120
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B27D1D30	8_2_00007FF8B27D1D30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B4751F00	8_2_00007FF8B4751F00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8301596	8_2_00007FF8B8301596
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B834D980	8_2_00007FF8B834D980
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8349A60	8_2_00007FF8B8349A60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B832BAE0	8_2_00007FF8B832BAE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B830155A	8_2_00007FF8B830155A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8345C00	8_2_00007FF8B8345C00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8301FDC	8_2_00007FF8B8301FDC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B83021E4	8_2_00007FF8B83021E4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B830149C	8_2_00007FF8B830149C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8301B54	8_2_00007FF8B8301B54
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B830117C	8_2_00007FF8B830117C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B8302702	8_2_00007FF8B8302702
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8BFB660B4	8_2_00007FF8BFB660B4

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: String function: 00007FF8B837D32F appears 107 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: String function: 00007FF8A79EA500 appears 163 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: String function: 00007FF8A79E9340 appears 135 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: String function: 00007FF6A11C2910 appears 34 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: String function: 00007FF6A11C2710 appears 104 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: String function: 00007FF8A7A11E20 appears 33 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: String function: 00007FF8B8301325 appears 145 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: String function: 00007FF8B837D341 appears 406 times
Source: C:\Users\user\Desktop\Creal.exe	Code function: String function: 00007FF77A802710 appears 104 times
Source: C:\Users\user\Desktop\Creal.exe	Code function: String function: 00007FF8A934D341 appears 1189 times
Source: C:\Users\user\Desktop\Creal.exe	Code function: String function: 00007FF8A934DB03 appears 45 times
Source: C:\Users\user\Desktop\Creal.exe	Code function: String function: 00007FF8A934D32F appears 323 times
Source: C:\Users\user\Desktop\Creal.exe	Code function: String function: 00007FF8A934D33B appears 43 times
Source: C:\Users\user\Desktop\Creal.exe	Code function: String function: 00007FF8A8269340 appears 136 times
Source: C:\Users\user\Desktop\Creal.exe	Code function: String function: 00007FF8A826A500 appears 179 times
Source: C:\Users\user\Desktop\Creal.exe	Code function: String function: 00007FF8A934D425 appears 47 times
Source: C:\Users\user\Desktop\Creal.exe	Code function: String function: 00007FF8A8291E20 appears 33 times
Source: C:\Users\user\Desktop\Creal.exe	Code function: String function: 00007FF77A802910 appears 34 times
Source: C:\Users\user\Desktop\Creal.exe	Code function: String function: 00007FF8A92D1325 appears 471 times

Source: _overlapped.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: _overlapped.pyd.7.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.7.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: python3.dll.0.dr	Static PE information: No import functions for PE file found
Source: python3.dll.7.dr	Static PE information: No import functions for PE file found

Source: Creal.exe, 00000000.00000003.2013500639.00000254DA852000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs Creal.exe
Source: Creal.exe, 00000000.00000003.2012254745.00000254DA852000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs Creal.exe
Source: Creal.exe, 00000000.00000003.2013183257.00000254DA852000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs Creal.exe
Source: Creal.exe, 00000000.00000003.2013105492.00000254DA852000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_overlapped.pyd. vs Creal.exe
Source: Creal.exe, 00000000.00000003.2012139537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_asyncio.pyd. vs Creal.exe
Source: Creal.exe, 00000000.00000003.2012690992.00000254DA852000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs Creal.exe
Source: Creal.exe, 00000000.00000003.2013698188.00000254DA852000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_wmi.pyd. vs Creal.exe
Source: Creal.exe, 00000000.00000003.2013364917.00000254DA852000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs Creal.exe
Source: Creal.exe, 00000000.00000003.2011920912.00000254DA852000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs Creal.exe
Source: Creal.exe, 00000000.00000003.2012043835.00000254DA852000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs Creal.exe
Source: Creal.exe, 00000000.00000003.2012538251.00000254DA852000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs Creal.exe
Source: Creal.exe, 00000000.00000003.2013034623.00000254DA852000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_multiprocessing.pyd. vs Creal.exe
Source: Creal.exe, 00000000.00000003.2012825671.00000254DA852000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs Creal.exe
Source: Creal.exe, 00000000.00000003.2012922537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs Creal.exe
Source: Creal.exe, 00000000.00000003.2013254429.00000254DA852000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs Creal.exe
Source: Creal.exe, 00000000.00000003.2013623021.00000254DA852000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_uuid.pyd. vs Creal.exe
Source: Creal.exe	Binary or memory string: OriginalFilename vs Creal.exe
Source: Creal.exe, 00000002.00000002.3277410291.00007FF8A83C8000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs Creal.exe
Source: Creal.exe, 00000002.00000002.3287632679.00007FF8B8C1D000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs Creal.exe
Source: Creal.exe, 00000002.00000002.3286967003.00007FF8B8AF6000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs Creal.exe
Source: Creal.exe, 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmp	Binary or memory string: OriginalFilenamelibsslH vs Creal.exe
Source: Creal.exe, 00000002.00000002.3271977344.000002710B860000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs Creal.exe
Source: Creal.exe, 00000002.00000002.3287445318.00007FF8B8B43000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs Creal.exe
Source: Creal.exe, 00000002.00000002.3288058332.00007FF8B8F8E000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs Creal.exe
Source: Creal.exe, 00000002.00000002.3277146190.00007FF8A825C000.00000002.00000001.01000000.00000018.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs Creal.exe
Source: Creal.exe, 00000002.00000002.3286740314.00007FF8B8835000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: OriginalFilename_uuid.pyd. vs Creal.exe
Source: Creal.exe, 00000002.00000002.3288268864.00007FF8B93D2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs Creal.exe
Source: Creal.exe, 00000002.00000002.3279822614.00007FF8A8F30000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamepython313.dll. vs Creal.exe
Source: Creal.exe, 00000002.00000002.3287163419.00007FF8B8B13000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs Creal.exe
Source: Creal.exe, 00000002.00000002.3288893559.00007FF8BA4F8000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilename_wmi.pyd. vs Creal.exe
Source: Creal.exe, 00000002.00000002.3288498510.00007FF8B9849000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs Creal.exe
Source: Creal.exe, 00000002.00000002.3286352404.00007FF8B7E5E000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilenamepyexpat.pyd. vs Creal.exe
Source: Creal.exe, 00000002.00000002.3288688711.00007FF8BA25A000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs Creal.exe
Source: Creal.exe, 00000002.00000002.3285073839.00007FF8B7DFC000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs Creal.exe
Source: Creal.exe, 00000002.00000002.3287840906.00007FF8B8CB6000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs Creal.exe
Source: Creal.exe, 00000002.00000002.3278384247.00007FF8A88D4000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs Creal.exe
Source: Creal.exe, 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs Creal.exe
Source: Creal.exe, 00000007.00000003.2211228015.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs Creal.exe
Source: Creal.exe, 00000007.00000003.2210597001.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_overlapped.pyd. vs Creal.exe
Source: Creal.exe, 00000007.00000003.2210129930.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs Creal.exe
Source: Creal.exe, 00000007.00000003.2210469463.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_multiprocessing.pyd. vs Creal.exe
Source: Creal.exe, 00000007.00000003.2210291653.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs Creal.exe
Source: Creal.exe, 00000007.00000003.2210730627.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs Creal.exe
Source: Creal.exe, 00000007.00000003.2210620588.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_overlapped.pyd. vs Creal.exe
Source: Creal.exe, 00000007.00000003.2208996602.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_asyncio.pyd. vs Creal.exe
Source: Creal.exe, 00000007.00000003.2208832150.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs Creal.exe
Source: Creal.exe, 00000007.00000003.2209177620.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs Creal.exe
Source: Creal.exe, 00000007.00000003.2209952073.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs Creal.exe
Source: Creal.exe, 00000007.00000003.2208640243.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs Creal.exe
Source: Creal.exe, 00000007.00000003.2210493160.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_multiprocessing.pyd. vs Creal.exe
Source: Creal.exe, 00000007.00000003.2209644682.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs Creal.exe
Source: Creal.exe	Binary or memory string: OriginalFilename vs Creal.exe
Source: Creal.exe, 00000008.00000002.3287250834.00007FF8B9126000.00000002.00000001.01000000.00000036.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs Creal.exe
Source: Creal.exe, 00000008.00000002.3286608643.00007FF8B90E6000.00000002.00000001.01000000.0000003A.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs Creal.exe
Source: Creal.exe, 00000008.00000002.3285054825.00007FF8B83C0000.00000002.00000001.01000000.0000003C.sdmp	Binary or memory string: OriginalFilenamelibsslH vs Creal.exe
Source: Creal.exe, 00000008.00000002.3287947160.00007FF8B91A3000.00000002.00000001.01000000.00000032.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs Creal.exe
Source: Creal.exe, 00000008.00000002.3288351032.00007FF8BA522000.00000002.00000001.01000000.00000031.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs Creal.exe
Source: Creal.exe, 00000008.00000002.3278367336.00007FF8A7B48000.00000002.00000001.01000000.0000003E.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs Creal.exe
Source: Creal.exe, 00000008.00000002.3279740292.00007FF8A81A0000.00000002.00000001.01000000.0000002C.sdmp	Binary or memory string: OriginalFilenamepython313.dll. vs Creal.exe
Source: Creal.exe, 00000008.00000002.3278022739.00007FF8A75E4000.00000002.00000001.01000000.00000038.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs Creal.exe
Source: Creal.exe, 00000008.00000002.3287678006.00007FF8B9179000.00000002.00000001.01000000.00000034.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs Creal.exe
Source: Creal.exe, 00000008.00000002.3287467530.00007FF8B915E000.00000002.00000001.01000000.00000035.sdmp	Binary or memory string: OriginalFilenamepyexpat.pyd. vs Creal.exe
Source: Creal.exe, 00000008.00000002.3288933607.00007FF8BFBAA000.00000002.00000001.01000000.0000002D.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs Creal.exe

Source: classification engine

Classification label: mal96.troj.adwa.spyw.winEXE@16/193@4/5

Source: C:\Users\user\Desktop\Creal.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5428:120:WilError_03

Source: C:\Users\user\Desktop\Creal.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI39642

Jump to behavior

Source: Creal.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Creal.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Creal.exe, 00000002.00000002.3277331741.00007FF8A8394000.00000002.00000001.01000000.00000016.sdmp, Creal.exe, 00000008.00000002.3278284280.00007FF8A7B14000.00000002.00000001.01000000.0000003E.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Creal.exe, 00000002.00000002.3274825814.000002710E410000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274690309.000001981A290000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT action_url, username_value, password_value FROM logins;
Source: Creal.exe, 00000002.00000002.3277331741.00007FF8A8394000.00000002.00000001.01000000.00000016.sdmp, Creal.exe, 00000008.00000002.3278284280.00007FF8A7B14000.00000002.00000001.01000000.0000003E.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Creal.exe, 00000002.00000002.3277331741.00007FF8A8394000.00000002.00000001.01000000.00000016.sdmp, Creal.exe, 00000008.00000002.3278284280.00007FF8A7B14000.00000002.00000001.01000000.0000003E.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Creal.exe, 00000002.00000002.3277331741.00007FF8A8394000.00000002.00000001.01000000.00000016.sdmp, Creal.exe, 00000008.00000002.3278284280.00007FF8A7B14000.00000002.00000001.01000000.0000003E.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: Creal.exe, Creal.exe, 00000008.00000002.3278284280.00007FF8A7B14000.00000002.00000001.01000000.0000003E.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Creal.exe, 00000002.00000002.3277331741.00007FF8A8394000.00000002.00000001.01000000.00000016.sdmp, Creal.exe, 00000008.00000002.3278284280.00007FF8A7B14000.00000002.00000001.01000000.0000003E.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: Creal.exe, 00000008.00000003.2269981623.000001981A75C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Creal.exe, 00000002.00000002.3277331741.00007FF8A8394000.00000002.00000001.01000000.00000016.sdmp, Creal.exe, 00000008.00000002.3278284280.00007FF8A7B14000.00000002.00000001.01000000.0000003E.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: Creal.exe

ReversingLabs: Detection: 15%

Source: C:\Users\user\Desktop\Creal.exe

File read: C:\Users\user\Desktop\Creal.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Creal.exe "C:\Users\user\Desktop\Creal.exe"
Source: C:\Users\user\Desktop\Creal.exe	Process created: C:\Users\user\Desktop\Creal.exe "C:\Users\user\Desktop\Creal.exe"
Source: C:\Users\user\Desktop\Creal.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl ifconfig.me"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl ifconfig.me
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe"
Source: C:\Windows\System32\curl.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl ifconfig.me"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl ifconfig.me
Source: C:\Users\user\Desktop\Creal.exe	Process created: C:\Users\user\Desktop\Creal.exe "C:\Users\user\Desktop\Creal.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl ifconfig.me"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl ifconfig.me	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl ifconfig.me"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl ifconfig.me	Jump to behavior

Source: C:\Users\user\Desktop\Creal.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Creal.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Creal.exe

Static file information: File size 16912015 > 1048576

Source: Creal.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Creal.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Creal.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Creal.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Creal.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Creal.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Creal.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: Creal.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: Creal.exe, 00000002.00000002.3276941699.00007FF8A8257000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: Creal.exe, 00000002.00000002.3278024317.00007FF8A882A000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: Creal.exe, 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb(('GCTL source: Creal.exe, 00000000.00000003.2013698188.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3288809045.00007FF8BA4F4000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: Creal.exe, 00000000.00000003.2013105492.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210597001.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Creal.exe, 00000000.00000003.2011920912.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3288624877.00007FF8BA254000.00000002.00000001.01000000.00000005.sdmp, Creal.exe, 00000007.00000003.2208617865.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3288854433.00007FF8BFBA4000.00000002.00000001.01000000.0000002D.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: Creal.exe, 00000002.00000002.3278024317.00007FF8A8792000.00000002.00000001.01000000.00000010.sdmp, Creal.exe, 00000008.00000002.3277713279.00007FF8A74A2000.00000002.00000001.01000000.00000038.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: Creal.exe, 00000000.00000003.2011920912.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3288624877.00007FF8BA254000.00000002.00000001.01000000.00000005.sdmp, Creal.exe, 00000007.00000003.2208617865.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3288854433.00007FF8BFBA4000.00000002.00000001.01000000.0000002D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: Creal.exe, 00000002.00000002.3277331741.00007FF8A8394000.00000002.00000001.01000000.00000016.sdmp, Creal.exe, 00000008.00000002.3278284280.00007FF8A7B14000.00000002.00000001.01000000.0000003E.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: Creal.exe, 00000002.00000002.3278024317.00007FF8A882A000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: Creal.exe, 00000000.00000003.2013034623.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2210469463.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: Creal.exe, 00000000.00000003.2012043835.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3288413452.00007FF8B9845000.00000002.00000001.01000000.0000000C.sdmp, Creal.exe, 00000007.00000003.2208832150.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3287591621.00007FF8B9175000.00000002.00000001.01000000.00000034.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: Creal.exe, 00000002.00000002.3286869454.00007FF8B8AF3000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: Creal.exe, 00000002.00000002.3287970612.00007FF8B8F83000.00000002.00000001.01000000.00000007.sdmp, Creal.exe, 00000008.00000002.3288648125.00007FF8BFB73000.00000002.00000001.01000000.0000002F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: Creal.exe, 00000000.00000003.2012825671.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3287550512.00007FF8B8C16000.00000002.00000001.01000000.0000000F.sdmp, Creal.exe, 00000007.00000003.2210152197.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3286949600.00007FF8B9116000.00000002.00000001.01000000.00000037.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: Creal.exe, 00000000.00000003.2012922537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3287313269.00007FF8B8B3B000.00000002.00000001.01000000.0000000A.sdmp, Creal.exe, 00000007.00000003.2210291653.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: Creal.exe, 00000000.00000003.2012139537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2208996602.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: Creal.exe, 00000000.00000003.2013623021.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3286647711.00007FF8B8833000.00000002.00000001.01000000.00000017.sdmp, Creal.exe, 00000008.00000002.3286329041.00007FF8B90D3000.00000002.00000001.01000000.0000003F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: Creal.exe, 00000002.00000002.3286119813.00007FF8B7E52000.00000002.00000001.01000000.0000000D.sdmp, Creal.exe, 00000008.00000002.3287382761.00007FF8B9152000.00000002.00000001.01000000.00000035.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: Creal.exe, 00000000.00000003.2013183257.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3287755549.00007FF8B8CB3000.00000002.00000001.01000000.0000000E.sdmp, Creal.exe, 00000007.00000003.2210730627.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: Creal.exe, 00000000.00000003.2012922537.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3287313269.00007FF8B8B3B000.00000002.00000001.01000000.0000000A.sdmp, Creal.exe, 00000007.00000003.2210291653.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: Creal.exe, 00000000.00000003.2012254745.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3288184798.00007FF8B93CD000.00000002.00000001.01000000.00000009.sdmp, Creal.exe, 00000007.00000003.2209177620.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: Creal.exe, 00000000.00000003.2013698188.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3288809045.00007FF8BA4F4000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: Creal.exe, 00000000.00000003.2013254429.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3287078699.00007FF8B8B09000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: Creal.exe, 00000002.00000002.3284976163.00007FF8B7DEF000.00000002.00000001.01000000.00000015.sdmp, Creal.exe, 00000008.00000002.3284231215.00007FF8B82EF000.00000002.00000001.01000000.0000003D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: Creal.exe, 00000002.00000002.3271977344.000002710B860000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python313.pdb source: Creal.exe, 00000002.00000002.3278699143.00007FF8A8CF8000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: Creal.exe, 00000000.00000003.2012043835.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3288413452.00007FF8B9845000.00000002.00000001.01000000.0000000C.sdmp, Creal.exe, 00000007.00000003.2208832150.0000026DDBC39000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3287591621.00007FF8B9175000.00000002.00000001.01000000.00000034.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: Creal.exe, 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: Creal.exe, 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmp, Creal.exe, 00000008.00000002.3285616880.00007FF8B83DE000.00000002.00000001.01000000.0000003B.sdmp

Source: Creal.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Creal.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Creal.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Creal.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Creal.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: VCRUNTIME140.dll.0.dr

Static PE information: 0x78BDDED1 [Sat Mar 11 17:01:05 2034 UTC]

Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: libcrypto-3.dll.0.dr	Static PE information: section name: .00cfg
Source: libssl-3.dll.0.dr	Static PE information: section name: .00cfg
Source: python313.dll.0.dr	Static PE information: section name: PyRuntim
Source: VCRUNTIME140.dll.7.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.7.dr	Static PE information: section name: _RDATA
Source: libcrypto-3.dll.7.dr	Static PE information: section name: .00cfg
Source: libssl-3.dll.7.dr	Static PE information: section name: .00cfg
Source: python313.dll.7.dr	Static PE information: section name: PyRuntim

Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82A267D push rbx; retf	2_2_00007FF8A82A2685
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A82A27AE push rsp; iretd	2_2_00007FF8A82A27B9
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92F4331 push rcx; ret	2_2_00007FF8A92F4332
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A227AE push rsp; iretd	8_2_00007FF8A7A227B9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7A2267D push rbx; retf	8_2_00007FF8A7A22685

Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\PublicKey\_curve448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\_cffi_backend.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\python313.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\python313.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\PublicKey\_curve25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\PublicKey\_curve448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\PublicKey\_curve25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\_cffi_backend.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\unicodedata.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txt			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txt			Jump to behavior

Boot Survival

Drops PE files to the startup folder

Source: C:\Users\user\Desktop\Creal.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Creal.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe

Jump to behavior

Source: C:\Users\user\Desktop\Creal.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe

Jump to behavior

Source: C:\Users\user\Desktop\Creal.exe

Code function: 0_2_00007FF77A805830 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

0_2_00007FF77A805830

Source: C:\Users\user\Desktop\Creal.exe

Code function: 2_2_00007FF8A9318816 sgdt fword ptr [rax]

2_2_00007FF8A9318816

Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\PublicKey\_curve448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\_cffi_backend.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\python313.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\python313.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\PublicKey\_curve25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\PublicKey\_curve448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\PublicKey\_curve25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\_cffi_backend.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64882\unicodedata.pyd	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\Creal.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_0-18135

Source: C:\Users\user\Desktop\Creal.exe	API coverage: 1.3 %
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	API coverage: 1.8 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A809280 FindFirstFileExW,FindClose,	0_2_00007FF77A809280
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A8083C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF77A8083C0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A821874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF77A821874
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A809280 FindFirstFileExW,FindClose,	2_2_00007FF77A809280
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A8083C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	2_2_00007FF77A8083C0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A821874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF77A821874
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11C9280 FindFirstFileExW,FindClose,	7_2_00007FF6A11C9280
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11C83C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	7_2_00007FF6A11C83C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11E1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	7_2_00007FF6A11E1874
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11C9280 FindFirstFileExW,FindClose,	8_2_00007FF6A11C9280
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11C83C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	8_2_00007FF6A11C83C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11E1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	8_2_00007FF6A11E1874

Source: C:\Users\user\Desktop\Creal.exe

Code function: 2_2_00007FF8A8271230 GetSystemInfo,

2_2_00007FF8A8271230

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior

Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: fiCHjwGwuvMcigPV
Source: Creal.exe, 00000000.00000003.2014522897.00000254DA852000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
Source: Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: iCHjwGwuvMcigPV
Source: Creal.exe, 00000008.00000003.2253525634.0000019819A35000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819A30000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2240741453.0000019819A36000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253265305.0000019819A30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWend
Source: Creal.exe, 00000002.00000002.3273070510.000002710D81F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW %SystemRoot%\system32\mswsock.dll"[
Source: Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: iCHjwGwuvMcigPVs
Source: Creal.exe, 00000002.00000002.3273424541.000002710DAD0000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274182061.0000019819D90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ro.kernel.qemu
Source: Creal.exe, 00000008.00000003.2235298280.00000198195E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ro.kernel.qemur
Source: Creal.exe, 00000002.00000002.3273424541.000002710DAD0000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274182061.0000019819D90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: dro.kernel.qemu
Source: curl.exe, 00000005.00000002.2047927659.000001BAD5628000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000005.00000003.2047685730.000001BAD5625000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Creal.exe

Code function: 0_2_00007FF77A80D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF77A80D12C

Source: C:\Users\user\Desktop\Creal.exe

Code function: 0_2_00007FF77A823480 GetProcessHeap,

0_2_00007FF77A823480

Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A80D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF77A80D12C
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A80D30C SetUnhandledExceptionFilter,	0_2_00007FF77A80D30C
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A80C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF77A80C8A0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 0_2_00007FF77A81A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF77A81A614
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A80D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF77A80D12C
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A80D30C SetUnhandledExceptionFilter,	2_2_00007FF77A80D30C
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A80C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF77A80C8A0
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF77A81A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF77A81A614
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A81B3248 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF8A81B3248
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A81B2C90 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF8A81B2C90
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A8392920 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF8A8392920
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8A92D212B IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF8A92D212B
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8B7E0339C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF8B7E0339C
Source: C:\Users\user\Desktop\Creal.exe	Code function: 2_2_00007FF8B7E02970 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF8B7E02970
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11CD30C SetUnhandledExceptionFilter,	7_2_00007FF6A11CD30C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11DA614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00007FF6A11DA614
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11CC8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00007FF6A11CC8A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 7_2_00007FF6A11CD12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00007FF6A11CD12C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11CD30C SetUnhandledExceptionFilter,	8_2_00007FF6A11CD30C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11DA614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF6A11DA614
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11CC8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FF6A11CC8A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF6A11CD12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF6A11CD12C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7042C90 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FF8A7042C90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7043248 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF8A7043248
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8A7B12920 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FF8A7B12920
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B2331960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF8B2331960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B2331390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FF8B2331390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B27B1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FF8B27B1390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B27B1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF8B27B1960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B27C1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FF8B27C1390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B27C1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF8B27C1960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B27D1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FF8B27D1390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B27D1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF8B27D1960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8B4751390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FF8B4751390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Code function: 8_2_00007FF8BFB66EC4 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF8BFB66EC4

Source: C:\Users\user\Desktop\Creal.exe	Process created: C:\Users\user\Desktop\Creal.exe "C:\Users\user\Desktop\Creal.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl ifconfig.me"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl ifconfig.me	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl ifconfig.me"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl ifconfig.me	Jump to behavior

Source: C:\Users\user\Desktop\Creal.exe

Code function: 0_2_00007FF77A829570 cpuid

0_2_00007FF77A829570

Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Util VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\cryptography-43.0.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\cryptography-43.0.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\cryptography-43.0.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\cryptography-43.0.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\cryptography-43.0.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\cryptography-43.0.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\cryptography-43.0.3.dist-info\license_files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\cryptography-43.0.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\cryptography-43.0.3.dist-info\license_files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor\importlib_metadata-8.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\_wmi.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\pyexpat.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor\jaraco VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor\jaraco\text\Lorem ipsum.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor\jaraco\text\Lorem ipsum.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\_sqlite3.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\_uuid.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\Desktop\Creal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Util VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\cryptography-43.0.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\cryptography-43.0.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\cryptography-43.0.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\cryptography-43.0.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\cryptography-43.0.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\cryptography-43.0.3.dist-info\license_files VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\cryptography-43.0.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\cryptography-43.0.3.dist-info\license_files VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools\_vendor\importlib_metadata-8.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Creal.exe

Code function: 0_2_00007FF77A80D010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF77A80D010

Source: C:\Users\user\Desktop\Creal.exe

Code function: 0_2_00007FF77A825C00 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF77A825C00

Stealing of Sensitive Information

Yara detected Creal Stealer

Source: Yara match	File source: 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2240741453.0000019819C93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3274781930.000001981A390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Creal.exe PID: 6572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Creal.exe PID: 6504, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Creal.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior

Tries to steal communication platform credentials (via file / registry access)

Source: C:\Users\user\Desktop\Creal.exe	File opened: C:\Users\user\AppData\Local\Discord	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	File opened: C:\Users\user\AppData\Local\DiscordCanary	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	File opened: C:\Users\user\AppData\Local\DiscordPTB	Jump to behavior
Source: C:\Users\user\Desktop\Creal.exe	File opened: C:\Users\user\AppData\Local\DiscordDevelopment	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File opened: C:\Users\user\AppData\Local\Discord	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File opened: C:\Users\user\AppData\Local\DiscordCanary	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File opened: C:\Users\user\AppData\Local\DiscordPTB	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	File opened: C:\Users\user\AppData\Local\DiscordDevelopment	Jump to behavior

Remote Access Functionality

Yara detected Creal Stealer

Source: Yara match	File source: 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2240741453.0000019819C93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3274781930.000001981A390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Creal.exe PID: 6572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Creal.exe PID: 6504, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	12 Registry Run Keys / Startup Folder	11 Process Injection	1 Masquerading	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Email Collection	22 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	12 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Creal.exe	16%	ReversingLabs	Win64.Trojan.ReverseShell
Creal.exe	100%	Avira	OSX/GM.ReverseShe.TH

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_ARC4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_Salsa20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_chacha20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_pkcs1_decode.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_aes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_aesni.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_arc2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_blowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_cast.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_cbc.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_cfb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_ctr.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_des.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_des3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_ecb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_eksblowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_ocb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_ofb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_BLAKE2b.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_BLAKE2s.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_MD2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_MD4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_MD5.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_RIPEMD160.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_SHA1.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_SHA224.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_SHA256.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_SHA384.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_SHA512.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_ghash_clmul.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_ghash_portable.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_keccak.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_poly1305.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Math\_modexp.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Protocol\_scrypt.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\PublicKey\_curve25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\PublicKey\_curve448.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\PublicKey\_ec_ws.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\PublicKey\_ed25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\PublicKey\_ed448.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Util\_cpuid_c.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Util\_strxor.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\VCRUNTIME140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\_asyncio.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\_cffi_backend.cp313-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\_multiprocessing.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\_overlapped.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\_uuid.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\_wmi.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\cryptography\hazmat\bindings\_rust.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\libcrypto-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\libffi-8.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\libssl-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\pyexpat.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\python3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\python313.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\sqlite3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI39642\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_ARC4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_Salsa20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_chacha20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_pkcs1_decode.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_aes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_aesni.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_arc2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_blowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_cast.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_cbc.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_cfb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_ctr.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_des.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_des3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_ecb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_eksblowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_ocb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_ofb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_BLAKE2b.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_BLAKE2s.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_MD2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_MD4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_MD5.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_RIPEMD160.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_SHA1.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_SHA224.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_SHA256.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_SHA384.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_SHA512.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_ghash_clmul.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_ghash_portable.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label
https://coinbase.com)z	0%	Avira URL Cloud	safe
https://ebay.com)z$	0%	Avira URL Cloud	safe
https://roblox.com)z	0%	Avira URL Cloud	safe
https://twitch.com)z	0%	Avira URL Cloud	safe
https://www-cs-faculty.stan	0%	Avira URL Cloud	safe
https://discord.com)z	0%	Avira URL Cloud	safe
https://gmail.com)z	0%	Avira URL Cloud	safe
https://hbo.com)z	0%	Avira URL Cloud	safe
http://repository.swisssign.com/r	0%	Avira URL Cloud	safe
https://paypal.com)z	0%	Avira URL Cloud	safe
https://telegram.com)z	0%	Avira URL Cloud	safe
https://pornhub.com)z	0%	Avira URL Cloud	safe
https://epicgames.com)z	0%	Avira URL Cloud	safe
https://binance.com)z	0%	Avira URL Cloud	safe
https://yahoo.com)z	0%	Avira URL Cloud	safe
http://cacerts.digiY	0%	Avira URL Cloud	safe
https://youtube.com)z	0%	Avira URL Cloud	safe
https://spotify.com)z	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
api.ipify.org	104.26.13.205	true	false	high
geolocation-db.com	159.89.102.253	true	false	high
ifconfig.me	34.160.111.145	true	false	high
api.gofile.io	45.112.123.126	true	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://discord.com/api/webhooks/1304534397680357396/jwWT3Q8Ovv9Vvgd-RNJrwcYvcpgO5pbMYyd8C4eotXdFUJq	Creal.exe, 00000002.00000002.3274825814.000002710E410000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274690309.000001981A290000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/astral-sh/ruff	Creal.exe, 00000007.00000003.2221248662.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	false		high
https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packages	Creal.exe, 00000002.00000002.3273337784.000002710D9D0000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273339355.0000019819890000.00000004.00001000.00020000.00000000.sdmp	false		high
https://cloud.google.com/appengine/docs/standard/runtimes	Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/importlib_metadata/actions/workflows/main.yml/badge.svg	Creal.exe, 00000007.00000003.2221248662.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	false		high
https://coinbase.com)	Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	false		high
https://discord.com)z	Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://geolocation-db.com/jsonp/NoneP	Creal.exe, 00000008.00000002.3275912878.000001981AF50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/importlib_metadata/issues	Creal.exe, 00000007.00000003.2221248662.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tiktok.com)	Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	false		high
https://ebay.com)z$	Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com)	Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	Creal.exe, 00000002.00000002.3272852196.000002710D390000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2034680927.000002710D3C2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2035696816.000002710D3BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2035087329.000002710D3C0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2035299664.000002710D3C2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2035891536.000002710D3C2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2034389160.000002710D3C0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2036517173.000002710D3BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2034159771.000002710D3C3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2036158256.000002710D3BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2224452905.000001981928F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2229673788.0000019819286000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3272835079.0000019819250000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file	Creal.exe, 00000002.00000002.3273070510.000002710D6D0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253525634.0000019819A35000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819A30000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2240741453.0000019819A36000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253265305.0000019819A30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://importlib-metadata.readthedocs.io/	Creal.exe, 00000007.00000003.2221248662.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.apache.org/licenses/LICENSE-2.0	Creal.exe, 00000000.00000003.2015424905.00000254DA860000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000000.00000003.2015491460.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2212873713.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2212944606.0000026DDBC41000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/en/latest/specifications/core-metadata/	Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	Creal.exe, 00000002.00000003.2037448182.000002710D740000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3273070510.000002710D6D0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2235298280.00000198195E9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2237383252.0000019819652000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2239361588.0000019819661000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2236116679.0000019819612000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2241391582.0000019819661000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273072089.0000019819590000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2236912931.0000019819612000.00000004.00000020.00020000.00000000.sdmp	false		high
https://paypal.com)	Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/pypa/packaging	Creal.exe, 00000008.00000002.3274301567.0000019819E90000.00000004.00001000.00020000.00000000.sdmp	false		high
https://readthedocs.org/projects/importlib-metadata/badge/?version=latest	Creal.exe, 00000007.00000003.2221248662.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	false		high
https://refspecs.linuxfoundation.org/elf/gabi4	Creal.exe, 00000002.00000002.3274456628.000002710DFD0000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274301567.0000019819E90000.00000004.00001000.00020000.00000000.sdmp	false		high
https://xbox.com)	Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	false		high
https://youtube.com)	Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	false		high
https://blog.jaraco.com/skeleton	Creal.exe, 00000007.00000003.2221248662.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	false		high
https://twitch.com)z	Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tools.ietf.org/html/rfc3610	Creal.exe, 00000002.00000002.3275182087.000002710E769000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274878907.000001981A59F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/platformdirs/platformdirs	Creal.exe, 00000002.00000002.3274637231.000002710E1E0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl	Creal.exe, 00000002.00000002.3274326927.000002710DF8E000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3275024704.000002710E6FA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274131424.0000019819D3B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://curl.haxx.se/rfc/cookie_spec.html	Creal.exe, 00000002.00000002.3275493075.000002710EE40000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3275460819.000001981AC90000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819C93000.00000004.00000020.00020000.00000000.sdmp	false		high
https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr;	Creal.exe, 00000002.00000003.2036893555.000002710D808000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2036893555.000002710D847000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2036991859.000002710D847000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2234942777.0000019819774000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2233919145.000001981974B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2234333726.000001981975B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename	Creal.exe, 00000002.00000002.3272386577.000002710D130000.00000004.00001000.00020000.00000000.sdmp	false		high
https://crunchyroll.com)	Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	false		high
https://gmail.com)z	Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://httpbin.org/	Creal.exe, 00000002.00000002.3273533573.000002710DD89000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3274326927.000002710DED9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253525634.0000019819A35000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2252503496.0000019819CB3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819CB3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819A30000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253852884.0000019819CC7000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253265305.0000019819A30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://paypal.com)z	Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pypi.org/project/build/).	Creal.exe, 00000008.00000002.3274596226.000001981A190000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274690309.000001981A290000.00000004.00001000.00020000.00000000.sdmp	false		high
https://coinbase.com)z	Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wwww.certigna.fr/autorites/0m	Creal.exe, 00000002.00000002.3274326927.000002710DF8E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	Creal.exe, 00000002.00000002.3272852196.000002710D390000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2034680927.000002710D3C2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2035696816.000002710D3BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2035087329.000002710D3C0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2035299664.000002710D3C2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2035891536.000002710D3C2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2034389160.000002710D3C0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2036517173.000002710D3BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2034159771.000002710D3C3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2036158256.000002710D3BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2230841946.0000019819274000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2224452905.000001981928F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2229673788.0000019819286000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3272835079.0000019819250000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/issues/86361.	Creal.exe, 00000002.00000003.2037448182.000002710D740000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2037811984.000002710D858000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3273070510.000002710D6D0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2037764848.000002710D825000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2037995997.000002710D85F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2037390047.000002710D851000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2238497400.00000198196FC000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2239361588.000001981966C000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2237823168.00000198196FC000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2235298280.00000198196FC000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2241391582.0000019819661000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273072089.0000019819590000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2236385058.00000198196FC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ebay.com)	Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	false		high
https://httpbin.org/	Creal.exe, 00000002.00000002.3273533573.000002710DD89000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3274326927.000002710DED9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253525634.0000019819A35000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2252503496.0000019819CB3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819CB3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819A30000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253852884.0000019819CC7000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253265305.0000019819A30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.apache.org/licenses/	Creal.exe, 00000000.00000003.2015491460.00000254DA852000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2212873713.0000026DDBC33000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www-cs-faculty.stan	Creal.exe, 00000002.00000003.2038752381.000002710DCBB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main	Creal.exe, 00000000.00000003.2014869136.00000254DA855000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2212389003.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/p	Creal.exe, 00000008.00000002.3272835079.0000019819250000.00000004.00000020.00020000.00000000.sdmp	false		high
https://roblox.com)z	Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module	Creal.exe, 00000002.00000002.3272386577.000002710D130000.00000004.00001000.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/r	Creal.exe, 00000002.00000002.3273533573.000002710DE65000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches	Creal.exe, 00000002.00000002.3272386577.000002710D130000.00000004.00001000.00020000.00000000.sdmp	false		high
https://hbo.com)z	Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://binance.com)z	Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://playstation.com)	Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	false		high
https://img.shields.io/badge/skeleton-2024-informational	Creal.exe, 00000007.00000003.2221248662.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/en/latest/specifications/pyproject-toml/#declaring-project-metadata-the	Creal.exe, 00000002.00000002.3273533573.000002710DD19000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2253525634.0000019819AD7000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819AD7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	Creal.exe, 00000002.00000002.3273533573.000002710DD89000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3274326927.000002710DED9000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2252503496.0000019819CB3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819CB3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274131424.0000019819D3B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cryptography.io/en/latest/installation/	Creal.exe, 00000000.00000003.2014869136.00000254DA855000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2212389003.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sellix.io)	Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/pypa/setuptools/issues/417#issuecomment-392298401	Creal.exe, 00000002.00000002.3274731445.000002710E310000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274596226.000001981A190000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl	Creal.exe, 00000002.00000002.3273533573.000002710DE65000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274131424.0000019819D3B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	Creal.exe, 00000002.00000002.3274326927.000002710DF8E000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3273533573.000002710DE65000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/rfc6125#section-6.4.3	Creal.exe, 00000002.00000002.3274825814.000002710E410000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274690309.000001981A290000.00000004.00001000.00020000.00000000.sdmp	false		high
https://telegram.com)z	Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cert.fnmt.es/dpcs/	Creal.exe, 00000002.00000002.3273533573.000002710DC00000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3275024704.000002710E6FA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274878907.000001981A59F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819990000.00000004.00000020.00020000.00000000.sdmp	false		high
https://img.shields.io/pypi/v/importlib_metadata.svg	Creal.exe, 00000007.00000003.2221248662.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/jaraco/jaraco.functools/issues/5	Creal.exe, 00000002.00000002.3274546348.000002710E0D0000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2038521530.000002710D82A000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274402392.0000019819F90000.00000004.00001000.00020000.00000000.sdmp	false		high
https://pornhub.com)z	Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.accv.es00	Creal.exe, 00000002.00000002.3273533573.000002710DC00000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3273533573.000002710DE65000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274131424.0000019819D3B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.rfc-editor.org/info/rfc7253	Creal.exe, 00000002.00000002.3275182087.000002710E769000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/issues	Creal.exe, 00000007.00000003.2212389003.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	Creal.exe, 00000002.00000002.3273533573.000002710DD89000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2252503496.0000019819BFE000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819BFE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mahler:8092/site-updates.py	Creal.exe, 00000002.00000003.2038726837.000002710DCFF000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2038752381.000002710DCBB000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3273533573.000002710DC9A000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819990000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000003.2239166710.0000019819AD9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.gofile.io/getServerr	Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc7231#section-4.3.6)	Creal.exe, 00000002.00000002.3273533573.000002710DC9A000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273072089.0000019819590000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cryptography.io/	Creal.exe, 00000007.00000003.2212389003.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#https-proxy-error-http-proxy	Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.firmaprofesional.com/cps0	Creal.exe, 00000002.00000002.3273533573.000002710DD89000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000002.3275024704.000002710E6FA000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274878907.000001981A59F000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819990000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec	Creal.exe, 00000002.00000002.3272386577.000002710D130000.00000004.00001000.00020000.00000000.sdmp	false		high
https://netflix.com)	Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	false		high
https://gmail.com)	Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crl0	Creal.exe, 00000002.00000002.3273533573.000002710DD19000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data	Creal.exe, 00000002.00000002.3272852196.000002710D390000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2034680927.000002710D3C2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2035696816.000002710D3BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2035087329.000002710D3C0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2035299664.000002710D3C2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2035891536.000002710D3C2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2034389160.000002710D3C0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2036517173.000002710D3BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2034159771.000002710D3C3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000002.00000003.2036158256.000002710D3BD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3272835079.0000019819250000.00000004.00000020.00020000.00000000.sdmp	false		high
https://outlook.com)	Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/importlib_metadata/actions?query=workflow%3A%22tests%22	Creal.exe, 00000007.00000003.2221248662.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	false		high
https://w3c.github.io/html/sec-forms.html#multipart-form-data	Creal.exe, 00000002.00000002.3273533573.000002710DD19000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps0	Creal.exe, 00000002.00000002.3274326927.000002710DF8E000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3273426350.0000019819B53000.00000004.00000020.00020000.00000000.sdmp	false		high
https://binance.com)	Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	false		high
https://epicgames.com)z	Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cryptography.io/en/latest/changelog/	Creal.exe, 00000000.00000003.2014869136.00000254DA855000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2212389003.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	false		high
https://youtube.com)z	Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://spotify.com)	Creal.exe, 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps5	Creal.exe, 00000002.00000002.3274326927.000002710DF8E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://spotify.com)z	Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mail.python.org/mailman/listinfo/cryptography-dev	Creal.exe, 00000000.00000003.2014869136.00000254DA855000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000007.00000003.2212389003.0000026DDBC36000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/setuptools/issues/new?template=distutils-deprecation.yml	Creal.exe, 00000008.00000002.3274596226.000001981A190000.00000004.00001000.00020000.00000000.sdmp	false		high
http://cacerts.digiY	Creal.exe, 00000007.00000003.2211228015.0000026DDBC40000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.python.org/library/itertools.html#recipes	Creal.exe, 00000002.00000002.3274456628.000002710DFD0000.00000004.00001000.00020000.00000000.sdmp, Creal.exe, 00000008.00000002.3274301567.0000019819E90000.00000004.00001000.00020000.00000000.sdmp	false		high
https://yahoo.com)z	Creal.exe, 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/users/	Creal.exe, 00000008.00000002.3274690309.000001981A290000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
45.112.123.126	api.gofile.io	Singapore	16509	AMAZON-02US	false
34.160.111.145	ifconfig.me	United States	2686	ATGS-MMD-ASUS	false
104.26.13.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
159.89.102.253	geolocation-db.com	United States	14061	DIGITALOCEAN-ASNUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1553263
Start date and time:	2024-11-10 17:24:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Creal.exe
Detection:	MAL
Classification:	mal96.troj.adwa.spyw.winEXE@16/193@4/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
VT rate limit hit for: Creal.exe

Simulations

Behavior and APIs

Time	Type	Description
11:25:04	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.112.123.126	#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe	Get hash	malicious	Blank Grabber, Creal Stealer	Browse
	https://gofile.io/d/IAr464	Get hash	malicious	Unknown	Browse
	https://gofile.io/d/IAr464	Get hash	malicious	Phisher	Browse
	https://gofile.io/d/IAr464	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.FileRepMalware.22561.28030.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse
	SecuriteInfo.com.Win64.Malware-gen.13500.20938.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse
	SecuriteInfo.com.Win64.Malware-gen.4046.15809.exe	Get hash	malicious	Unknown	Browse
	General Agreement.docx.exe	Get hash	malicious	Python Stealer, Babadeda, Exela Stealer, Waltuhium Grabber	Browse
	NdEIhUToOm.exe	Get hash	malicious	Exela Stealer, Python Stealer	Browse
	LgZMfpsDaL.exe	Get hash	malicious	Exela Stealer, Growtopia, Python Stealer	Browse
34.160.111.145	#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe	Get hash	malicious	Blank Grabber, Creal Stealer	Browse	ifconfig.me/
	SecuriteInfo.com.Variant.Fragtor.599953.20231.7803.exe	Get hash	malicious	DarkGate, MailPassView	Browse	myexternalip.com/raw
	mek_n_bat.bat	Get hash	malicious	Unknown	Browse	ifconfig.me/ip
	dtyb0ut8vV	Get hash	malicious	Unknown	Browse	ifconfig.me/
	file.exe	Get hash	malicious	Unknown	Browse	/
	file.exe	Get hash	malicious	Unknown	Browse	/
	L9ck4BoFjc.ps1	Get hash	malicious	Unknown	Browse	ifconfig.me/
	a3d1ef821849f015365076467994986ebf47905ffcc4f16761d222e1155abd10ba229aa11e70694c70523e9cbfd0eba5.dll	Get hash	malicious	Unknown	Browse	ifconfig.me/ip
	a3d1ef821849f015365076467994986ebf47905ffcc4f16761d222e1155abd10ba229aa11e70694c70523e9cbfd0eba5.dll	Get hash	malicious	Unknown	Browse	ifconfig.me/ip
	6XAaqIWeJt.jar	Get hash	malicious	Unknown	Browse	myexternalip.com/raw
104.26.13.205	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.gofile.io	#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe	Get hash	malicious	Blank Grabber, Creal Stealer	Browse	45.112.123.126
	https://gofile.io/d/IAr464	Get hash	malicious	Unknown	Browse	45.112.123.126
	https://gofile.io/d/IAr464	Get hash	malicious	Phisher	Browse	45.112.123.126
	https://gofile.io/d/IAr464	Get hash	malicious	Unknown	Browse	45.112.123.126
	SecuriteInfo.com.FileRepMalware.22561.28030.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse	45.112.123.126
	SecuriteInfo.com.Win64.Malware-gen.13500.20938.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse	45.112.123.126
	SecuriteInfo.com.Win64.Malware-gen.4046.15809.exe	Get hash	malicious	EICAR	Browse	104.251.123.67
	SecuriteInfo.com.Win64.Malware-gen.4046.15809.exe	Get hash	malicious	Unknown	Browse	45.112.123.126
	General Agreement.docx.exe	Get hash	malicious	Python Stealer, Babadeda, Exela Stealer, Waltuhium Grabber	Browse	45.112.123.126
	NdEIhUToOm.exe	Get hash	malicious	Exela Stealer, Python Stealer	Browse	45.112.123.126
ifconfig.me	#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe	Get hash	malicious	Blank Grabber, Creal Stealer	Browse	34.160.111.145
	mek_n_bat.bat	Get hash	malicious	Unknown	Browse	34.160.111.145
	6Ek4nfs2y1.exe	Get hash	malicious	PhoenixKeylogger, PureLog Stealer	Browse	34.117.118.44
	uJ5c4dQ44E.exe	Get hash	malicious	Unknown	Browse	34.117.118.44
	uJ5c4dQ44E.exe	Get hash	malicious	Unknown	Browse	34.117.118.44
	SecuriteInfo.com.Trojan.MulDrop26.50476.18658.7474.exe	Get hash	malicious	Unknown	Browse	34.117.118.44
	SecuriteInfo.com.Trojan.MulDrop26.50476.18658.7474.exe	Get hash	malicious	Unknown	Browse	34.117.118.44
	Jv7Z27rOoW.exe	Get hash	malicious	Unknown	Browse	34.117.118.44
	Jv7Z27rOoW.exe	Get hash	malicious	Unknown	Browse	34.117.118.44
	file.exe	Get hash	malicious	Unknown	Browse	34.117.118.44
api.ipify.org	#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe	Get hash	malicious	Blank Grabber, Creal Stealer	Browse	104.26.12.205
	ypauPrrA08.exe	Get hash	malicious	Ades Stealer, BlackGuard, VEGA Stealer	Browse	104.26.13.205
	Sara.exe.bin.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	Sara.exe.bin.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	6G1YhrEmQu.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	pago de PEDIDO PROFORMA.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://thrifty-wombat-mjszmd.mystrikingly.com/	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://www.canva.com/design/DAGVsvWsNbI/iZzU0BNPZvRGZSXgumDARw/view?utm_content=DAGVsvWsNbI&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	104.26.12.205
	TtyCIqbov8.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Play-Audio_Vmail_Ach Statement Credi....html	Get hash	malicious	HtmlDropper	Browse	172.67.74.152
geolocation-db.com	#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe	Get hash	malicious	Blank Grabber, Creal Stealer	Browse	159.89.102.253
	https://mlbmajorlossbuilders.hbportal.co/flow/66fdd3a6c031cc001f728831/view?hash=54079a777636a614d8d961b5b9a96a5f	Get hash	malicious	Unknown	Browse	159.89.102.253
	https://www.newtoin.com/	Get hash	malicious	Unknown	Browse	159.89.102.253
	https://hayanami-4df5b.web.app/verifyDelivery	Get hash	malicious	Unknown	Browse	159.89.102.253
	https://hayanami-4df5b.firebaseapp.com/verifyDelivery	Get hash	malicious	Unknown	Browse	159.89.102.253
	HyZh4pn0RF.exe	Get hash	malicious	Creal Stealer	Browse	159.89.102.253
	FW PO 20240729TTPI 20240729TT.eml	Get hash	malicious	HTMLPhisher	Browse	159.89.102.253
	231210-10-Creal-33652f.exe	Get hash	malicious	Creal Stealer	Browse	159.89.102.253
	GE AEROSPACE USA - WIRE REMITTANCE_.xlsx	Get hash	malicious	HTMLPhisher	Browse	159.89.102.253
	AWB#803790 .htm	Get hash	malicious	Unknown	Browse	159.89.102.253

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	17312555432bcbd00414ec1c141b698268dc6112a629b7da7379b907daaee7a87ea4e066bb444.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe	Get hash	malicious	Blank Grabber, Creal Stealer	Browse	104.26.12.205
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	Downloads.zip	Get hash	malicious	CobaltStrike	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	XOr3Kqyo9n.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	file.exe	Get hash	malicious	LummaC, Stealc	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	172.67.213.173
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	188.114.96.3
ATGS-MMD-ASUS	#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe	Get hash	malicious	Blank Grabber, Creal Stealer	Browse	34.160.111.145
	yakuza.m68k.elf	Get hash	malicious	Unknown	Browse	57.244.211.109
	yakuza.arm4.elf	Get hash	malicious	Unknown	Browse	33.8.67.53
	botnet.sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	57.144.190.222
	botnet.spc.elf	Get hash	malicious	Mirai, Moobot	Browse	57.159.9.27
	botnet.x86.elf	Get hash	malicious	Mirai, Moobot	Browse	32.250.225.174
	shindemips.elf	Get hash	malicious	Unknown	Browse	57.157.171.77
	botnet.m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	51.205.229.35
	5r3fqt67ew531has4231.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse	51.226.145.24
	yakuza.x86.elf	Get hash	malicious	Unknown	Browse	57.140.205.170
AMAZON-02US	#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe	Get hash	malicious	Blank Grabber, Creal Stealer	Browse	45.112.123.126
	la.bot.arm7.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	yakuza.mips.elf	Get hash	malicious	Unknown	Browse	3.135.130.56
	yakuza.m68k.elf	Get hash	malicious	Unknown	Browse	18.138.65.188
	yakuza.arm4.elf	Get hash	malicious	Unknown	Browse	52.199.99.11
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	shindeVi686.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	shindeVx86.elf	Get hash	malicious	Unknown	Browse	54.217.10.153
	shindeVarm.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	botnet.sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	108.157.7.31

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_ARC4.pyd	#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe	Get hash	malicious	Blank Grabber, Creal Stealer	Browse
	https://t.ly/Oppenheim0511	Get hash	malicious	GO Backdoor	Browse
	RobCheat.exe	Get hash	malicious	Python Stealer, CStealer	Browse
	SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe	Get hash	malicious	Python Stealer, BLX Stealer, XLABB Grabber	Browse
	SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe	Get hash	malicious	Python Stealer, BLX Stealer, XLABB Grabber	Browse
	SecuriteInfo.com.Win64.Malware-gen.32485.11504.exe	Get hash	malicious	Python Stealer, Braodo	Browse
	grA6aqodO5.exe	Get hash	malicious	Python Stealer, CStealer	Browse
	oconsole.exe	Get hash	malicious	Unknown	Browse
	oconsole.exe	Get hash	malicious	Unknown	Browse
	R6IuO0fzec.exe	Get hash	malicious	Python Stealer, CStealer	Browse
C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_Salsa20.pyd	#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe	Get hash	malicious	Blank Grabber, Creal Stealer	Browse
	https://t.ly/Oppenheim0511	Get hash	malicious	GO Backdoor	Browse
	RobCheat.exe	Get hash	malicious	Python Stealer, CStealer	Browse
	SecuriteInfo.com.Trojan.PWS.Stealer.39881.9434.15338.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe	Get hash	malicious	Python Stealer, BLX Stealer, XLABB Grabber	Browse
	SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe	Get hash	malicious	Python Stealer, BLX Stealer, XLABB Grabber	Browse
	SecuriteInfo.com.Win64.Malware-gen.32485.11504.exe	Get hash	malicious	Python Stealer, Braodo	Browse
	grA6aqodO5.exe	Get hash	malicious	Python Stealer, CStealer	Browse
	oconsole.exe	Get hash	malicious	Unknown	Browse
	oconsole.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_ARC4.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	4.640339306680604
Encrypted:	false
SSDEEP:	192:dLklddyTHThob0q/tJRrlDfNYSOcqgYCWt:ZgcdZq/JJD6gRWt
MD5:	BCD8CAAF9342AB891BB1D8DD45EF0098
SHA1:	EE7760BA0FF2548F25D764F000EFBB1332BE6D3E
SHA-256:	78725D2F55B7400A3FCAFECD35AF7AEB253FBC0FFCDF1903016EB0AABD1B4E50
SHA-512:	8B6FB53AECB514769985EBFDAB1B3C739024597D9C35905E04971D5422256546F7F169BF98F9BAF7D9F42A61CFF3EE7A20664989D3000773BF5EDA10CB3A0C24
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: RobCheat.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Malware-gen.32485.11504.exe, Detection: malicious, Browse Filename: grA6aqodO5.exe, Detection: malicious, Browse Filename: oconsole.exe, Detection: malicious, Browse Filename: oconsole.exe, Detection: malicious, Browse Filename: R6IuO0fzec.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^J.6?$.6?$.6?$.?G..2?$.dJ%.4?$.}G%.5?$.6?%..?$.dJ!.<?$.dJ .>?$.dJ'.5?$..J,.7?$..J$.7?$..J..7?$..J&.7?$.Rich6?$.........................PE..d...Y..f.........." ................P........................................p............`..........................................'......0(..d....P.......@...............`..(....!...............................!..8............ ...............................text............................... ..`.rdata..Z.... ......................@..@.data...H....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......(..............@..@.reloc..(....`.......*..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_Salsa20.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.0194545642425075
Encrypted:	false
SSDEEP:	192:4t/1nCuqaL0kt7AznuRmceS4lDFhAlcqgcLg:F/k1ACln4lDogcLg
MD5:	F19CB847E567A31FAB97435536C7B783
SHA1:	4C8BFE404AF28C1781740E7767619A5E2D2FF2B7
SHA-256:	1ECE1DC94471D6977DBE2CEEBA3764ADF0625E2203D6257F7C781C619D2A3DAD
SHA-512:	382DC205F703FC3E1F072F17F58E321E1A65B86BE7D9D6B07F24A02A156308A7FEC9B1A621BA1F3428FD6BB413D14AE9ECB2A2C8DD62A7659776CFFDEBB6374C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: RobCheat.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.PWS.Stealer.39881.9434.15338.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Malware-gen.32485.11504.exe, Detection: malicious, Browse Filename: grA6aqodO5.exe, Detection: malicious, Browse Filename: oconsole.exe, Detection: malicious, Browse Filename: oconsole.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.j.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...Z..f.........." ................P.....................................................`..........................................8......H9..d....`.......P..L............p..(....1...............................1..8............0...............................text...h........................... ..`.rdata..r....0......................@..@.data...H....@.......,..............@....pdata..L....P......................@..@.rsrc........`.......2..............@..@.reloc..(....p.......4..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_chacha20.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.037456384995606
Encrypted:	false
SSDEEP:	192:st/1nCuqaL0ktPMn1ENe3erKr5br0YbsiDw6a9lkOcqgRGd:p/kpMIodrXbsiDS95gRGd
MD5:	DC14677EA8A8C933CC41F9CCF2BEDDC1
SHA1:	A6FB87E8F3540743097A467ABE0723247FDAF469
SHA-256:	68F081E96AE08617CF111B21EDED35C1774A5EF1223DF9A161C9445A78F25C73
SHA-512:	3ABA4CFCBBE4B350AB3230D488BD75186427E3AAAF38D19E0E1C7330F16795AD77FB6E26FF39AF29EAF4F5E8C42118CB680F90AFBFCA218AEDA64DC444675BA2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.j.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...Z..f.........." ................P.....................................................`......................................... 8.......8..d....`.......P..d............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......*..............@....pdata..d....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..(....p.......2..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_pkcs1_decode.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.09191874780435
Encrypted:	false
SSDEEP:	192:rMVsiXeqVb0lIb0Pj5Jdfpm68WZDInU282tacqgYLg:rM7ali0Pj5JxCaDuUlgYLg
MD5:	C09BB8A30F0F733C81C5C5A3DAD8D76D
SHA1:	46FD3BA87A32D12F4EE14601D1AD73B78EDC81D1
SHA-256:	8A1B751DB47CE7B1D3BD10BEBFFC7442BE4CFB398E96E3B1FF7FB83C88A8953D
SHA-512:	691AC74FAE930E9CEABE782567EFB99C50DD9B8AD607DD7F99A5C7DF2FA2BEB7EDFE2EBB7095A72DA0AE24E688FBABD340EAE8B646D5B8C394FEE8DDD5E60D31
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^:.6?T.6?T.6?T.?G..2?T.dJU.4?T.}GU.5?T.6?U..?T.dJQ.<?T.dJP.>?T.dJW.5?T..J\.7?T..JT.7?T..J..7?T..JV.7?T.Rich6?T.........................PE..d...X..f.........." ................P.....................................................`.........................................`8.......8..d....`.......P..(............p..(....1...............................1..8............0...............................text............................... ..`.rdata..6....0....... ..............@..@.data...x....@......................@....pdata..(....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..(....p.......6..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_aes.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	6.541423493519083
Encrypted:	false
SSDEEP:	384:f/UlZA5PUEllvxL/7v/iKBt5ByU0xGitqzSEkxGG7+tpKHb/LZ7fr52EkifcMxme:klcR7JriEbwDaS4j990th9VDBV
MD5:	0AB25F99CDAACA6B11F2ECBE8223CAD5
SHA1:	7A881B3F84EF39D97A31283DE6D7B7AE85C8BAE6
SHA-256:	6CE8A60D1AB5ADC186E23E3DE864D7ADF6BDD37E3B0C591FA910763C5C26AF60
SHA-512:	11E89EEF34398DF3B144A0303E08B3A4CAF41A9A8CA618C18135F561731F285F8CF821D81179C2C45F6EEB0E496D9DD3ECF6FF202A3C453C80AFEF8582D06C17
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^J.6?$.6?$.6?$.?G..2?$.dJ%.4?$.}G%.5?$.6?%..?$.dJ!.<?$.dJ .>?$.dJ'.5?$..J,.7?$..J$.7?$..J..7?$..J&.7?$.Rich6?$.........................PE..d...V..f.........." .....H...H......P.....................................................`.........................................p...........d...............................0......................................8............`...............................text...xG.......H.................. ..`.rdata.."6...`...8...L..............@..@.data...H...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..0...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_aesni.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.367749645917753
Encrypted:	false
SSDEEP:	192:YiJBj5fq/Rk0kPLhOZ3UucCWuSKPEkA2bD9JXx03cqg5YUMLgs:/k1kTMZEjCWNaA2DTx0g5YUMLg
MD5:	B6EA675C3A35CD6400A7ECF2FB9530D1
SHA1:	0E41751AA48108D7924B0A70A86031DDE799D7D6
SHA-256:	76EF4C1759B5553550AB652B84F8E158BA8F34F29FD090393815F06A1C1DC59D
SHA-512:	E31FD33E1ED6D4DA3957320250282CFD9EB3A64F12DE4BD2DFE3410F66725164D96B27CAA34C501D1A535A5A2442D5F070650FD3014B4B92624EE00F1C3F3197
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.z.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...V..f.........." ......... ......P.....................................................`..........................................9......$:..d....`.......P...............p..(....1...............................1..8............0.. ............................text............................... ..`.rdata.......0......."..............@..@.data...8....@.......2..............@....pdata.......P.......4..............@..@.rsrc........`.......8..............@..@.reloc..(....p.......:..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_arc2.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	5.41148259289073
Encrypted:	false
SSDEEP:	192:w3d9FkHaz0EJvrj+CYuz7ucc9dG7otDr22KcqgOiewZjW:YkHEJzj+X6769lDzagO/w
MD5:	F14E1AA2590D621BE8C10321B2C43132
SHA1:	FD84D11619DFFDF82C563E45B48F82099D9E3130
SHA-256:	FCE70B3DAFB39C6A4DB85D2D662CB9EB9C4861AA648AD7436E7F65663345D177
SHA-512:	A86B9DF163007277D26F2F732ECAB9DBCA8E860F8B5809784F46702D4CEA198824FDEF6AB98BA7DDC281E8791C10EABA002ABDA6F975323B36D5967E0443C1E4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...W..f.........." ....."... ......P.....................................................`.........................................pI.......J..d....p.......`..................(....B...............................B..8............@...............................text...( .......".................. ..`.rdata..<....@.......&..............@..@.data...H....P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..(............>..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_blowfish.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20992
Entropy (8bit):	6.041302713678401
Encrypted:	false
SSDEEP:	384:kUX0JfbRz5MLZA0nmwzMDYpJgLa0Mp8NDBcxgprAM:6NbRzWXwDqgLa1uBfP
MD5:	B127CAE435AEB8A2A37D2A1BC1C27282
SHA1:	2A7BF8BF7F24B2381370BA6B41FB640EE42BDCCD
SHA-256:	538B1253B5929254ED92129FA0957DB26CDDF34A8372BA0BF19D20D01549ADA3
SHA-512:	4FE027E46D5132CA63973C67BD5394F2AC74DD4BBCFE93CB16136FAB4B6BF67BECB5A0D4CA359FF9426DA63CA81F793BBF1B79C8A9D8372C53DCB5796D17367E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...W..f.........." .....$...0......P.....................................................`.........................................0Y.......Y..d............p..................0....Q...............................R..8............@...............................text....".......$.................. ..`.rdata.......@... ...(..............@..@.data...H....`.......H..............@....pdata.......p.......J..............@..@.rsrc................N..............@..@.reloc..0............P..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_cast.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	6.530656045206549
Encrypted:	false
SSDEEP:	384:cEDwUBi9SPu71omZXmrfXA+UA10ol31tuXVYdAgYj:FsUBXmoEXmrXA+NNxWFYfo
MD5:	2E15AA6F97ED618A3236CFA920988142
SHA1:	A9D556D54519D3E91FA19A936ED291A33C0D1141
SHA-256:	516C5EA47A7B9A166F2226ECBA79075F1A35EFFF14D87E00006B34496173BB78
SHA-512:	A6C75C4A285753CC94E45500E8DD6B6C7574FB7F610FF65667F1BEC8D8B413FC10514B7D62F196C2B8D017C308C5E19E2AEF918021FA81D0CB3D8CED37D8549A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.j.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...W..f.........." .....$...>............................................................`..........................................h.......i..d...............................0....a...............................a..8............@...............................text....#.......$.................. ..`.rdata..:-...@.......(..............@..@.data...H....p.......V..............@....pdata...............X..............@..@.rsrc................\..............@..@.reloc..0............^..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_cbc.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.7080156150187396
Encrypted:	false
SSDEEP:	192:lF/1n7Guqaj0ktfEJwX1fYwCODR3lncqg0Gd6l:RGXkJEm1feODxDg0Gd6
MD5:	40390F2113DC2A9D6CFAE7127F6BA329
SHA1:	9C886C33A20B3F76B37AA9B10A6954F3C8981772
SHA-256:	6BA9C910F755885E4D356C798A4DD32D2803EA4CFABB3D56165B3017D0491AE2
SHA-512:	617B963816838D649C212C5021D7D0C58839A85D4D33BBAF72C0EC6ECD98B609080E9E57AF06FA558FF302660619BE57CC974282826AB9F21AE0D80FBAA831A1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...X..f.........." ................P.....................................................`..........................................8.......8..d....`.......P..X............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..(....p......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_cfb.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	5.159963979391524
Encrypted:	false
SSDEEP:	192:kblRgfeqfz0RP767fB4A84DgVD6eDcqgzbkLgmf:BwRj67p84Dg6eVgzbkLgmf
MD5:	899895C0ED6830C4C9A3328CC7DF95B6
SHA1:	C02F14EBDA8B631195068266BA20E03210ABEABC
SHA-256:	18D568C7BE3E04F4E6026D12B09B1FA3FAE50FF29AC3DEAF861F3C181653E691
SHA-512:	0B4C50E40AF92BC9589668E13DF417244274F46F5A66E1FC7D1D59BC281969BA319305BECEA119385F01CC4603439E4B37AFA2CF90645425210848A02839E3E7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^..6?..6?..6?..?G..2?..dJ..4?..}G..5?..6?...?..dJ..<?..dJ..>?..dJ..5?...J..7?...J..7?...Jk.7?...J..7?..Rich6?..................PE..d...Y..f.........." ................P.....................................................`..........................................8......x9..d....`.......P..d............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......(..............@....pdata..d....P.......*..............@..@.rsrc........`......................@..@.reloc..(....p.......0..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_ctr.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.270418334522813
Encrypted:	false
SSDEEP:	192:vktJ1gifqQGRk0IP73AdXdmEEEEEm9uhiFEQayDZVMcqgnF6+6Lg:vkdU1ID3AdXd49urQPDggnUjLg
MD5:	C4C525B081F8A0927091178F5F2EE103
SHA1:	A1F17B5EA430ADE174D02ECC0B3CB79DBF619900
SHA-256:	4D86A90B2E20CDE099D6122C49A72BAE081F60EB2EEA0F76E740BE6C41DA6749
SHA-512:	7C06E3E6261427BC6E654B2B53518C7EAA5F860A47AE8E80DC3F8F0FED91E122CB2D4632188DC44123FB759749B5425F426CD1153A8F84485EF0491002B26555
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^z.6?..6?..6?..?G..2?..dJ..4?..}G..5?..6?...?..dJ..<?..dJ..>?..dJ..5?...J..7?...J..7?...J..7?...J..7?..Rich6?..........................PE..d...Y..f.........." ......... ......P.....................................................`.........................................`9.......:..d....`.......P...............p..(....1...............................1..8............0.. ............................text............................... ..`.rdata.......0....... ..............@..@.data........@.......0..............@....pdata.......P.......2..............@..@.rsrc........`.......6..............@..@.reloc..(....p.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_des.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	56832
Entropy (8bit):	4.231032526864278
Encrypted:	false
SSDEEP:	384:0qcmHBeNL1dO/qHkpnYcZiGKdZHDLY84vnKAnK2rZA21agVF:fEiqHHx4vZDV
MD5:	F9E266F763175B8F6FD4154275F8E2F0
SHA1:	8BE457700D58356BC2FA7390940611709A0E5473
SHA-256:	14D2799BE604CBDC668FDE8834A896EEE69DAE0E0D43B37289FCCBA35CEF29EC
SHA-512:	EB3E37A3C3FF8A65DEF6FA20941C8672A8197A41977E35AE2DC6551B5587B84C2703758320559F2C93C0531AD5C9D0F6C36EC5037669DC5CE78EB3367D89877B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........PK..1%..1%..1%..I...1%.D$..1%.I$..1%..1$..1%.D ..1%.D!..1%.D&..1%..D-..1%..D%..1%..D...1%..D'..1%.Rich.1%.........................PE..d...X..f.........." .....6...................................................0............`.................................................\...d...............l............ ..0... ...............................@...8............P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...H...........................@....pdata..l...........................@..@.rsrc...............................@..@.reloc..0.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_des3.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	4.252429732285762
Encrypted:	false
SSDEEP:	384:J4cmHBeIzNweVy/CHkRnYcZiGKdZHDLq80vnKAnKBrZGsURygUX:GEO6CHnX0vZb7
MD5:	DECF524B2D53FCD7D4FA726F00B3E5FC
SHA1:	E87C6ED4004F2772B888C5B5758AA75FE99D2F6F
SHA-256:	58F7053EE70467D3384C73F299C0DFD63EEF9744D61D1980D9D2518974CA92D4
SHA-512:	EAFF4FD80843743E61CE635FBADF4E5D9CF2C3E97F3C48350BD9E755F4423AC6867F9FE8746BD5C54E1402B18E8A55AEEF7ACA098C7CF4186DC4C1235EB35DF2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........PK..1%..1%..1%..I...1%.D$..1%.I$..1%..1$..1%.D ..1%.D!..1%.D&..1%..D-..1%..D%..1%..D...1%..D'..1%.Rich.1%.........................PE..d...X..f.........." .....8...................................................0............`.....................................................d............................ ..0... ...............................@...8............P...............................text...X7.......8.................. ..`.rdata......P.......<..............@..@.data...H...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..0.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_ecb.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.690163963718492
Encrypted:	false
SSDEEP:	192:Yddz2KTnThIz0qfteRY4zp+D3PLui8p1cqgHCWt:k2E9RqfCXp+D3juRpLgiWt
MD5:	80BB1E0E06ACAF03A0B1D4EF30D14BE7
SHA1:	B20CAC0D2F3CD803D98A2E8A25FBF65884B0B619
SHA-256:	5D1C2C60C4E571B88F27D4AE7D22494BED57D5EC91939E5716AFA3EA7F6871F6
SHA-512:	2A13AB6715B818AD62267AB51E55CD54714AEBF21EC9EA61C2AEFD56017DC84A6B360D024F8682A2E105582B9C5FE892ECEBD2BEF8A492279B19FFD84BC83FA5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@................../....../...../......+.......*......-......&....................,....Rich...........................PE..d...X..f.........." ................P........................................p............`.........................................0'.......'..P....P.......@...............`..(....!...............................!..8............ ...............................text............................... ..`.rdata....... ......................@..@.data...H....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..(....`.......&..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_eksblowfish.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	6.1215844022564285
Encrypted:	false
SSDEEP:	384:nUX0JfbRwUtPMbNv37t6K5jwbDEpJgLa0Mp8xCkgJrAm:jNbRw8EbxwKBwbD+gLa1nh
MD5:	3727271FE04ECB6D5E49E936095E95BC
SHA1:	46182698689A849A8C210A8BF571D5F574C6F5B1
SHA-256:	3AF5B35DCD5A3B6C7E88CEE53F355AAFFF40F2C21DABD4DE27DBB57D1A29B63B
SHA-512:	5BED1F4DF678FE90B8E3F1B7C4F68198463E579209B079CB4A40DCAC01CE26AA2417DBE029B196F6F2C6AFAD560E2D1AF9F089ABE37EAD121CA10EE69D9659ED
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...W..f.........." .....(...0......P.....................................................`.........................................0Y.......Y..d............p..................0....Q...............................R..8............@...............................text...H'.......(.................. ..`.rdata.......@... ...,..............@..@.data...H....`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..0............T..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_ocb.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	5.293810509074883
Encrypted:	false
SSDEEP:	384:4PHoDUntQjNB+/yw/pogeXOvXoTezczOo3p9iJgDQ3iNgnVbwhA:dUOhBcDRogeXOfoTezcio3pUJgDQ3i+
MD5:	78AEF441C9152A17DD4DC40C7CC9DF69
SHA1:	6BB6F8426AFA6522E647DFC82B1B64FAF3A9781F
SHA-256:	56E4E4B156295F1AAA22ECB5481841DE2A9EB84845A16E12A7C18C7C3B05B707
SHA-512:	27B27E77BE81B29D42359FE28531225383860BCD19A79044090C4EA58D9F98009A254BF63585979C60B3134D47B8233941ABB354A291F23C8641A4961FA33107
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...Y..f.........." .....(... ......P.....................................................`.........................................pI......lJ..d....p.......`..................(....A...............................A..8............@...............................text....'.......(.................. ..`.rdata.......@.......,..............@..@.data........P.......<..............@....pdata.......`.......>..............@..@.rsrc........p.......B..............@..@.reloc..(............D..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_ofb.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	4.862619033406922
Encrypted:	false
SSDEEP:	96:0Ga+F/1NtJ9t4udqaj01rlALnNNJSS2sP+YEdMN+F9FdKaWDULk+VOmWbucX6gR7:PF/1n7Guqaj0ktfEON+bMDUlJcqg0Gd
MD5:	19E0ABF76B274C12FF624A16713F4999
SHA1:	A4B370F556B925F7126BF87F70263D1705C3A0DB
SHA-256:	D9FDA05AE16C5387AB46DC728C6EDCE6A3D0A9E1ABDD7ACB8B32FC2A17BE6F13
SHA-512:	D03033EA5CF37641FBD802EBEB5019CAEF33C9A78E01519FEA88F87E773DCA92C80B74BA80429B530694DAD0BFA3F043A7104234C7C961E18D48019D90277C8E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...Y..f.........." ................P.....................................................`..........................................8.......8..d....`.......P..X............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......$..............@....pdata..X....P.......&..............@..@.rsrc........`.......*..............@..@.reloc..(....p.......,..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_BLAKE2b.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.227045547076371
Encrypted:	false
SSDEEP:	192:saF/1n7Guqaj0ktrE8o2o+V2rQnjt1wmg9jtveDn4clG6VcqgOvgdd:swGXkFE8Zo+AojO9jZeDf5rgOvgz
MD5:	309D6F6B0DD022EBD9214F445CAC7BB9
SHA1:	ABD22690B7AD77782CFC0D2393D0C038E16070B0
SHA-256:	4FBE188C20FB578D4B66349D50AA6FFE4AB86844FB6427C57738F36780D1E2E2
SHA-512:	D1951FE92F83E7774E8E877815BED6E6216D56EF18B7F1C369D678CB6E1814243659E9FA7ABC0D22FB5B34A9D50A51D5A89BA00AE1FDD32157FD0FF9902FB4B7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...U..f.........." ................P.....................................................`..........................................8.......9..d....`.......P..@............p..(....2...............................2..8............0...............................text...x........................... ..`.rdata.......0....... ..............@..@.data...H....@......................@....pdata..@....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..(....p.......6..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_BLAKE2s.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.176369829782773
Encrypted:	false
SSDEEP:	192:rF/1n7Guqaj0ktrESsrUW+SBjsK5tcQmEreD2mf1AoxkVcqgOvgXQ:rGXkFE/UW575tA2eDp1Ao2rgOvgX
MD5:	D54FEB9A270B212B0CCB1937C660678A
SHA1:	224259E5B684C7AC8D79464E51503D302390C5C9
SHA-256:	032B83F1003A796465255D9B246050A196488BAC1260F628913E536314AFDED4
SHA-512:	29955A6569CA6D039B35BB40C56AEEB75FC765600525D0B469F72C97945970A428951BAB4AF9CD21B3161D5BBA932F853778E2674CA83B14F7ABA009FA53566F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...U..f.........." ................P.....................................................`..........................................8.......9..d....`.......P..@............p..(....2...............................2..8............0...............................text...h........................... ..`.rdata.......0......................@..@.data...H....@.......,..............@....pdata..@....P......................@..@.rsrc........`.......2..............@..@.reloc..(....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_MD2.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.047563322651927
Encrypted:	false
SSDEEP:	384:6alCvH32p3/2pnEhKnLg9yH8puzoFaPERIQAvHD9CIg5kP:5CvHmp3OpnEhmLg9yH8puzoFaPERIQgI
MD5:	52DCD4151A9177CF685BE4DF48EA9606
SHA1:	F444A4A5CBAE9422B408420115F0D3FF973C9705
SHA-256:	D54375DC0652358A6E4E744F1A0EAEEAD87ACCD391A20D6FF324FE14E988A122
SHA-512:	64C54B89F2637759309ECC6655831C3A6755924ED70CBC51614061542EB9BA9A8AECF6951EB3AB92447247DC4D7D846C88F4957DBBE4484A9AB934343EE27178
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...Q..f.........." ......... ......P.....................................................`.........................................@9.......9..d....`.......P..(............p..(....2...............................2..8............0...............................text...X........................... ..`.rdata..@....0......................@..@.data...x....@......................@....pdata..(....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..(....p.......6..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_MD4.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.09893680790018
Encrypted:	false
SSDEEP:	192:xsiXeqVb0lwbH4P01sAD7I/9hAkwDWzBEbcqgqLg:valqH4M1sAD7KvpwDFtgqLg
MD5:	F929B1A3997427191E07CF52AC883054
SHA1:	C5EA5B68586C2FB09E5FDD20D4DD616D06F5CBA6
SHA-256:	5386908173074FABD95BF269A9DF0A4E1B21C0576923186F449ABF4A820F6A8E
SHA-512:	2C79DBCE2C21214D979AB86DD989D41A3AFA7FCB7F3B79BA9974E2EE8F832DD7CA20C1C87C0C380DB037D776FE6D0851D60AD55A08AFDE0003B7E59214DD2F3B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...R..f.........." ................P.....................................................`.........................................08.......8..d....`.......P..(............p..(....1...............................2..8............0...............................text............................... ..`.rdata..0....0......................@..@.data........@.......,..............@....pdata..(....P......................@..@.rsrc........`.......2..............@..@.reloc..(....p.......4..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_MD5.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.451865349855574
Encrypted:	false
SSDEEP:	384:KfwogDHER1wuiDSyoGTgDZOviNgEPrLg:ugDHELwuiDScTgDwi+EP
MD5:	1FA5E257A85D16E916E9C22984412871
SHA1:	1AC8EE98AD0A715A1B40AD25D2E8007CDC19871F
SHA-256:	D87A9B7CAD4C451D916B399B19298DC46AAACC085833C0793092641C00334B8E
SHA-512:	E4205355B647C6E28B7E4722328F51DC2EB3A109E9D9B90F7C53D7A80A5A4B10E40ABDDAB1BA151E73EF3EB56941F843535663F42DCE264830E6E17BB659EADF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...R..f.........." ..... ..........P.....................................................`..........................................8......`9..d....`.......P..X............p..(....1...............................1..8............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........@.......2..............@....pdata..X....P.......4..............@..@.rsrc........`.......8..............@..@.reloc..(....p.......:..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_RIPEMD160.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.104245335186531
Encrypted:	false
SSDEEP:	192:3F/1n7Guqaj0kt7/Ev9kt0Qwac6QzD8iD0QocqgI4G0S:nGXkd/EvGt9wacNDvAgI4v
MD5:	FAD578A026F280C1AE6F787B1FA30129
SHA1:	9A3E93818A104314E172A304C3D117B6A66BEB55
SHA-256:	74A1FF0801F4704158684267CD8E123F83FB6334FE522C1890AC4A0926F80AB1
SHA-512:	ACF8F5B382F3B4C07386505BBDCAF625D13BCC10AA93ED641833E3548261B0AD1063E2F59BE2FCD2AFAF3D315CB3FC5EB629CEFC168B33CFD65A3A6F1120F7FF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...U..f.........." ......... ......P.....................................................`..........................................9.......:..d....`.......P...............p..(...@3..............................`3..8............0...............................text...H........................... ..`.rdata.......0......................@..@.data...H....@.......,..............@....pdata.......P......................@..@.rsrc........`.......2..............@..@.reloc..(....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_SHA1.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	5.671305741258107
Encrypted:	false
SSDEEP:	384:APHoDUntQj0sKhDOJ+0QPSfu6rofDjiZzgE+kbwb:VUOYsKNO466DjoUE+
MD5:	556E6D0E5F8E4DA74C2780481105D543
SHA1:	7A49CDEF738E9FE9CD6CD62B0F74EAD1A1774A33
SHA-256:	247B0885CF83375211861F37B6DD1376AED5131D621EE0137A60FE7910E40F8B
SHA-512:	28FA0CE6BDBCC5E95B80AADC284C12658EF0C2BE63421AF5627776A55050EE0EA0345E30A15B744FC2B2F5B1B1BBB61E4881F27F6E3E863EBAAEED1073F4CDA1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h..9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...R..f.........." ...............P.....................................................`..........................................H......hI..d....p.......`..X...............(....A...............................A..8............@...............................text....).......*.................. ..`.rdata.......@......................@..@.data........P.......<..............@....pdata..X....`.......>..............@..@.rsrc........p.......B..............@..@.reloc..(............D..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_SHA224.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	5.878701941774916
Encrypted:	false
SSDEEP:	384:EJWo4IRCGHX1KXqHGcvYHp5RYcARQOj4MSTjqgPmJD1OhgkxEv:EcIRnHX1P/YtswvaD1Rk
MD5:	2F2655A7BBFE08D43013EDDA27E77904
SHA1:	33D51B6C423E094BE3E34E5621E175329A0C0914
SHA-256:	C734ABBD95EC120CB315C43021C0E1EB1BF2295AF9F1C24587334C3FCE4A5BE1
SHA-512:	8AF99ACC969B0E560022F75A0CDCAA85D0BDEADADEACD59DD0C4500F94A5843EA0D4107789C1A613181B1F4E5252134A485EF6B1D9D83CDB5676C5FEE4D49B90
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...S..f.........." .....6... ......P.....................................................`.........................................@Z......([..d............p..................(....R...............................R..8............P...............................text....5.......6.................. ..`.rdata..x....P.......:..............@..@.data........`.......J..............@....pdata.......p.......L..............@..@.rsrc................P..............@..@.reloc..(............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_SHA256.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	5.881781476285865
Encrypted:	false
SSDEEP:	384:EJWo4IRCGHXfKXqHGcvYHp5RYcARQOj4MSTjqgPmJD12gkxEv:EcIRnHXfP/YtswvaD1zk
MD5:	CDE035B8AB3D046B1CE37EEE7EE91FA0
SHA1:	4298B62ED67C8D4F731D1B33E68D7DC9A58487FF
SHA-256:	16BEA322D994A553B293A724B57293D57DA62BC7EAF41F287956B306C13FD972
SHA-512:	C44FDEE5A210459CE4557351E56B2D357FD4937F8EC8EACEAB842FEE29761F66C2262FCBAAC837F39C859C67FA0E23D13E0F60B3AE59BE29EB9D8ABAB0A572BB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...S..f.........." .....6... ......P.....................................................`.........................................@Z......([..d............p..................(....R...............................R..8............P...............................text....5.......6.................. ..`.rdata..x....P.......:..............@..@.data........`.......J..............@....pdata.......p.......L..............@..@.rsrc................P..............@..@.reloc..(............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_SHA384.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26624
Entropy (8bit):	5.837887867708438
Encrypted:	false
SSDEEP:	768:e839Cc4itui0gel9soFdkO66MlPGXmXcyYDTzks:Ns4u/FZ6nPxMLDvk
MD5:	999D431197D7E06A30E0810F1F910B9A
SHA1:	9BFF781221BCFFD8E55485A08627EC2A37363C96
SHA-256:	AB242B9C9FB662C6F7CB57F7648F33983D6FA3BB0683C5D4329EC2CC51E8C875
SHA-512:	A5DD92DD471ADB44EEFE5919EF9CA3978724E21174DF5B3A9C1F0AB462F928E5A46A460D02417DB7522F5DE3BFEED5EEE6B1EAFAF3E621722E85E72675F7096F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...T..f.........." .....H..."......P.....................................................`..........................................k.......l..d...............................(...pd...............................d..8............`...............................text....F.......H.................. ..`.rdata.......`.......L..............@..@.data................^..............@....pdata...............`..............@..@.rsrc................d..............@..@.reloc..(............f..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_SHA512.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26624
Entropy (8bit):	5.895310340516013
Encrypted:	false
SSDEEP:	768:lcX9Nf4ttui0gel9soFdkO66MlPGXmXc/vDTOvk:a38u/FZ6nPxM3DAk
MD5:	0931ABBF3AED459B1A2138B551B1D3BB
SHA1:	9EC0296DDAF574A89766A2EC035FC30073863AB0
SHA-256:	1729A0DC6B80CB7A3C07372B98B10D3C6C613EA645240878E1FDE6A992FA06F1
SHA-512:	9F970BB4D10B94F525DDDDE307C7DA5E672BBFB3A3866A34B89B56ADA99476724FD690A4396857182749294F67F36DB471A048789FB715D2A7DAF46917FC1947
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...T..f.........." .....H..."......P.....................................................`.........................................@l......(m..d...............................(....d...............................e..8............`...............................text...hG.......H.................. ..`.rdata..x....`.......L..............@..@.data................^..............@....pdata...............`..............@..@.rsrc................d..............@..@.reloc..(............f..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_ghash_clmul.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	4.967737129255606
Encrypted:	false
SSDEEP:	192:dMpWt/1nCuqaL0kt7TsEx2fiTgDZqGF0T7cqgkLgJ:k/k1Ts64DDJyBgkLg
MD5:	5F057A380BACBA4EF59C0611549C0E02
SHA1:	4B758D18372D71F0AA38075F073722A55B897F71
SHA-256:	BCB14DAC6C87C24269D3E60C46B49EFFB1360F714C353318F5BBAA48C79EC290
SHA-512:	E1C99E224745B86EE55822C1DBCB4555A11EC31B72D87B46514917EB61E0258A1C6D38C4F592969C17EB4F0F74DA04BCECA31CF1622720E95F0F20E9631792E8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^J.6?$.6?$.6?$.?G..2?$.dJ%.4?$.}G%.5?$.6?%..?$.dJ!.<?$.dJ .>?$.dJ'.5?$..J,.7?$..J$.7?$..J..7?$..J&.7?$.Rich6?$.........................PE..d...V..f.........." ................P.....................................................`.........................................P8.......8..d....`.......P...............p..(....1...............................1..8............0...............................text............................... ..`.rdata..2....0......................@..@.data...H....@.......(..............@....pdata.......P.......*..............@..@.rsrc........`......................@..@.reloc..(....p.......0..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_ghash_portable.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.007867576025166
Encrypted:	false
SSDEEP:	192:bMt/1nCuqaL0ktPH0T7fwtF4zDn2rGacqgRGd:1/kpU3Yv4zDXqgRGd
MD5:	49BCA1B7DF076D1A550EE1B7ED3BD997
SHA1:	47609C7102F5B1BCA16C6BAD4AE22CE0B8AEE9E9
SHA-256:	49E15461DCB76690139E71E9359F7FCF92269DCCA78E3BFE9ACB90C6271080B2
SHA-512:	8574D7FA133B72A4A8D1D7D9FDB61053BC88C2D238B7AC7D519BE19972B658C44EA1DE433885E3206927C75DD5D1028F74999E048AB73189585B87630F865466
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.j.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...V..f.........." ................P.....................................................`..........................................8.......8..d....`.......P..X............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......*..............@....pdata..X....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..(....p.......2..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_keccak.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	5.226023387740053
Encrypted:	false
SSDEEP:	384:rfRKTN+HLjRskTdf4WazSTkwjEvuY2bylHDiYIgovg:mcHfRl5pauoSjy5DiE
MD5:	CB5CFDD4241060E99118DEEC6C931CCC
SHA1:	1E7FED96CF26C9F4730A4621CA9D18CECE3E0BCE
SHA-256:	A8F809B6A417AF99B75EEEEA3ECD16BDA153CBDA4FFAB6E35CE1E8C884D899C4
SHA-512:	8A89E3563C14B81353D251F9F019D8CBF07CB98F78452B8522413C7478A0D77B9ABF2134E4438145D6363CDA39721D2BAE8AD13D1CDACCBB5026619D95F931CF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...U..f.........." ..... ... ......P.....................................................`..........................................9.......9..d....`.......P..X............p..(...p2...............................2..8............0...............................text............ .................. ..`.rdata..@....0.......$..............@..@.data........@.......4..............@....pdata..X....P.......6..............@..@.rsrc........`.......:..............@..@.reloc..(....p.......<..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Hash\_poly1305.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.262055670423592
Encrypted:	false
SSDEEP:	192:C/ZN2eq/b04PAHH41F6fnVS0sVn+5CA5Z1cD66WGcqgFjLg:vI4IHHaQfSVnCZyDImgFjLg
MD5:	18D2D96980802189B23893820714DA90
SHA1:	5DEE494D25EB79038CBC2803163E2EF69E68274C
SHA-256:	C2FD98C677436260ACB9147766258CB99780A007114AED37C87893DF1CF1A717
SHA-512:	0317B65D8F292332C5457A6B15A77548BE5B2705F34BB8F4415046E3E778580ABD17B233E6CC2755C991247E0E65B27B5634465646715657B246483817CACEB7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...V..f.........." ................P.....................................................`..........................................8.......9..d....`.......P..\|............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......."..............@..@.data........@.......0..............@....pdata..\|....P.......2..............@..@.rsrc........`.......6..............@..@.reloc..(....p.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Math\_modexp.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.913843738203007
Encrypted:	false
SSDEEP:	384:dspbXtHQY4ubrttQza9CHnZXQsnecAlOF0qZLAXxQI3Sya6XPpMg3Yx8MnDcCPSq:7Y44UagH6cAFCLUSYpMg3YDzPo5kG9G
MD5:	EF472BA63FD22922CA704B1E7B95A29E
SHA1:	700B68E7EF95514D5E94D3C6B10884E1E187ACD8
SHA-256:	66EEF4E6E0CEEEF2C23A758BFBEDAE7C16282FC93D0A56ACAFC40E871AC3F01C
SHA-512:	DC2060531C4153C43ABF30843BCB5F8FA082345CA1BB57F9AC8695EDDB28FF9FDA8132B6B6C67260F779D95FCADCAE2811091BCA300AB1E041FAE6CC7B50ABD8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..P~...~...~...w.3.x...,...\|...5...}...~...U...,...u...,...v...,...}.......\|............._.............Rich~...................PE..d...^..f.........." .....`...0......`.....................................................`..........................................~..\|...L...d...............<...............(....q...............................q..8............p..(............................text...X^.......`.................. ..`.rdata.......p.......d..............@..@.data................x..............@....pdata..<...........................@..@.rsrc...............................@..@.reloc..(...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Protocol\_scrypt.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.735350805948923
Encrypted:	false
SSDEEP:	192:rhsC3eqv6b0q3OQ3rHu5bc64OhD2I/p3cqgONLg:r/Hq3jHuY64OhDJJgONLg
MD5:	3B1CE70B0193B02C437678F13A335932
SHA1:	063BFD5A32441ED883409AAD17285CE405977D1F
SHA-256:	EB2950B6A2185E87C5318B55132DFE5774A5A579259AB50A7935A7FB143EA7B1
SHA-512:	0E02187F17DFCFD323F2F0E62FBFE35F326DCF9F119FC8B15066AFAEEE4EB7078184BC85D571B555E9E67A2DD909EC12D8A67E3D075E9B1283813EF274E05C0D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^:.6?T.6?T.6?T.?G..2?T.dJU.4?T.}GU.5?T.6?U..?T.dJQ.<?T.dJP.>?T.dJW.5?T..J\.7?T..JT.7?T..J..7?T..JV.7?T.Rich6?T.........................PE..d...Z..f.........." ................P.....................................................`..........................................8..d....8..d....`.......P..4............p..(....1...............................1..8............0...............................text...H........................... ..`.rdata..0....0......................@..@.data........@.......&..............@....pdata..4....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..(....p......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\PublicKey\_curve25519.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22528
Entropy (8bit):	5.705606408072877
Encrypted:	false
SSDEEP:	384:19BcRxBmau38CYIl9bhgIW0mvufueNr359/tjGGDEFSegqrA:NcRy38J+9dmvufFtaGDV
MD5:	FF33C306434DEC51D39C7BF1663E25DA
SHA1:	665FCF47501F1481534597C1EAC2A52886EF0526
SHA-256:	D0E3B6A2D0E073B2D9F0FCDB051727007943A17A4CA966D75EBA37BECDBA6152
SHA-512:	66A909DC9C3B7BD4050AA507CD89B0B3A661C85D33C881522EC9568744953B698722C1CBFF093F9CBCD6119BD527FECAB05A67F2E32EC479BE47AFFA4377362C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...\..f.........." .....6...$......P.....................................................`.........................................`Y......`Z..d............p..................(....R..............................0R..8............P...............................text...(5.......6.................. ..`.rdata.......P.......:..............@..@.data........`.......J..............@....pdata.......p.......P..............@..@.rsrc................T..............@..@.reloc..(............V..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\PublicKey\_curve448.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	6.0189903352673655
Encrypted:	false
SSDEEP:	1536:Jfju4GgRMgWWnEDZiECgd/iwOXUQdbhov0Clb8Cx4hpK8ithLFIDullRPwDHxXOa:pXRMgWiEDZiECgd/iwOXUQdbhov0ClbU
MD5:	F267BF4256F4105DAD0D3E59023011ED
SHA1:	9BC6CA0F375CE49D5787C909D290C07302F58DA6
SHA-256:	1DDE8BE64164FF96B2BAB88291042EB39197D118422BEE56EB2846E7A2D2F010
SHA-512:	A335AF4DBF1658556ED5DC13EE741419446F7DAEC6BD2688B626A803FA5DD76463D6367C224E0B79B17193735E2C74BA417C26822DAEEF05AC3BAB1588E2DE83
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..P~...~...~...w.3.x...,...\|...5...}...~...U...,...u...,...v...,...}.......\|............._.............Rich~...................PE..d...\..f.........." .........8......`........................................P............`.............................................0.......d....0....... ..$............@..(.......................................8............................................text...8........................... ..`.rdata..............................@..@.data...............................@....pdata..$.... ......................@..@.rsrc........0......................@..@.reloc..(....@......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\PublicKey\_ec_ws.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	770560
Entropy (8bit):	7.613224993327352
Encrypted:	false
SSDEEP:	12288:XtIrHoxJ8gf1266y8IXhJvCKAmqVLzcrZgYIMGv1iLD9yQvG6h:XtIrHoxJFf1p34hcrn5Go9yQO6
MD5:	1EFD7F7CB1C277416011DE6F09C355AF
SHA1:	C0F97652AC2703C325AB9F20826A6F84C63532F2
SHA-256:	AB45FA80A68DB1635D41DC1A4AAD980E6716DAC8C1778CB5F30CDB013B7DF6E6
SHA-512:	2EC4B88A1957733043BBD63CEAA6F5643D446DB607B3267FAD1EC611E6B0AF697056598AAC2AE5D44AB2B9396811D183C32BCE5A0FF34E583193A417D1C5226B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........s.. .. .. ... .. ..!.. ..!.. .. .. ..!.. ..!.. ..!.. \..!.. \..!.. \.r .. \..!.. Rich.. ................PE..d...[..f.........." ................`.....................................................`.............................................h.......d...............................0......................................8...............(............................text............................... ..`.rdata..............................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..0...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\PublicKey\_ed25519.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26112
Entropy (8bit):	5.8551858881598795
Encrypted:	false
SSDEEP:	384:BczadRwoF2MZ81n0XTyMCYIl9bhgIW0mv8aeadRcwRwftjGLD2pRQNgQQ77k:2udRf2MuMJ+9dmv8aea34taLDcfQ
MD5:	C5FB377F736ED731B5578F57BB765F7A
SHA1:	5BA51E11F4DE1CAEDEBA0F7D4D10EC62EC109E01
SHA-256:	32073DF3D5C85ABCE7D370D6E341EF163A8350F6A9EDC775C39A23856CCFDD53
SHA-512:	D361BCDAF2C700D5A4AC956D96E00961432C05A1B692FC870DB53A90F233A6D24AA0C3BE99E40BD8E5B7C6C1B2BCDCDCFC545292EF321486FFC71C5EA7203E6A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...]..f.........." .....B...&......P.....................................................`..........................................i..0....k..d...............................(... b..............................@b..8............`...............................text....A.......B.................. ..`.rdata..P....`.......F..............@..@.data........p.......V..............@....pdata...............^..............@..@.rsrc................b..............@..@.reloc..(............d..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\PublicKey\_ed448.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84992
Entropy (8bit):	6.064677498000638
Encrypted:	false
SSDEEP:	1536:BrYNvxcZeLrIeNs2qkTwe57DsuP45PqAqVDK9agdUiwOXyQdDrov0slb8gx4TBKW:Br4vxcZeLrIeN1TvHsuP45yAqVDK9ag3
MD5:	8A0C0AA820E98E83AC9B665A9FD19EAF
SHA1:	6BF5A14E94D81A55A164339F60927D5BF1BAD5C4
SHA-256:	4EE3D122DCFFE78E6E7E76EE04C38D3DC6A066E522EE9F7AF34A09649A3628B1
SHA-512:	52496AE7439458DEDB58A65DF9FFDCC3A7F31FC36FE7202FB43570F9BB03ABC0565F5EF32E5E6C048ED3EBC33018C19712E58FF43806119B2FB5918612299E7E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..P~...~...~...w.3.x...,...\|...5...}...~...U...,...u...,...v...,...}.......\|............._.............Rich~...................PE..d...^..f.........." .........8......`.....................................................`..........................................C..h...HE..d....p.......`..l...............(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......4..............@....pdata..l....`.......>..............@..@.rsrc........p.......H..............@..@.reloc..(............J..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Util\_cpuid_c.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.675380950473425
Encrypted:	false
SSDEEP:	96:frQRpBddzAvzrqTOy/ThIz014mlxuLnkC75JiSBhsPeSztllIDpqf4AZaRcX6gnO:Qddz2KTnThIz0qfteRIDgRWcqgnCWt
MD5:	44B930B89CE905DB4716A548C3DB8DEE
SHA1:	948CBFF12A243C8D17A7ACD3C632EE232DF0F0ED
SHA-256:	921C2D55179C0968535B20E9FD7AF55AD29F4CE4CF87A90FE258C257E2673AA5
SHA-512:	79DF755BE8B01D576557A4CB3F3200E5EE1EDE21809047ABB9FF8D578C535AC1EA0277EDA97109839A7607AF043019F2C297E767441C7E11F81FDC87FD1B6EFC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@................../....../...../......+.......*......-......&....................,....Rich...........................PE..d...X..f.........." ................P........................................p............`.........................................@'..\|....'..P....P.......@...............`..(....!...............................!..8............ ...............................text............................... ..`.rdata....... ......................@..@.data...H....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..(....`.......&..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Util\_strxor.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.625428549874022
Encrypted:	false
SSDEEP:	96:flipBddzAvzrqTOy/ThIz014mlxuLnkC75JiSBhsPeSzteXuDVZqYNIfcX6gHCWx:Cddz2KTnThIz0qfteR5DVwYkcqgHCWt
MD5:	F24F9356A6BDD29B9EF67509A8BC3A96
SHA1:	A26946E938304B4E993872C6721EB8CC1DCBE43B
SHA-256:	034BB8EFE3068763D32C404C178BD88099192C707A36F5351F7FDB63249C7F81
SHA-512:	C4D3F92D7558BE1A714388C72F5992165DD7A9E1B4FA83B882536030542D93FDAD9148C981F76FFF7868192B301AC9256EDB8C3D5CE5A1A2ACAC183F96C1028B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@................../....../...../......+.......*......-......&....................,....Rich...........................PE..d...Z..f.........." ................P........................................p............`......................................... '..t....'..P....P.......@...............`..(....!...............................!..8............ ...............................text...h........................... ..`.rdata..`.... ......................@..@.data...H....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..(....`.......&..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120400
Entropy (8bit):	6.6017475353076716
Encrypted:	false
SSDEEP:	1536:N9TXF5LLXQLlNycKW+D4SdqJk6aN1ACuyxLiyazYaCVoecbdhgOwAd+zfZ1zu:N9jelDoD9uyxLizzFzecbdPwA87S
MD5:	862F820C3251E4CA6FC0AC00E4092239
SHA1:	EF96D84B253041B090C243594F90938E9A487A9A
SHA-256:	36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
SHA-512:	2F8A0F11BCCC3A8CB99637DEEDA0158240DF0885A230F38BB7F21257C659F05646C6B61E993F87E0877F6BA06B347DDD1FC45D5C44BC4E309EF75ED882B82E4E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\=..\...\...\..S$...\...$...\...\..5\...\...\.....\.....\.....\.....\......\.....\..Rich.\..........PE..d.....x.........." ...).$...d............................................................`A........................................0u..4...d}..........................PP...........^..p............................\..@............@...............................text............................... ..`fothk........0...................... ..`.rdata...C...@...D...(..............@..@.data................l..............@....pdata...............p..............@..@_RDATA...............\|..............@..@.rsrc................~..............@..@.reloc..............................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\VCRUNTIME140_1.dll

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	6.701724666218339
Encrypted:	false
SSDEEP:	768:ApzzO6ujT3MbR3v0Cz6SR8q83yaFdWr9zRcmgEl6U9zSC:9q/oGw3fFdwzRcmZFzSC
MD5:	68156F41AE9A04D89BB6625A5CD222D4
SHA1:	3BE29D5C53808186EBA3A024BE377EE6F267C983
SHA-256:	82A2F9AE1E6146AE3CB0F4BC5A62B7227E0384209D9B1AEF86BBCC105912F7CD
SHA-512:	F7BF8AD7CD8B450050310952C56F6A20B378A972C822CCC253EF3D7381B56FFB3CA6CE3323BEA9872674ED1C02017F78AB31E9EB9927FC6B3CBA957C247E5D57
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?.{...{...{...0...y.......y...r.H.p...{...H.......\|.......`.......~.......z.....$.z.......z...Rich{...........PE..d...l0.?.........." ...).<...8.......@...............................................b....`A........................................pm.......m..x....................r..PP......D....c..p...........................`b..@............P..`............................text....;.......<.................. ..`.rdata.."#...P...$...@..............@..@.data................d..............@....pdata...............f..............@..@.rsrc................l..............@..@.reloc..D............p..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\_asyncio.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	70928
Entropy (8bit):	6.242470629630265
Encrypted:	false
SSDEEP:	768:FCIB0WWuqkJS86D6rznO6uqM+lY5ZkesIcydIJvn/5YiSyvT2ETh:FCY0WStDwnOLYY5ZkeddIJvnx7Sy75h
MD5:	80083B99812171FEA682B1CF38026816
SHA1:	365FB5B0C652923875E1C7720F0D76A495B0E221
SHA-256:	DBEAE7CB6F256998F9D8DE79D08C74D716D819EB4473B2725DBE2D53BA88000A
SHA-512:	33419B9E18E0099DF37D22E33DEBF15D57F4248346B17423F2B55C8DA7CBE62C19AA0BB5740CFAAC9BC6625B81C54367C0C476EAECE71727439686567F0B1234
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Z...........%.....................................................K...................I...........Rich...................PE..d......g.........." ...).d................................................... ............`.........................................`...P.......d......................../.............T...............................@...............(............................text...)b.......d.................. ..`.rdata...O.......P...h..............@..@.data...`...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84240
Entropy (8bit):	6.607563436050078
Encrypted:	false
SSDEEP:	1536:Kdrz7l1EVLsSuvX3dUK4MLgqK7YEog8y5sV8lIJLVy7SyFB:urzcuvXvrEo7y6V8lIJLVyB
MD5:	CB8C06C8FA9E61E4AC5F22EEBF7F1D00
SHA1:	D8E0DFC8127749947B09F17C8848166BAC659F0D
SHA-256:	FC3B481684B926350057E263622A2A5335B149A0498A8D65C4F37E39DD90B640
SHA-512:	E6DA642B7200BFB78F939F7D8148581259BAA9A5EDDA282C621D14BA88083A9B9BD3D17B701E9CDE77AD1133C39BD93FC9D955BB620546BB4FCF45C68F1EC7D6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e...!m..!m..!m..(.o.+m..1...#m..1..."m..1...%m..1...)m..1...,m..i..."m..j...#m..!m..\|m..i...)m..i... m..i... m..i... m..Rich!m..........PE..d.....g.........." ...).....\......0........................................P......7[....`.............................................H...(........0....... .. ......../...@..........T...........................`...@...............x............................text............................... ..`.rdata...=.......>..................@..@.data...............................@....pdata.. .... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\_cffi_backend.cp313-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	179200
Entropy (8bit):	6.189919896183334
Encrypted:	false
SSDEEP:	3072:X3LjFuaTzDGA3GrJwUdoSPhpRv9JUizQWS7LkSTLkKWgFIPXD0:X3QaT3GA3NSPhDsizTikSTLLWgF0z0
MD5:	5CBA92E7C00D09A55F5CBADC8D16CD26
SHA1:	0300C6B62CD9DB98562FDD3DE32096AB194DA4C8
SHA-256:	0E3D149B91FC7DC3367AB94620A5E13AF6E419F423B31D4800C381468CB8AD85
SHA-512:	7AB432C8774A10F04DDD061B57D07EBA96481B5BB8C663C6ADE500D224C6061BC15D17C74DA20A7C3CEC8BBF6453404D553EBAB22D37D67F9B163D7A15CF1DED
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......i..#-p.p-p.p-p.p$..p!p.p=.q/p.p=.zp)p.p=.q)p.p=.q%p.p=.q!p.pf..q)p.p9.q.p.p-p.p.p.pe..q)p.p$..p,p.pe..q,p.pe.xp,p.pe..q,p.pRich-p.p........................PE..d..._..f.........." ...).....B......@........................................0............`..........................................h..l....i..................T............ ......0O...............................M..@............................................text............................... ..`.rdata..............................@..@.data....].......0...n..............@....pdata..T...........................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	131344
Entropy (8bit):	6.311142284249784
Encrypted:	false
SSDEEP:	3072:3RF024DWkT/DKGkXY402iXnVJf/FO50XnekZ39gPhvEQZIJyPArm:j0nHT/DKFXZorf/FO50uW3SEQt
MD5:	A55E57D7594303C89B5F7A1D1D6F2B67
SHA1:	904A9304A07716497CF3E4EAAFD82715874C94F1
SHA-256:	F63C6C7E71C342084D8F1A108786CA6975A52CEFEF8BE32CC2589E6E2FE060C8
SHA-512:	FFA61AD2A408A831B5D86B201814256C172E764C9C1DBE0BD81A2E204E9E8117C66F5DFA56BB7D74275D23154C0ED8E10D4AE8A0D0564434E9761D754F1997FC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h~..............q...............................................q.......q......!u.............................................Rich....................PE..d.....g.........." ...).............h....................................... .......Z....`.........................................P.................................../...........=..T............................;..@............0...............................text............................... ..`.rdata...y...0...z..................@..@.data....$....... ..................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	277776
Entropy (8bit):	6.5855511991551
Encrypted:	false
SSDEEP:	6144:x9iD78EIq4x4OA5bZZ0KDgQcI79qWM53pLW1AFR8E4wXw76TPlpV77777VMvyk:xwDGqr5b8EgQ5+w6k
MD5:	F3377F3DE29579140E2BBAEEFD334D4F
SHA1:	B3076C564DBDFD4CA1B7CC76F36448B0088E2341
SHA-256:	B715D1C18E9A9C1531F21C02003B4C6726742D1A2441A1893BC3D79D7BB50E91
SHA-512:	34D9591590BBA20613691A5287EF329E5927A58127CE399088B4D68A178E3AF67159A8FC55B4FCDCB08AE094753B20DEC2AC3F0B3011481E4ED6F37445CECDD5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j2U..\...\...\..s....\..]...\.._...\..X...\..Y...\...]...\..s]...\...].z.\..._...\...Q...\...\...\.......\...^...\.Rich..\.........................PE..d......g.........." ...).....Z...............................................P......W.....`.................................................L........0..........t+......./...@..........T...............................@............... ............................text.............................. ..`.rdata..\...........................@..@.data...8'......."..................@....pdata..t+.......,..................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	64272
Entropy (8bit):	6.220967684620152
Encrypted:	false
SSDEEP:	768:eNJI0DWiflFwY9X3Th1JnptE462TxNvdbj4dIJvI75YiSyvE62Em:2LDxflFwY9XDhPfVNv+dIJvIF7Syc6c
MD5:	32D76C9ABD65A5D2671AEEDE189BC290
SHA1:	0D4440C9652B92B40BB92C20F3474F14E34F8D62
SHA-256:	838D5C8B7C3212C8429BAF612623ABBBC20A9023EEC41E34E5461B76A285B86C
SHA-512:	49DC391F4E63F4FF7D65D6FD837332745CC114A334FD61A7B6AA6F710B235339964B855422233FAC4510CCB9A6959896EFE880AB24A56261F78B2A0FD5860CD9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W.A.6...6...6...N%..6.......6.......6.......6.......6.......6...N...6.......6...6..26.......6.......6....I..6.......6..Rich.6..........PE..d......g.........." ...).P...~.......=..............................................!.....`.........................................p...P................................/......X....l..T............................k..@............`...............................text....N.......P.................. ..`.rdata...M...`...N...T..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..X...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	157968
Entropy (8bit):	6.854644275249963
Encrypted:	false
SSDEEP:	3072:KbbS4R/G4Z8r7NjwJTSUqCRY4By7znfB9mNowgn0lCelIJ012+j:KbR/8oWeBi5YOwflCe8o
MD5:	1BA022D42024A655CF289544AE461FB8
SHA1:	9772A31083223ECF66751FF3851D2E3303A0764C
SHA-256:	D080EABD015A3569813A220FD4EA74DFF34ED2A8519A10473EB37E22B1118A06
SHA-512:	2B888A2D7467E29968C6BB65AF40D4B5E80722FFDDA760AD74C912F3A2F315D402F3C099FDE82F00F41DE6C9FAAEDB23A643337EB8821E594C567506E3464C62
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7...V.,.V.,.V.,...,.V.,..-.V.,..-.V.,..-.V.,..-.V.,..-.V.,...-.V.,.V.,.V.,..-.V.,..-.V.,..u,.V.,..-.V.,Rich.V.,................PE..d......g.........." ...).`...........1.......................................p.......P....`.............................................L.......x....P.......0.......:.../...`..4....\|..T...........................P{..@............p...............................text...^^.......`.................. ..`.rdata.......p.......d..............@..@.data........ ......................@....pdata.......0......................@..@.rsrc........P......................@..@.reloc..4....`.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\_multiprocessing.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	35600
Entropy (8bit):	6.416657776501014
Encrypted:	false
SSDEEP:	768:6wehui7ZmQW/3OUDxEiNIJntJ5YiSyvSJz2Ec:whuilG+UDxEiNIJntX7Sy+zO
MD5:	705AC24F30DC9487DC709307D15108ED
SHA1:	E9E6BA24AF9947D8995392145ADF62CAC86BA5D8
SHA-256:	59134B754C6ACA9449E2801E9E7ED55279C4F1ED58FE7A7A9F971C84E8A32A6C
SHA-512:	F5318EBB91F059F0721D75D576B39C7033D566E39513BAD8E7E42CCC922124A5205010415001EE386495F645238E2FF981A8B859F0890DC3DA4363EB978FDBA7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2.Y)v.7zv.7zv.7z..zt.7zf,6{t.7zf,4{u.7zf,3{~.7zf,2{{.7z>-6{t.7zv.6z..7z=.6{s.7z>-:{t.7z>-7{w.7z>-.zw.7z>-5{w.7zRichv.7z........PE..d......g.........." ...). ...>......@...............................................%.....`......................................... E..`....E..x............p.......\.../...........4..T............................3..@............0...............................text............ .................. ..`.rdata..6 ...0..."...$..............@..@.data...p....`.......F..............@....pdata.......p.......L..............@..@.rsrc................P..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\_overlapped.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	55568
Entropy (8bit):	6.3313243577146485
Encrypted:	false
SSDEEP:	1536:+kMm7HdG/l5fW3UguCE+eRIJWtd7SyJds:+wIQUFCEbRIJWtd6
MD5:	A72527454DD6DA346DDB221FC729E3D4
SHA1:	0276387E3E0492A0822DB4EABE23DB8C25EF6E6F
SHA-256:	404353D7B867749FA2893033BD1EBF2E3F75322D4015725D697CFA5E80EC9D0F
SHA-512:	FEFB543D20520F86B63E599A56E2166599DFA117EDB2BEB5E73FC8B43790543702C280A05CCFD9597C0B483F637038283DD48EF8C88B4EA6BAC411EC0043B10A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.{X/.(X/.(X/.(QW_(\/.(H..)Z/.(H..)[/.(H..)P/.(H..)T/.(...)Z/.(X/.(//.(.W.)]/.(.W.)Y/.(...)Y/.(...)Y/.(..3(Y/.(...)Y/.(RichX/.(........................PE..d.....g.........." ...).L...`......@................................................}....`.............................................X................................/......(....f..T............................e..@............`...............................text....J.......L.................. ..`.rdata...8...`...:...P..............@..@.data...@...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..(...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	33552
Entropy (8bit):	6.446391764486538
Encrypted:	false
SSDEEP:	384:7GpPCRjqMu/AoS6rf7sif0NHQibZIJ9UoOHQIYiSy1pCQ5xX1rSJIVE8E9VF0Nyf:fkTM6rg9aeZIJ9Uok5YiSyvTo2Et
MD5:	1C03CAA59B5E4A7FB9B998D8C1DA165A
SHA1:	8A318F80A705C64076E22913C2206D9247D30CD7
SHA-256:	B9CF502DADCB124F693BF69ECD7077971E37174104DBDA563022D74961A67E1E
SHA-512:	783ECDA7A155DFC96A718D5A130FB901BBECBED05537434E779135CBA88233DD990D86ECA2F55A852C9BFB975074F7C44D8A3E4558D7C2060F411CE30B6A915F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T...........-.........................................................................A...........Rich...................PE..d.....g.........." ...).....:.......................................................r....`.........................................PD..L....D..d....p.......`..l....T.../..........@4..T............................3..@............0...............................text............................... ..`.rdata..2....0....... ..............@..@.data........P.......>..............@....pdata..l....`.......D..............@..@.rsrc........p.......H..............@..@.reloc...............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83728
Entropy (8bit):	6.331814573029388
Encrypted:	false
SSDEEP:	1536:XuV3gvWHQdMq3ORC/OypTXQlyJ+9+nzEYwsBI6tzOKuZIJywJ7Sy21:XuVQvcQTSypTXQlyJs+nzEYJI6QlZIJY
MD5:	FE896371430BD9551717EF12A3E7E818
SHA1:	E2A7716E9CE840E53E8FC79D50A77F40B353C954
SHA-256:	35246B04C6C7001CA448554246445A845CE116814A29B18B617EA38752E4659B
SHA-512:	67ECD9A07DF0A07EDD010F7E3732F3D829F482D67869D6BCE0C9A61C24C0FDC5FF4F4E4780B9211062A6371945121D8883BA2E9E2CF8EB07B628547312DFE4C9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............ll}.ll}.ll}...}.ll}..m\|.ll}..o\|.ll}..h\|.ll}..i\|.ll}..m\|.ll}.lm}.ll}..m\|.ll}..a\|.ll}..l\|.ll}..}.ll}..n\|.ll}Rich.ll}........PE..d.....g.........." ...).x.......... -.......................................`.......s....`.........................................@...P............@.......0.........../...P..........T...........................@...@............................................text....w.......x.................. ..`.rdata.. y.......z...\|..............@..@.data...............................@....pdata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\_sqlite3.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	128272
Entropy (8bit):	6.294497957566744
Encrypted:	false
SSDEEP:	3072:N+tZdKmXhyn/qO6ItCpz6j5yQyshiKftdIJvQJL:NGZVwnxHssj5lhiYR
MD5:	D4E5BE27410897AC5771966E33B418C7
SHA1:	5D18FF3CC196557ED40F2F46540B2BFE02901D98
SHA-256:	3E625978D7C55F4B609086A872177C4207FB483C7715E2204937299531394F4C
SHA-512:	4D40B4C6684D3549C35ED96BEDD6707CE32DFAA8071AEADFBC682CF4B7520CFF08472F441C50E0D391A196510F8F073F26AE8B2D1E9B1AF5CF487259CC6CCC09
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........V...7.7.7.Oc..7...7.....7...7.....7.....7...7..O.7.7.6.....7...7.....7...7.Rich.7.........................PE..d......g.........." ...)............................................................[.....`..........................................{..P...P{.........................../..............T...............................@...............H............................text...t........................... ..`.rdata.............................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	181520
Entropy (8bit):	5.972827303352998
Encrypted:	false
SSDEEP:	3072:kO+IWyXHllRhN1qhep7fM6CpqjZI8u7pUULbaLZErWreVEzvT3iFCNc6tYwJc1OW:kpSrhN1E2M6CpUuwg5dEW7
MD5:	1C0E3E447F719FBE2601D0683EA566FC
SHA1:	5321AB73B36675B238AB3F798C278195223CD7B1
SHA-256:	63AE2FEFBFBBBC6EA39CDE0A622579D46FF55134BC8C1380289A2976B61F603E
SHA-512:	E1A430DA2A2F6E0A1AED7A76CC4CD2760B3164ABC20BE304C1DB3541119942508E53EA3023A52B8BADA17A6052A7A51A4453EFAD1A888ACB3B196881226C2E5C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......FM.^.,k..,k..,k..T...,k...j..,k...h..,k...o..,k...n..,k.J.j..,k...j..,k..,j..-k.ITj..,k.J.f..,k.J.k..,k.J....,k.J.i..,k.Rich.,k.................PE..d......g.........." ...)............ /..............................................R\....`.............................................d................................/..............T...........................P...@............................................text...0........................... ..`.rdata..D%.......&..................@..@.data...`...........................@....pdata...............n..............@..@.rsrc................z..............@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\_uuid.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25872
Entropy (8bit):	6.591600232213824
Encrypted:	false
SSDEEP:	384:bROw4TUyiIWlIJ0wsaHQIYiSy1pCQxHoQSJIVE8E9VF0NyEIkz:4w4TUyfWlIJ0wT5YiSyvBk2E3kz
MD5:	3ACF3138D5550CA6DE7E2580E076E0F7
SHA1:	3E878A18DF2362AA6F0BDBFA058DCA115E70D0B8
SHA-256:	F9D5008F0772AA0720BC056A6ECD5A2A3F24965E4B470B022D88627A436C1FFE
SHA-512:	F05E90A0FEAA2994B425884AF32149FBBE2E11CB7499FC88CA92D8A74410EDCD62B2B2C0F1ECD1A46985133F7E89575F2C114BD01F619C22CE52F3CF2A7E37C4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........p..#..#..#..\#..#..."..#..."..#..."..#..."..#..."..#..."..#..#...#..."..#..."..#..0#..#..."..#Rich..#........PE..d.....g.........." ...).....&......................................................".....`.........................................p9..L....9..x....`.......P.......6.../...p..@...`3..T........................... 2..@............0..8............................text...h........................... ..`.rdata.......0......................@..@.data...p....@.......&..............@....pdata.......P.......(..............@..@.rsrc........`.......*..............@..@.reloc..@....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\_wmi.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	38160
Entropy (8bit):	6.338856805460127
Encrypted:	false
SSDEEP:	768:fEkK9VgWOZbs3550QcJpPllIJLiX5YiSyvQ602Euf0:fE93jkbQcJvlIJLiJ7Syq00
MD5:	1C30CC7DF3BD168D883E93C593890B43
SHA1:	31465425F349DAE4EDAC9D0FEABC23CE83400807
SHA-256:	6435C679A3A3FF4F16708EBC43F7CA62456C110AC1EA94F617D8052C90C143C7
SHA-512:	267A1807298797B190888F769D998357B183526DFCB25A6F1413E64C5DCCF87F51424B7E5D6F2349D7A19381909AB23B138748D8D9F5858F7DC0552F5C5846AC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........H2.&a.&a.&a..a.&a..'`.&a..%`.&a.."`.&a..'`.&a..#`.&a..'`.&a.'a..&a.."`.&a../`.&a..&`.&a...a.&a..$`.&aRich.&a................PE..d.....g.........." ...).,...<.......)..............................................'.....`.........................................0V..H...xV.......................f.../......x...tG..T............................C..@............@.......T..@....................text....*.......,.................. ..`.rdata..d ...@..."...0..............@..@.data........p.......R..............@....pdata...............V..............@..@.rsrc................Z..............@..@.reloc..x............d..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\base_library.zip

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1394456
Entropy (8bit):	5.531698507573688
Encrypted:	false
SSDEEP:	12288:IW7WpLV6yNLeGQbVz3YQfiBgDPtLwjFx278e6ZQnHS91lqyL+DXUgnxOr+dx5/GO:B7WpLtHa9BHSHAW+dx5/GP05vddD
MD5:	A9CBD0455B46C7D14194D1F18CA8719E
SHA1:	E1B0C30BCCD9583949C247854F617AC8A14CBAC7
SHA-256:	DF6C19637D239BFEDC8CD13D20E0938C65E8FDF340622FF334DB533F2D30FA19
SHA-512:	B92468E71490A8800E51410DF7068DD8099E78C79A95666ECF274A9E9206359F049490B8F60B96081FAFD872EC717E67020364BCFA972F26F0D77A959637E528
Malicious:	false
Preview:	PK..........!..b.e............_collections_abc.pyc......................................\.....S.r.S.S.K.J.r.J.r. .S.S.K.r.\.".\.\.....5.......r.\.".S.5.......r.S...r.\.".\.5.......r.C./.S.Q.r.S.r.\.".\.".S.5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".0.R%..................5.......5.......5.......r.\.".\.".0.R)..................5.......5.......5.......r.\.".\.".0.R-..................5.......5.......5.......r.\.".\."./.5.......5.......r.\.".\.".\."./.5.......5.......5.......r.\.".\.".\.".S.5.......5.......5.......r.\.".\.".\.".S.S.-...5.......5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".S.5.......5.......r \.".\.".S.5.......5.......r!\.".\.".\"".5.......5.......5.......r#\.".0.R%..................5.......5.......r$\.".0.R)..................5.......5.......r%\.".0.R-..................5.......5.......r&\.".\.RN..................5.......r(S...r)\)".5.......r*C)\.".S...".5.......5.......r+S...r,\,".5.......r,\.".\,5.......r-\,R]..................5.......

C:\Users\user\AppData\Local\Temp\_MEI39642\certifi\cacert.pem

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299427
Entropy (8bit):	6.047872935262006
Encrypted:	false
SSDEEP:	6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/QRSRqNb7d8iu5Nahx:QWb/TRJLWURrI5RWavdF08/
MD5:	50EA156B773E8803F6C1FE712F746CBA
SHA1:	2C68212E96605210EDDF740291862BDF59398AEF
SHA-256:	94EDEB66E91774FCAE93A05650914E29096259A5C7E871A1F65D461AB5201B47
SHA-512:	01ED2E7177A99E6CB3FBEF815321B6FA036AD14A3F93499F2CB5B0DAE5B713FD2E6955AA05F6BDA11D80E9E0275040005E5B7D616959B28EFC62ABB43A3238F0
Malicious:	false
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\_MEI39642\cryptography-43.0.3.dist-info\INSTALLER

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI39642\cryptography-43.0.3.dist-info\METADATA

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	5440
Entropy (8bit):	5.074230645519915
Encrypted:	false
SSDEEP:	96:DloQIUQIhQIKQILbQIRIaMPktjaVxsxA2TLLDmplH7dwnqTIvrUmA0JQTQCQx5KN:RcPuP1srTLLDmplH7JTIvYX0JQTQ9x54
MD5:	C891CD93024AF027647E6DE89D0FFCE2
SHA1:	01D8D6F93F1B922A91C82D4711BCEFB885AD47B0
SHA-256:	EB36E0E4251E8479EF36964440755EF22BEDD411BA87A93F726FA8E5BB0E64B0
SHA-512:	3386FBB3DCF7383B2D427093624C531C50BE34E3E0AA0984547B953E04776D0D431D5267827F4194A9B0AD1AB897869115623E802A6A1C5D2AE1AD82C96CCE71
Malicious:	false
Preview:	Metadata-Version: 2.3.Name: cryptography.Version: 43.0.3.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: Apache Software License.Classifier: License :: OSI Approved :: BSD License.Classifier: Natural Language :: English.Classifier: Operating System :: MacOS :: MacOS X.Classifier: Operating System :: POSIX.Classifier: Operating System :: POSIX :: BSD.Classifier: Operating System :: POSIX :: Linux.Classifier: Operating System :: Microsoft :: Windows.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Programming Language :: Python :: 3.7.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: Programming Language :: Python :: 3.11.Classifier: Programming Language :: Python :: 3.12.Classif

C:\Users\user\AppData\Local\Temp\_MEI39642\cryptography-43.0.3.dist-info\RECORD

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	15579
Entropy (8bit):	5.5670696451446435
Encrypted:	false
SSDEEP:	192:1XeTB7oz5jF4EHRThXsI4WPm6LciTwqU+NX6in5hqw/t+B:1Xk7ohCE3sIPm6LciTwqU+96inhgB
MD5:	6BA7EACDC603A21F205A9F4CF0FBF12E
SHA1:	55CEB7C05E30C49B582E7B2C4CE03E2FE9351CC1
SHA-256:	4AE8807DEAA2C41CB02FFB19601220AF425EA392D97375B85F18D1449F67F44F
SHA-512:	E621D6059D456940A953E7FA12D90988F9E14D3CD41018EEFB1788514B580A589860306A3818AB8B2CDEF3FE3A341E8324B4F2F31EB64D249BBF46E8E9894C3D
Malicious:	false
Preview:	cryptography-43.0.3.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..cryptography-43.0.3.dist-info/METADATA,sha256=6zbg5CUehHnvNpZEQHVe8ivt1BG6h6k_cm-o5bsOZLA,5440..cryptography-43.0.3.dist-info/RECORD,,..cryptography-43.0.3.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..cryptography-43.0.3.dist-info/WHEEL,sha256=8_4EnrLvbhzH224YH8WypoB7HFn-vpbwr_zHlr3XUBI,94..cryptography-43.0.3.dist-info/license_files/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197..cryptography-43.0.3.dist-info/license_files/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360..cryptography-43.0.3.dist-info/license_files/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532..cryptography/__about__.py,sha256=-FkHKD9mSuEfH37wsSKnQzJZmL5zUAUTpB5OeUQjPE0,445..cryptography/__init__.py,sha256=mthuUrTd4FROCpUYrTIqhjz6s6T9djAZrV7nZ1oMm2o,364..cryptography/__pycache__/__about__.cpython-313.pyc,,..cryptography/__pycache__/__ini

C:\Users\user\AppData\Local\Temp\_MEI39642\cryptography-43.0.3.dist-info\WHEEL

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	5.016084900984752
Encrypted:	false
SSDEEP:	3:RtEeX5pGogP+tkKciH/KQb:RtvoTWKTQb
MD5:	C869D30012A100ADEB75860F3810C8C9
SHA1:	42FD5CFA75566E8A9525E087A2018E8666ED22CB
SHA-256:	F3FE049EB2EF6E1CC7DB6E181FC5B2A6807B1C59FEBE96F0AFFCC796BDD75012
SHA-512:	B29FEAF6587601BBE0EDAD3DF9A87BFC82BB2C13E91103699BABD7E039F05558C0AC1EF7D904BCFAF85D791B96BC26FA9E39988DD83A1CE8ECCA85029C5109F0
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: maturin (1.7.0).Root-Is-Purelib: false.Tag: cp39-abi3-win_amd64.

C:\Users\user\AppData\Local\Temp\_MEI39642\cryptography-43.0.3.dist-info\license_files\LICENSE

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	197
Entropy (8bit):	4.61968998873571
Encrypted:	false
SSDEEP:	3:hWDncJhByZmJgXPForADu1QjygQuaAJygT2d5GeWreLRuOFEXAYeBKmJozlMHuO:h9Co8FyQjkDYc5tWreLBF/pn2mH1
MD5:	8C3617DB4FB6FAE01F1D253AB91511E4
SHA1:	E442040C26CD76D1B946822CAF29011A51F75D6D
SHA-256:	3E0C7C091A948B82533BA98FD7CBB40432D6F1A9ACBF85F5922D2F99A93AE6BB
SHA-512:	77A1919E380730BCCE5B55D76FBFFBA2F95874254FAD955BD2FE1DE7FC0E4E25B5FDAAB0FEFFD6F230FA5DC895F593CF8BFEDF8FDC113EFBD8E22FADAB0B8998
Malicious:	false
Preview:	This software is made available under the terms of either of the licenses.found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made.under the terms of both these licenses..

C:\Users\user\AppData\Local\Temp\_MEI39642\cryptography-43.0.3.dist-info\license_files\LICENSE.APACHE

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	11360
Entropy (8bit):	4.426756947907149
Encrypted:	false
SSDEEP:	192:nUDG5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEnQHbHR:UIvlKM1zJlFvmNz5VrlkTS0QHt
MD5:	4E168CCE331E5C827D4C2B68A6200E1B
SHA1:	DE33EAD2BEE64352544CE0AA9E410C0C44FDF7D9
SHA-256:	AAC73B3148F6D1D7111DBCA32099F68D26C644C6813AE1E4F05F6579AA2663FE
SHA-512:	F451048E81A49FBFA11B49DE16FF46C52A8E3042D1BCC3A50AAF7712B097BED9AE9AED9149C21476C2A1E12F1583D4810A6D36569E993FE1AD3879942E5B0D52
Malicious:	false
Preview:	. Apache License. Version 2.0, January 2004. https://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial ow

C:\Users\user\AppData\Local\Temp\_MEI39642\cryptography-43.0.3.dist-info\license_files\LICENSE.BSD

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1532
Entropy (8bit):	5.058591167088024
Encrypted:	false
SSDEEP:	24:MjUnoorbOFFTJJyRrYFTjzMbmqEvBTP4m96432s4EOkUTKQROJ32s3yxsITf+3tY:MkOFJSrYJsaN5P406432svv32s3EsIqm
MD5:	5AE30BA4123BC4F2FA49AA0B0DCE887B
SHA1:	EA5B412C09F3B29BA1D81A61B878C5C16FFE69D8
SHA-256:	602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
SHA-512:	DDBB20C80ADBC8F4118C10D3E116A5CD6536F72077C5916D87258E155BE561B89EB45C6341A1E856EC308B49A4CB4DBA1408EABD6A781FBE18D6C71C32B72C41
Malicious:	false
Preview:	Copyright (c) Individual contributors..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:.. 1. Redistributions of source code must retain the above copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... 3. Neither the name of PyCA Cryptography nor the names of its contributors. may be used to endorse or promote products derived from this software. without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOS

C:\Users\user\AppData\Local\Temp\_MEI39642\cryptography\hazmat\bindings\_rust.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	7834624
Entropy (8bit):	6.517862303223651
Encrypted:	false
SSDEEP:	49152:oFNZj7fIo9W67PapgzJTkrXyzNzpXAbuiqCgIns3mYEXEqMrIU6i7GtlqdVwASO/:QI9X/gIFYEXME+oFNr5VQCJheq4BsxH
MD5:	BFD28B03A4C32A9BCB001451FD002F67
SHA1:	DD528FD5F4775E16B2E743D3188B66F1174807B2
SHA-256:	8EF0F404A8BFF12FD6621D8F4F209499613F565777FE1C2A680E8A18F312D5A7
SHA-512:	6DC39638435F147B399826E34F78571D7ED2ED1232275E213A2B020224C0645E379F74A0CA5DE86930D3348981C8BB03BBBECFA601F8BA781417E7114662DDEE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.b.6...6...6...?..$...&9..4...&9..2...&9..>...&9..'...}...8...Y<..5...6...2...~8..I...6.......~8..7...~8..7...Rich6...........PE..d......g.........." ...)..Y..$........W.......................................w...........`..........................................q.....l.q.............. s...............w......zi.T....................{i.(...Pyi.@.............Y..............................text...k.Y.......Y................. ..`.rdata...A....Y..B....Y.............@..@.data...@+....q.......q.............@....pdata....... s.......r.............@..@.reloc........w.......v.............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\libcrypto-3.dll

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5232408
Entropy (8bit):	5.940072183736028
Encrypted:	false
SSDEEP:	98304:/V+Qs2NuR5YV0L8PQ1CPwDvt3uFlDC4SC9c:9rs2NuDYV0L841CPwDvt3uFlDC4SCa
MD5:	123AD0908C76CCBA4789C084F7A6B8D0
SHA1:	86DE58289C8200ED8C1FC51D5F00E38E32C1AAD5
SHA-256:	4E5D5D20D6D31E72AB341C81E97B89E514326C4C861B48638243BDF0918CFA43
SHA-512:	80FAE0533BA9A2F5FA7806E86F0DB8B6AAB32620DDE33B70A3596938B529F3822856DE75BDDB1B06721F8556EC139D784BC0BB9C8DA0D391DF2C20A80D33CB04
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._~.._~.._~..V.S.M~.....]~.....[~.....W~.....S~.._~...~......T~..J....~..J...7}..J...^~..J.?.^~..J...^~..Rich_~..........................PE..d......f.........." ...(..7..<......v........................................0P.......O...`...........................................H.0.....O.@....@O.\|.... L. .....O../...PO.$...`{D.8............................yD.@.............O..............................text.....7.......7................. ..`.rdata........7.......7.............@..@.data...Ao....K..<....K.............@....pdata....... L.......K.............@..@.idata...%....O..&....N.............@..@.00cfg..u....0O.......N.............@..@.rsrc...\|....@O.......N.............@..@.reloc..~....PO.......N.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\libffi-8.dll

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39696
Entropy (8bit):	6.641880464695502
Encrypted:	false
SSDEEP:	768:NiQfxQemQJNrPN+moyijAc5YiSyvkIPxWEqG:dfxIQvPkmoyijP7SytPxF
MD5:	0F8E4992CA92BAAF54CC0B43AACCCE21
SHA1:	C7300975DF267B1D6ADCBAC0AC93FD7B1AB49BD2
SHA-256:	EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
SHA-512:	6E1B223462DC124279BFCA74FD2C66FE18B368FFBCA540C84E82E0F5BCBEA0E10CC243975574FA95ACE437B9D8B03A446ED5EE0C9B1B094147CEFAF704DFE978
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".H...(.......L...............................................n....`......................................... l.......p..P...............P....l.../......,...@d...............................c..@............`.. ............................text....G.......H.................. ..`.rdata..h....`.......L..............@..@.data................b..............@....pdata..P............d..............@..@.reloc..,............j..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\libssl-3.dll

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	792856
Entropy (8bit):	5.57949182561317
Encrypted:	false
SSDEEP:	12288:7LN1sdyIzHHZp5c3nlUa6lxzAG11rbmFe9Xbv:7LgfzH5I3nlUa2AU2Fe9Xbv
MD5:	4FF168AAA6A1D68E7957175C8513F3A2
SHA1:	782F886709FEBC8C7CEBCEC4D92C66C4D5DBCF57
SHA-256:	2E4D35B681A172D3298CAF7DC670451BE7A8BA27C26446EFC67470742497A950
SHA-512:	C372B759B8C7817F2CBB78ECCC5A42FA80BDD8D549965BD925A97C3EEBDCE0335FBFEC3995430064DEAD0F4DB68EBB0134EB686A0BE195630C49F84B468113E3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l.>..\|m..\|m..\|m.u.m..\|m+.}l..\|m.u}l..\|m+..l..\|m+.xl..\|m+.yl..\|m..}l..\|m..}m..\|m..xl..\|m..\|l..\|m...m..\|m..~l..\|mRich..\|m................PE..d......f.........." ...(.>..........K........................................0......!+....`..........................................x...Q..............s.... ...M......./......d...p...8...............................@............................................text....<.......>.................. ..`.rdata..hz...P...\|...B..............@..@.data...qN.......H..................@....pdata..pV... ...X..................@..@.idata...c.......d...^..............@..@.00cfg..u...........................@..@.rsrc...s...........................@..@.reloc..C...........................@..B........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\pyexpat.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	201488
Entropy (8bit):	6.375994899027017
Encrypted:	false
SSDEEP:	6144:cAPHiRwroqoLHMpCSNVysh9CV2i6P/1vTg:6wrExSU6PdvTg
MD5:	CF2C3D127F11CB2C026E151956745564
SHA1:	B1C8C432FC737D6F455D8F642A4F79AD95A97BD3
SHA-256:	D3E81017B4A82AE1B85E8CD6B9B7EB04D8817E29E5BC9ECE549AC24C8BB2FF23
SHA-512:	FE3A9C8122FFFF4AF7A51DF39D40DF18E9DB3BC4AED6B161A4BE40A586AC93C1901ACDF64CC5BFFF6975D22073558FC7A37399D016296432057B8150848F636E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1..P.P.P.(t..P...P...P...P...P....P..(.P.P..P....P....P......P....P.Rich.P.........................PE..d.....g.........." ...)..................................................... ............`............................................P... ............................/..........`4..T........................... 3..@............ ...............................text............................... ..`.rdata....... ......................@..@.data.... ..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\python3.dll

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	70416
Entropy (8bit):	6.1258200129869405
Encrypted:	false
SSDEEP:	768:pQEotsskOv6pWVCB4p/uKlZPRQcFIc9qunV0Jku/YFI1Hu1wEBbCpVNyD6VdPxiD:/otssyKcunV8PjZIJy0i7SyWH1
MD5:	16855EBEF31C5B1EBE767F1C617645B3
SHA1:	315521F3A748ABFA35CD4D48E8DD09D0556D989B
SHA-256:	A5C6A329698490A035133433928D04368CE6285BB91A9D074FC285DE4C9A32A4
SHA-512:	C3957B3BD36B10C7AD6EA1FF3BC7BD65CDCEB3E6B4195A25D0649AA0DA179276CE170DA903D77B50A38FC3D5147A45BE32DBCFDBFBF76CC46301199C529ADEA4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%?..a^e.a^e.a^e.).m.`^e.).e.`^e.)..`^e.).g.`^e.Richa^e.........PE..d......g.........." ...)............................................................z.....`.........................................`..................................../..............T............................................................................rdata..............................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\python313.dll

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6083856
Entropy (8bit):	6.126922729922386
Encrypted:	false
SSDEEP:	49152:fXGc3O7T4DKX+vLFMmKYxiAYNBD987KdJlI9HbeX2jrgQcw6Zc4h67mM+XDQ3bLi:Of42zJiwJl/YF7v3vaHDMiEN3Kr
MD5:	B9DE917B925DD246B709BB4233777EFD
SHA1:	775F258D8B530C6EA9F0DD3D1D0B61C1948C25D2
SHA-256:	0C0A66505093B6A4BB3475F716BD3D9552095776F6A124709C13B3F9552C7D99
SHA-512:	F4BF3398F50FDD3AB7E3F02C1F940B4C8B5650ED7AF16C626CCD1B934053BA73A35F96DA03B349C1EB614BB23E0BC6B5CC58B07B7553A5C93C6D23124F324A33
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........s]{v ]{v ]{v M.w!_{v M.. S{v M.u!Y{v M.r!U{v M.s!P{v T.. G{v ..w!V{v ]{w .zv ..{!.{v ..v!\{v ... \{v ..t!\{v Rich]{v ........................PE..d......g.........." ...).:+..T9......J........................................d.....uF]...`...........................................O.....h.P.......d......0].......\../....d..... A3.T.....................I.(....?3.@............P+..............................text....8+......:+................. ..`.rdata....%..P+...%..>+.............@..@.data...$9....P..N....P.............@....pdata.......0]...... U.............@..@PyRuntim.N...._..P....W.............@....rsrc.........d.......[.............@..@.reloc........d.......[.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\select.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30992
Entropy (8bit):	6.554484610649281
Encrypted:	false
SSDEEP:	384:7hhxm9tKLhuoNHfzzlvFy0ZZIJ9GckHQIYiSy1pCQ4HWSJIVE8E9VF0Ny6sC:tCytHf98uZIJ9Gx5YiSyvy2ES
MD5:	20831703486869B470006941B4D996F2
SHA1:	28851DFD43706542CD3EF1B88B5E2749562DFEE0
SHA-256:	78E5994C29D8851F28B5B12D59D742D876683AEA58ECEEA1FB895B2036CDCDEB
SHA-512:	4AAF5D66D2B73F939B9A91E7EDDFEB2CE2476C625586EF227B312230414C064AA850B02A4028363AA4664408C9510594754530A6D026A0A84BE0168D677C1BC4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........tV..'V..'V..'_.j'T..'F:.&T..'F:.&R..'F:.&^..'F:.&Z..'.;.&T..'V..'...'...&S..'.;.&W..'.;.&W..'.;.'W..'.;.&W..'RichV..'................PE..d.....g.........." ...).....2............................................................`..........................................@..L...<A..x....p.......`.......J.../......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data...p....P.......8..............@....pdata.......`.......:..............@..@.rsrc........p.......>..............@..@.reloc..L............H..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\INSTALLER

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\LICENSE

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	11358
Entropy (8bit):	4.4267168336581415
Encrypted:	false
SSDEEP:	192:nU6G5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEn7HbHR:U9vlKM1zJlFvmNz5VrlkTS07Ht
MD5:	3B83EF96387F14655FC854DDC3C6BD57
SHA1:	2B8B815229AA8A61E483FB4BA0588B8B6C491890
SHA-256:	CFC7749B96F63BD31C3C42B5C471BF756814053E847C10F3EB003417BC523D30
SHA-512:	98F6B79B778F7B0A15415BD750C3A8A097D650511CB4EC8115188E115C47053FE700F578895C097051C9BC3DFB6197C2B13A15DE203273E1A3218884F86E90E8
Malicious:	false
Preview:	. Apache License. Version 2.0, January 2004. http://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial own

C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\METADATA

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4648
Entropy (8bit):	5.006900644756252
Encrypted:	false
SSDEEP:	96:Dx2ZSaCSmS8R902Vpnu386eLQ9Ac+fFZpDN00x2jZ2SBXZJSwTE:9Smzf02Vpnu386mQ9B+TP0vJHJSwTE
MD5:	98ABEAACC0E0E4FC385DFF67B607071A
SHA1:	E8C830D8B0942300C7C87B3B8FD15EA1396E07BD
SHA-256:	6A7B90EFFEE1E09D5B484CDF7232016A43E2D9CC9543BCBB8E494B1EC05E1F59
SHA-512:	F1D59046FFA5B0083A5259CEB03219CCDB8CC6AAC6247250CBD83E70F080784391FCC303F7630E1AD40E5CCF5041A57CB9B68ADEFEC1EBC6C31FCF7FFC65E9B7
Malicious:	false
Preview:	Metadata-Version: 2.1.Name: importlib_metadata.Version: 8.0.0.Summary: Read metadata from Python packages.Author-email: "Jason R. Coombs" <jaraco@jaraco.com>.Project-URL: Source, https://github.com/python/importlib_metadata.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: Apache Software License.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Requires-Python: >=3.8.Description-Content-Type: text/x-rst.License-File: LICENSE.Requires-Dist: zipp >=0.5.Requires-Dist: typing-extensions >=3.6.4 ; python_version < "3.8".Provides-Extra: doc.Requires-Dist: sphinx >=3.5 ; extra == 'doc'.Requires-Dist: jaraco.packaging >=9.3 ; extra == 'doc'.Requires-Dist: rst.linker >=1.9 ; extra == 'doc'.Requires-Dist: furo ; extra == 'doc'.Requires-Dist: sphinx-lint ; extra == 'doc'.Requires-Dist: jaraco.tidelift >=1.4 ; extra == 'doc'.Provides-Extra: perf.Requires-D

C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\RECORD

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2518
Entropy (8bit):	5.6307766747793275
Encrypted:	false
SSDEEP:	48:UnuXTg06U5J/Vw9l/gfNX7/XzBk9pvJq/fwJOfYrBfnJ/V0XJnzN/3WJV:bXzP/EgdzzBkDJsoIYrBfJ/CXNz9qV
MD5:	EB513CAFA5226DDA7D54AFDCC9AD8A74
SHA1:	B394C7AEC158350BAF676AE3197BEF4D7158B31C
SHA-256:	0D8D3C6EEB9EBBE86CAC7D60861552433C329DA9EA51248B61D02BE2E5E64030
SHA-512:	A0017CFAFF47FDA6067E3C31775FACEE4728C3220C2D4BD70DEF328BD20AA71A343E39DA15CD6B406F62311894C518DFCF5C8A4AE6F853946F26A4B4E767924E
Malicious:	false
Preview:	importlib_metadata-8.0.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..importlib_metadata-8.0.0.dist-info/LICENSE,sha256=z8d0m5b2O9McPEK1xHG_dWgUBT6EfBDz6wA0F7xSPTA,11358..importlib_metadata-8.0.0.dist-info/METADATA,sha256=anuQ7_7h4J1bSEzfcjIBakPi2cyVQ7y7jklLHsBeH1k,4648..importlib_metadata-8.0.0.dist-info/RECORD,,..importlib_metadata-8.0.0.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..importlib_metadata-8.0.0.dist-info/WHEEL,sha256=mguMlWGMX-VHnMpKOjjQidIo1ssRlCFu4a4mBpz1s2M,91..importlib_metadata-8.0.0.dist-info/top_level.txt,sha256=CO3fD9yylANiXkrMo4qHLV_mqXL2sC5JFKgt1yWAT-A,19..importlib_metadata/__init__.py,sha256=tZNB-23h8Bixi9uCrQqj9Yf0aeC--Josdy3IZRIQeB0,33798..importlib_metadata/__pycache__/__init__.cpython-312.pyc,,..importlib_metadata/__pycache__/_adapters.cpython-312.pyc,,..importlib_metadata/__pycache__/_collections.cpython-312.pyc,,..importlib_metadata/__pycache__/_compat.cpython-312.pyc,,..importlib_metadata/__pycac

C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\WHEEL

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	91
Entropy (8bit):	4.687870576189661
Encrypted:	false
SSDEEP:	3:RtEeXMRYFAVLMvhRRP+tPCCfA5S:RtC1VLMvhjWBBf
MD5:	7D09837492494019EA51F4E97823D79F
SHA1:	7829B4324BB542799494131A270EC3BDAD4DEDEF
SHA-256:	9A0B8C95618C5FE5479CCA4A3A38D089D228D6CB1194216EE1AE26069CF5B363
SHA-512:	A0063220ECDD22C3E735ACFF6DE559ACF3AC4C37B81D37633975A22A28B026F1935CD1957C0FF7D2ECC8B7F83F250310795EECC5273B893FFAB115098F7B9C38
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: setuptools (70.1.1).Root-Is-Purelib: true.Tag: py3-none-any..

C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\top_level.txt

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	19
Entropy (8bit):	3.536886723742169
Encrypted:	false
SSDEEP:	3:JSej0EBERG:50o4G
MD5:	A24465F7850BA59507BF86D89165525C
SHA1:	4E61F9264DE74783B5924249BCFE1B06F178B9AD
SHA-256:	08EDDF0FDCB29403625E4ACCA38A872D5FE6A972F6B02E4914A82DD725804FE0
SHA-512:	ECF1F6B777970F5257BDDD353305447083008CEBD8E5A27C3D1DA9C7BDC3F9BF3ABD6881265906D6D5E11992653185C04A522F4DB5655FF75EEDB766F93D5D48
Malicious:	false
Preview:	importlib_metadata.

C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor\jaraco\text\Lorem ipsum.txt

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	ASCII text, with very long lines (888)
Category:	dropped
Size (bytes):	1335
Entropy (8bit):	4.226823573023539
Encrypted:	false
SSDEEP:	24:FP6Hbz+g9RPZ14bJi04L6GEbX4UQF4UkZQhxI2EIhNyu:9E+i6bJmLm43+Uxxnh0u
MD5:	4CE7501F6608F6CE4011D627979E1AE4
SHA1:	78363672264D9CD3F72D5C1D3665E1657B1A5071
SHA-256:	37FEDCFFBF73C4EB9F058F47677CB33203A436FF9390E4D38A8E01C9DAD28E0B
SHA-512:	A4CDF92725E1D740758DA4DD28DF5D1131F70CEF46946B173FE6956CC0341F019D7C4FECC3C9605F354E1308858721DADA825B4C19F59C5AD1CE01AB84C46B24
Malicious:	false
Preview:	Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum..Curabitur pretium tincidunt lacus. Nulla gravida orci a odio. Nullam varius, turpis et commodo pharetra, est eros bibendum elit, nec luctus magna felis sollicitudin mauris. Integer in mauris eu nibh euismod gravida. Duis ac tellus et risus vulputate vehicula. Donec lobortis risus a elit. Etiam tempor. Ut ullamcorper, ligula eu tempor congue, eros est euismod turpis, id tincidunt sapien risus a quam. Maecenas fermentum consequat mi. Donec fermentum. Pellentesque malesuada nulla a mi. Duis sapien sem, aliquet nec, commodo eget, consequat quis, neque.

C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor\wheel-0.43.0.dist-info\INSTALLER

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txt

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1107
Entropy (8bit):	5.115074330424529
Encrypted:	false
SSDEEP:	24:PWmrRONJHLH0cPP3gtkHw1h39QHOsUv4eOk4/+jvho3nPz:ttONJbbvE/NQHOs5eNS3n7
MD5:	7FFB0DB04527CFE380E4F2726BD05EBF
SHA1:	5B39C45A91A556E5F1599604F1799E4027FA0E60
SHA-256:	30C23618679108F3E8EA1D2A658C7CA417BDFC891C98EF1A89FA4FF0C9828654
SHA-512:	205F284F3A7E8E696C70ED7B856EE98C1671C68893F0952EEC40915A383BC452B99899BDC401F9FE161A1BF9B6E2CEA3BCD90615EEE9173301657A2CE4BAFE14
Malicious:	false
Preview:	MIT License..Copyright (c) 2012 Daniel Holth <dholth@fastmail.fm> and contributors..Permission is hereby granted, free of charge, to any person obtaining a.copy of this software and associated documentation files (the "Software"),.to deal in the Software without restriction, including without limitation.the rights to use, copy, modify, merge, publish, distribute, sublicense,.and/or sell copies of the Software, and to permit persons to whom the.Software is furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included.in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL.THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR.OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERW

C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor\wheel-0.43.0.dist-info\METADATA

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	2153
Entropy (8bit):	5.088249746074878
Encrypted:	false
SSDEEP:	48:DEhpFu5MktjaywDK48d+md+7uT8RfkD1UKd+mOl1Awry:DEhpiMktjayq/7kOfsUzmbYy
MD5:	EBEA27DA14E3F453119DC72D84343E8C
SHA1:	7CEB6DBE498B69ABF4087637C6F500742FF7E2B4
SHA-256:	59BAC22B00A59D3E5608A56B8CF8EFC43831A36B72792EE4389C9CD4669C7841
SHA-512:	A41593939B9325D40CB67FD3F41CD1C9E9978F162487FB469094C41440B5F48016B9A66BE2E6E4A0406D6EEDB25CE4F5A860BA1E3DC924B81F63CEEE3AE31117
Malicious:	false
Preview:	Metadata-Version: 2.1.Name: wheel.Version: 0.43.0.Summary: A built-package format for Python.Keywords: wheel,packaging.Author-email: Daniel Holth <dholth@fastmail.fm>.Maintainer-email: Alex Gr.nholm <alex.gronholm@nextday.fi>.Requires-Python: >=3.8.Description-Content-Type: text/x-rst.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: Topic :: System :: Archiving :: Packaging.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: Programming Language :: Python :: 3.11.Classifier: Programming Language :: Python :: 3.12.Requires-Dist: pytest >= 6.0.0 ; extra == "test".Requires-Dist: setuptools >= 65 ; extra == "test".Project-URL: Changelog, https://wheel.readthedocs.io/en/s

C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor\wheel-0.43.0.dist-info\RECORD

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	4557
Entropy (8bit):	5.714200636114494
Encrypted:	false
SSDEEP:	96:QXVuEmegx01TQIvFCiq9H/H7vp88FxTXiJPkGJP4CWweXQHmnDpMI78IegK5EeZR:QXVxAbYkU4CWweXQHmnDpMeV2BvTRqQF
MD5:	44D352C4997560C7BFB82D9360F5985A
SHA1:	BE58C7B8AB32790384E4E4F20865C4A88414B67A
SHA-256:	783E654742611AF88CD9F00BF01A431A219DB536556E63FF981C7BD673070AC9
SHA-512:	281B1D939A560E6A08D0606E5E8CE15F086B4B45738AB41ED6B5821968DC8D764CD6B25DB6BA562A07018C271ABF17A6BC5A380FAD05696ADF1D11EE2C5749C8
Malicious:	false
Preview:	../../bin/wheel,sha256=cT2EHbrv-J-UyUXu26cDY-0I7RgcruysJeHFanT1Xfo,249..wheel-0.43.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..wheel-0.43.0.dist-info/LICENSE.txt,sha256=MMI2GGeRCPPo6h0qZYx8pBe9_IkcmO8aifpP8MmChlQ,1107..wheel-0.43.0.dist-info/METADATA,sha256=WbrCKwClnT5WCKVrjPjvxDgxo2tyeS7kOJyc1GaceEE,2153..wheel-0.43.0.dist-info/RECORD,,..wheel-0.43.0.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..wheel-0.43.0.dist-info/WHEEL,sha256=EZbGkh7Ie4PoZfRQ8I0ZuP9VklN_TvcZ6DSE5Uar4z4,81..wheel-0.43.0.dist-info/entry_points.txt,sha256=rTY1BbkPHhkGMm4Q3F0pIzJBzW2kMxoG1oriffvGdA0,104..wheel/__init__.py,sha256=D6jhH00eMzbgrXGAeOwVfD5i-lCAMMycuG1L0useDlo,59..wheel/__main__.py,sha256=NkMUnuTCGcOkgY0IBLgBCVC_BGGcWORx2K8jYGS12UE,455..wheel/__pycache__/__init__.cpython-312.pyc,,..wheel/__pycache__/__main__.cpython-312.pyc,,..wheel/__pycache__/_setuptools_logging.cpython-312.pyc,,..wheel/__pycache__/bdist_wheel.cpython-312.pyc,,..wheel/__pycache

C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor\wheel-0.43.0.dist-info\WHEEL

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	81
Entropy (8bit):	4.672346887071811
Encrypted:	false
SSDEEP:	3:RtEeX/QFM+vxP+tPCCfA5I:Rt1Qq2WBB3
MD5:	24019423EA7C0C2DF41C8272A3791E7B
SHA1:	AAE9ECFB44813B68CA525BA7FA0D988615399C86
SHA-256:	1196C6921EC87B83E865F450F08D19B8FF5592537F4EF719E83484E546ABE33E
SHA-512:	09AB8E4DAA9193CFDEE6CF98CCAE9DB0601F3DCD4944D07BF3AE6FA5BCB9DC0DCAFD369DE9A650A38D1B46C758DB0721EBA884446A8A5AD82BB745FD5DB5F9B1
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: flit 3.9.0.Root-Is-Purelib: true.Tag: py3-none-any.

C:\Users\user\AppData\Local\Temp\_MEI39642\setuptools\_vendor\wheel-0.43.0.dist-info\entry_points.txt

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	104
Entropy (8bit):	4.271713330022269
Encrypted:	false
SSDEEP:	3:1SSAnAYgh+MWTMhk6WjrAM5t5ln:1Jb9WTMhk9jUM5t5ln
MD5:	6180E17C30BAE5B30DB371793FCE0085
SHA1:	E3A12C421562A77D90A13D8539A3A0F4D3228359
SHA-256:	AD363505B90F1E1906326E10DC5D29233241CD6DA4331A06D68AE27DFBC6740D
SHA-512:	69EAE7B1E181D7BA1D3E2864D31E1320625A375E76D3B2FBF8856B3B6515936ACE3138D4D442CABDE7576FCFBCBB0DEED054D90B95CFA1C99829DB12A9031E26
Malicious:	false
Preview:	[console_scripts].wheel=wheel.cli:main..[distutils.commands].bdist_wheel=wheel.bdist_wheel:bdist_wheel..

C:\Users\user\AppData\Local\Temp\_MEI39642\sqlite3.dll

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1540368
Entropy (8bit):	6.577233901213655
Encrypted:	false
SSDEEP:	24576:cmKZpHTv4iPI9FDgJNRs++l8GwLXSz4ih5Z5jWbsxuIl40OwumzuLxIhiE:0rJoDgJNRs+U8GwLXSMIZ5jWb0uIl48R
MD5:	7E632F3263D5049B14F5EDC9E7B8D356
SHA1:	92C5B5F96F1CBA82D73A8F013CBAF125CD0898B8
SHA-256:	66771FBD64E2D3B8514DD0CD319A04CA86CE2926A70F7482DDEC64049E21BE38
SHA-512:	CA1CC67D3EB63BCA3CE59EF34BECCE48042D7F93B807FFCD4155E4C4997DC8B39919AE52AB4E5897AE4DBCB47592C4086FAC690092CAA7AA8D3061FBA7FE04A2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......gsX.#.6.#.6.#.6.*j../.6.3.7.!.6.3.5.'.6.3.2.+.6.3.3...6.hj7. .6.#.7...6.k.>.".6.k.6.".6.k..".6.k.4.".6.Rich#.6.........................PE..d.....g.........." ...).0...(.......................................................P....`..............................................#...........`...............R.../...p..X...0...T..............................@............@..X............................text...9........0.................. ..`.rdata..,....@.......4..............@..@.data...`M...0...D..................@....pdata...............\..............@..@.rsrc........`.......8..............@..@.reloc..X....p.......B..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI39642\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	709904
Entropy (8bit):	5.861739047785334
Encrypted:	false
SSDEEP:	12288:FYGdLI/X77mvfldCKGihH32W3cnPSqrUgLIe:FYGW7qNxr3cnPXLIe
MD5:	0902D299A2A487A7B0C2D75862B13640
SHA1:	04BCBD5A11861A03A0D323A8050A677C3A88BE13
SHA-256:	2693C7EE4FBA55DC548F641C0CB94485D0E18596FFEF16541BD43A5104C28B20
SHA-512:	8CBEF5A9F2D24DA1014F8F1CCBDDD997A084A0B04DD56BCB6AC38DDB636D05EF7E4EA7F67A085363AAD3F43D45413914E55BDEF14A662E80BE955E6DFC2FECA3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Q.............(.....(.....(.....(.....)................).....).....)x....)....Rich..................PE..d.....g.........." ...).B...f......P,..............................................<.....`.........................................P...X................................/..........p...T...........................0...@............`..h............................text....@.......B.................. ..`.rdata...?...`...@...F..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_ARC4.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	4.640339306680604
Encrypted:	false
SSDEEP:	192:dLklddyTHThob0q/tJRrlDfNYSOcqgYCWt:ZgcdZq/JJD6gRWt
MD5:	BCD8CAAF9342AB891BB1D8DD45EF0098
SHA1:	EE7760BA0FF2548F25D764F000EFBB1332BE6D3E
SHA-256:	78725D2F55B7400A3FCAFECD35AF7AEB253FBC0FFCDF1903016EB0AABD1B4E50
SHA-512:	8B6FB53AECB514769985EBFDAB1B3C739024597D9C35905E04971D5422256546F7F169BF98F9BAF7D9F42A61CFF3EE7A20664989D3000773BF5EDA10CB3A0C24
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^J.6?$.6?$.6?$.?G..2?$.dJ%.4?$.}G%.5?$.6?%..?$.dJ!.<?$.dJ .>?$.dJ'.5?$..J,.7?$..J$.7?$..J..7?$..J&.7?$.Rich6?$.........................PE..d...Y..f.........." ................P........................................p............`..........................................'......0(..d....P.......@...............`..(....!...............................!..8............ ...............................text............................... ..`.rdata..Z.... ......................@..@.data...H....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......(..............@..@.reloc..(....`.......*..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_Salsa20.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.0194545642425075
Encrypted:	false
SSDEEP:	192:4t/1nCuqaL0kt7AznuRmceS4lDFhAlcqgcLg:F/k1ACln4lDogcLg
MD5:	F19CB847E567A31FAB97435536C7B783
SHA1:	4C8BFE404AF28C1781740E7767619A5E2D2FF2B7
SHA-256:	1ECE1DC94471D6977DBE2CEEBA3764ADF0625E2203D6257F7C781C619D2A3DAD
SHA-512:	382DC205F703FC3E1F072F17F58E321E1A65B86BE7D9D6B07F24A02A156308A7FEC9B1A621BA1F3428FD6BB413D14AE9ECB2A2C8DD62A7659776CFFDEBB6374C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.j.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...Z..f.........." ................P.....................................................`..........................................8......H9..d....`.......P..L............p..(....1...............................1..8............0...............................text...h........................... ..`.rdata..r....0......................@..@.data...H....@.......,..............@....pdata..L....P......................@..@.rsrc........`.......2..............@..@.reloc..(....p.......4..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_chacha20.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.037456384995606
Encrypted:	false
SSDEEP:	192:st/1nCuqaL0ktPMn1ENe3erKr5br0YbsiDw6a9lkOcqgRGd:p/kpMIodrXbsiDS95gRGd
MD5:	DC14677EA8A8C933CC41F9CCF2BEDDC1
SHA1:	A6FB87E8F3540743097A467ABE0723247FDAF469
SHA-256:	68F081E96AE08617CF111B21EDED35C1774A5EF1223DF9A161C9445A78F25C73
SHA-512:	3ABA4CFCBBE4B350AB3230D488BD75186427E3AAAF38D19E0E1C7330F16795AD77FB6E26FF39AF29EAF4F5E8C42118CB680F90AFBFCA218AEDA64DC444675BA2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.j.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...Z..f.........." ................P.....................................................`......................................... 8.......8..d....`.......P..d............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......*..............@....pdata..d....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..(....p.......2..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_pkcs1_decode.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.09191874780435
Encrypted:	false
SSDEEP:	192:rMVsiXeqVb0lIb0Pj5Jdfpm68WZDInU282tacqgYLg:rM7ali0Pj5JxCaDuUlgYLg
MD5:	C09BB8A30F0F733C81C5C5A3DAD8D76D
SHA1:	46FD3BA87A32D12F4EE14601D1AD73B78EDC81D1
SHA-256:	8A1B751DB47CE7B1D3BD10BEBFFC7442BE4CFB398E96E3B1FF7FB83C88A8953D
SHA-512:	691AC74FAE930E9CEABE782567EFB99C50DD9B8AD607DD7F99A5C7DF2FA2BEB7EDFE2EBB7095A72DA0AE24E688FBABD340EAE8B646D5B8C394FEE8DDD5E60D31
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^:.6?T.6?T.6?T.?G..2?T.dJU.4?T.}GU.5?T.6?U..?T.dJQ.<?T.dJP.>?T.dJW.5?T..J\.7?T..JT.7?T..J..7?T..JV.7?T.Rich6?T.........................PE..d...X..f.........." ................P.....................................................`.........................................`8.......8..d....`.......P..(............p..(....1...............................1..8............0...............................text............................... ..`.rdata..6....0....... ..............@..@.data...x....@......................@....pdata..(....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..(....p.......6..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_aes.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	6.541423493519083
Encrypted:	false
SSDEEP:	384:f/UlZA5PUEllvxL/7v/iKBt5ByU0xGitqzSEkxGG7+tpKHb/LZ7fr52EkifcMxme:klcR7JriEbwDaS4j990th9VDBV
MD5:	0AB25F99CDAACA6B11F2ECBE8223CAD5
SHA1:	7A881B3F84EF39D97A31283DE6D7B7AE85C8BAE6
SHA-256:	6CE8A60D1AB5ADC186E23E3DE864D7ADF6BDD37E3B0C591FA910763C5C26AF60
SHA-512:	11E89EEF34398DF3B144A0303E08B3A4CAF41A9A8CA618C18135F561731F285F8CF821D81179C2C45F6EEB0E496D9DD3ECF6FF202A3C453C80AFEF8582D06C17
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^J.6?$.6?$.6?$.?G..2?$.dJ%.4?$.}G%.5?$.6?%..?$.dJ!.<?$.dJ .>?$.dJ'.5?$..J,.7?$..J$.7?$..J..7?$..J&.7?$.Rich6?$.........................PE..d...V..f.........." .....H...H......P.....................................................`.........................................p...........d...............................0......................................8............`...............................text...xG.......H.................. ..`.rdata.."6...`...8...L..............@..@.data...H...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..0...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_aesni.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.367749645917753
Encrypted:	false
SSDEEP:	192:YiJBj5fq/Rk0kPLhOZ3UucCWuSKPEkA2bD9JXx03cqg5YUMLgs:/k1kTMZEjCWNaA2DTx0g5YUMLg
MD5:	B6EA675C3A35CD6400A7ECF2FB9530D1
SHA1:	0E41751AA48108D7924B0A70A86031DDE799D7D6
SHA-256:	76EF4C1759B5553550AB652B84F8E158BA8F34F29FD090393815F06A1C1DC59D
SHA-512:	E31FD33E1ED6D4DA3957320250282CFD9EB3A64F12DE4BD2DFE3410F66725164D96B27CAA34C501D1A535A5A2442D5F070650FD3014B4B92624EE00F1C3F3197
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.z.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...V..f.........." ......... ......P.....................................................`..........................................9......$:..d....`.......P...............p..(....1...............................1..8............0.. ............................text............................... ..`.rdata.......0......."..............@..@.data...8....@.......2..............@....pdata.......P.......4..............@..@.rsrc........`.......8..............@..@.reloc..(....p.......:..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_arc2.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	5.41148259289073
Encrypted:	false
SSDEEP:	192:w3d9FkHaz0EJvrj+CYuz7ucc9dG7otDr22KcqgOiewZjW:YkHEJzj+X6769lDzagO/w
MD5:	F14E1AA2590D621BE8C10321B2C43132
SHA1:	FD84D11619DFFDF82C563E45B48F82099D9E3130
SHA-256:	FCE70B3DAFB39C6A4DB85D2D662CB9EB9C4861AA648AD7436E7F65663345D177
SHA-512:	A86B9DF163007277D26F2F732ECAB9DBCA8E860F8B5809784F46702D4CEA198824FDEF6AB98BA7DDC281E8791C10EABA002ABDA6F975323B36D5967E0443C1E4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...W..f.........." ....."... ......P.....................................................`.........................................pI.......J..d....p.......`..................(....B...............................B..8............@...............................text...( .......".................. ..`.rdata..<....@.......&..............@..@.data...H....P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..(............>..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_blowfish.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20992
Entropy (8bit):	6.041302713678401
Encrypted:	false
SSDEEP:	384:kUX0JfbRz5MLZA0nmwzMDYpJgLa0Mp8NDBcxgprAM:6NbRzWXwDqgLa1uBfP
MD5:	B127CAE435AEB8A2A37D2A1BC1C27282
SHA1:	2A7BF8BF7F24B2381370BA6B41FB640EE42BDCCD
SHA-256:	538B1253B5929254ED92129FA0957DB26CDDF34A8372BA0BF19D20D01549ADA3
SHA-512:	4FE027E46D5132CA63973C67BD5394F2AC74DD4BBCFE93CB16136FAB4B6BF67BECB5A0D4CA359FF9426DA63CA81F793BBF1B79C8A9D8372C53DCB5796D17367E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...W..f.........." .....$...0......P.....................................................`.........................................0Y.......Y..d............p..................0....Q...............................R..8............@...............................text....".......$.................. ..`.rdata.......@... ...(..............@..@.data...H....`.......H..............@....pdata.......p.......J..............@..@.rsrc................N..............@..@.reloc..0............P..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_cast.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	6.530656045206549
Encrypted:	false
SSDEEP:	384:cEDwUBi9SPu71omZXmrfXA+UA10ol31tuXVYdAgYj:FsUBXmoEXmrXA+NNxWFYfo
MD5:	2E15AA6F97ED618A3236CFA920988142
SHA1:	A9D556D54519D3E91FA19A936ED291A33C0D1141
SHA-256:	516C5EA47A7B9A166F2226ECBA79075F1A35EFFF14D87E00006B34496173BB78
SHA-512:	A6C75C4A285753CC94E45500E8DD6B6C7574FB7F610FF65667F1BEC8D8B413FC10514B7D62F196C2B8D017C308C5E19E2AEF918021FA81D0CB3D8CED37D8549A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.j.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...W..f.........." .....$...>............................................................`..........................................h.......i..d...............................0....a...............................a..8............@...............................text....#.......$.................. ..`.rdata..:-...@.......(..............@..@.data...H....p.......V..............@....pdata...............X..............@..@.rsrc................\..............@..@.reloc..0............^..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_cbc.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.7080156150187396
Encrypted:	false
SSDEEP:	192:lF/1n7Guqaj0ktfEJwX1fYwCODR3lncqg0Gd6l:RGXkJEm1feODxDg0Gd6
MD5:	40390F2113DC2A9D6CFAE7127F6BA329
SHA1:	9C886C33A20B3F76B37AA9B10A6954F3C8981772
SHA-256:	6BA9C910F755885E4D356C798A4DD32D2803EA4CFABB3D56165B3017D0491AE2
SHA-512:	617B963816838D649C212C5021D7D0C58839A85D4D33BBAF72C0EC6ECD98B609080E9E57AF06FA558FF302660619BE57CC974282826AB9F21AE0D80FBAA831A1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...X..f.........." ................P.....................................................`..........................................8.......8..d....`.......P..X............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..(....p......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_cfb.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	5.159963979391524
Encrypted:	false
SSDEEP:	192:kblRgfeqfz0RP767fB4A84DgVD6eDcqgzbkLgmf:BwRj67p84Dg6eVgzbkLgmf
MD5:	899895C0ED6830C4C9A3328CC7DF95B6
SHA1:	C02F14EBDA8B631195068266BA20E03210ABEABC
SHA-256:	18D568C7BE3E04F4E6026D12B09B1FA3FAE50FF29AC3DEAF861F3C181653E691
SHA-512:	0B4C50E40AF92BC9589668E13DF417244274F46F5A66E1FC7D1D59BC281969BA319305BECEA119385F01CC4603439E4B37AFA2CF90645425210848A02839E3E7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^..6?..6?..6?..?G..2?..dJ..4?..}G..5?..6?...?..dJ..<?..dJ..>?..dJ..5?...J..7?...J..7?...Jk.7?...J..7?..Rich6?..................PE..d...Y..f.........." ................P.....................................................`..........................................8......x9..d....`.......P..d............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......(..............@....pdata..d....P.......*..............@..@.rsrc........`......................@..@.reloc..(....p.......0..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_ctr.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.270418334522813
Encrypted:	false
SSDEEP:	192:vktJ1gifqQGRk0IP73AdXdmEEEEEm9uhiFEQayDZVMcqgnF6+6Lg:vkdU1ID3AdXd49urQPDggnUjLg
MD5:	C4C525B081F8A0927091178F5F2EE103
SHA1:	A1F17B5EA430ADE174D02ECC0B3CB79DBF619900
SHA-256:	4D86A90B2E20CDE099D6122C49A72BAE081F60EB2EEA0F76E740BE6C41DA6749
SHA-512:	7C06E3E6261427BC6E654B2B53518C7EAA5F860A47AE8E80DC3F8F0FED91E122CB2D4632188DC44123FB759749B5425F426CD1153A8F84485EF0491002B26555
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^z.6?..6?..6?..?G..2?..dJ..4?..}G..5?..6?...?..dJ..<?..dJ..>?..dJ..5?...J..7?...J..7?...J..7?...J..7?..Rich6?..........................PE..d...Y..f.........." ......... ......P.....................................................`.........................................`9.......:..d....`.......P...............p..(....1...............................1..8............0.. ............................text............................... ..`.rdata.......0....... ..............@..@.data........@.......0..............@....pdata.......P.......2..............@..@.rsrc........`.......6..............@..@.reloc..(....p.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_des.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	56832
Entropy (8bit):	4.231032526864278
Encrypted:	false
SSDEEP:	384:0qcmHBeNL1dO/qHkpnYcZiGKdZHDLY84vnKAnK2rZA21agVF:fEiqHHx4vZDV
MD5:	F9E266F763175B8F6FD4154275F8E2F0
SHA1:	8BE457700D58356BC2FA7390940611709A0E5473
SHA-256:	14D2799BE604CBDC668FDE8834A896EEE69DAE0E0D43B37289FCCBA35CEF29EC
SHA-512:	EB3E37A3C3FF8A65DEF6FA20941C8672A8197A41977E35AE2DC6551B5587B84C2703758320559F2C93C0531AD5C9D0F6C36EC5037669DC5CE78EB3367D89877B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........PK..1%..1%..1%..I...1%.D$..1%.I$..1%..1$..1%.D ..1%.D!..1%.D&..1%..D-..1%..D%..1%..D...1%..D'..1%.Rich.1%.........................PE..d...X..f.........." .....6...................................................0............`.................................................\...d...............l............ ..0... ...............................@...8............P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...H...........................@....pdata..l...........................@..@.rsrc...............................@..@.reloc..0.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_des3.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	4.252429732285762
Encrypted:	false
SSDEEP:	384:J4cmHBeIzNweVy/CHkRnYcZiGKdZHDLq80vnKAnKBrZGsURygUX:GEO6CHnX0vZb7
MD5:	DECF524B2D53FCD7D4FA726F00B3E5FC
SHA1:	E87C6ED4004F2772B888C5B5758AA75FE99D2F6F
SHA-256:	58F7053EE70467D3384C73F299C0DFD63EEF9744D61D1980D9D2518974CA92D4
SHA-512:	EAFF4FD80843743E61CE635FBADF4E5D9CF2C3E97F3C48350BD9E755F4423AC6867F9FE8746BD5C54E1402B18E8A55AEEF7ACA098C7CF4186DC4C1235EB35DF2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........PK..1%..1%..1%..I...1%.D$..1%.I$..1%..1$..1%.D ..1%.D!..1%.D&..1%..D-..1%..D%..1%..D...1%..D'..1%.Rich.1%.........................PE..d...X..f.........." .....8...................................................0............`.....................................................d............................ ..0... ...............................@...8............P...............................text...X7.......8.................. ..`.rdata......P.......<..............@..@.data...H...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..0.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_ecb.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.690163963718492
Encrypted:	false
SSDEEP:	192:Yddz2KTnThIz0qfteRY4zp+D3PLui8p1cqgHCWt:k2E9RqfCXp+D3juRpLgiWt
MD5:	80BB1E0E06ACAF03A0B1D4EF30D14BE7
SHA1:	B20CAC0D2F3CD803D98A2E8A25FBF65884B0B619
SHA-256:	5D1C2C60C4E571B88F27D4AE7D22494BED57D5EC91939E5716AFA3EA7F6871F6
SHA-512:	2A13AB6715B818AD62267AB51E55CD54714AEBF21EC9EA61C2AEFD56017DC84A6B360D024F8682A2E105582B9C5FE892ECEBD2BEF8A492279B19FFD84BC83FA5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@................../....../...../......+.......*......-......&....................,....Rich...........................PE..d...X..f.........." ................P........................................p............`.........................................0'.......'..P....P.......@...............`..(....!...............................!..8............ ...............................text............................... ..`.rdata....... ......................@..@.data...H....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..(....`.......&..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_eksblowfish.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	6.1215844022564285
Encrypted:	false
SSDEEP:	384:nUX0JfbRwUtPMbNv37t6K5jwbDEpJgLa0Mp8xCkgJrAm:jNbRw8EbxwKBwbD+gLa1nh
MD5:	3727271FE04ECB6D5E49E936095E95BC
SHA1:	46182698689A849A8C210A8BF571D5F574C6F5B1
SHA-256:	3AF5B35DCD5A3B6C7E88CEE53F355AAFFF40F2C21DABD4DE27DBB57D1A29B63B
SHA-512:	5BED1F4DF678FE90B8E3F1B7C4F68198463E579209B079CB4A40DCAC01CE26AA2417DBE029B196F6F2C6AFAD560E2D1AF9F089ABE37EAD121CA10EE69D9659ED
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...W..f.........." .....(...0......P.....................................................`.........................................0Y.......Y..d............p..................0....Q...............................R..8............@...............................text...H'.......(.................. ..`.rdata.......@... ...,..............@..@.data...H....`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..0............T..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_ocb.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	5.293810509074883
Encrypted:	false
SSDEEP:	384:4PHoDUntQjNB+/yw/pogeXOvXoTezczOo3p9iJgDQ3iNgnVbwhA:dUOhBcDRogeXOfoTezcio3pUJgDQ3i+
MD5:	78AEF441C9152A17DD4DC40C7CC9DF69
SHA1:	6BB6F8426AFA6522E647DFC82B1B64FAF3A9781F
SHA-256:	56E4E4B156295F1AAA22ECB5481841DE2A9EB84845A16E12A7C18C7C3B05B707
SHA-512:	27B27E77BE81B29D42359FE28531225383860BCD19A79044090C4EA58D9F98009A254BF63585979C60B3134D47B8233941ABB354A291F23C8641A4961FA33107
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...Y..f.........." .....(... ......P.....................................................`.........................................pI......lJ..d....p.......`..................(....A...............................A..8............@...............................text....'.......(.................. ..`.rdata.......@.......,..............@..@.data........P.......<..............@....pdata.......`.......>..............@..@.rsrc........p.......B..............@..@.reloc..(............D..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Cipher\_raw_ofb.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	4.862619033406922
Encrypted:	false
SSDEEP:	96:0Ga+F/1NtJ9t4udqaj01rlALnNNJSS2sP+YEdMN+F9FdKaWDULk+VOmWbucX6gR7:PF/1n7Guqaj0ktfEON+bMDUlJcqg0Gd
MD5:	19E0ABF76B274C12FF624A16713F4999
SHA1:	A4B370F556B925F7126BF87F70263D1705C3A0DB
SHA-256:	D9FDA05AE16C5387AB46DC728C6EDCE6A3D0A9E1ABDD7ACB8B32FC2A17BE6F13
SHA-512:	D03033EA5CF37641FBD802EBEB5019CAEF33C9A78E01519FEA88F87E773DCA92C80B74BA80429B530694DAD0BFA3F043A7104234C7C961E18D48019D90277C8E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...Y..f.........." ................P.....................................................`..........................................8.......8..d....`.......P..X............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......$..............@....pdata..X....P.......&..............@..@.rsrc........`.......*..............@..@.reloc..(....p.......,..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_BLAKE2b.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.227045547076371
Encrypted:	false
SSDEEP:	192:saF/1n7Guqaj0ktrE8o2o+V2rQnjt1wmg9jtveDn4clG6VcqgOvgdd:swGXkFE8Zo+AojO9jZeDf5rgOvgz
MD5:	309D6F6B0DD022EBD9214F445CAC7BB9
SHA1:	ABD22690B7AD77782CFC0D2393D0C038E16070B0
SHA-256:	4FBE188C20FB578D4B66349D50AA6FFE4AB86844FB6427C57738F36780D1E2E2
SHA-512:	D1951FE92F83E7774E8E877815BED6E6216D56EF18B7F1C369D678CB6E1814243659E9FA7ABC0D22FB5B34A9D50A51D5A89BA00AE1FDD32157FD0FF9902FB4B7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...U..f.........." ................P.....................................................`..........................................8.......9..d....`.......P..@............p..(....2...............................2..8............0...............................text...x........................... ..`.rdata.......0....... ..............@..@.data...H....@......................@....pdata..@....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..(....p.......6..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_BLAKE2s.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.176369829782773
Encrypted:	false
SSDEEP:	192:rF/1n7Guqaj0ktrESsrUW+SBjsK5tcQmEreD2mf1AoxkVcqgOvgXQ:rGXkFE/UW575tA2eDp1Ao2rgOvgX
MD5:	D54FEB9A270B212B0CCB1937C660678A
SHA1:	224259E5B684C7AC8D79464E51503D302390C5C9
SHA-256:	032B83F1003A796465255D9B246050A196488BAC1260F628913E536314AFDED4
SHA-512:	29955A6569CA6D039B35BB40C56AEEB75FC765600525D0B469F72C97945970A428951BAB4AF9CD21B3161D5BBA932F853778E2674CA83B14F7ABA009FA53566F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...U..f.........." ................P.....................................................`..........................................8.......9..d....`.......P..@............p..(....2...............................2..8............0...............................text...h........................... ..`.rdata.......0......................@..@.data...H....@.......,..............@....pdata..@....P......................@..@.rsrc........`.......2..............@..@.reloc..(....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_MD2.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.047563322651927
Encrypted:	false
SSDEEP:	384:6alCvH32p3/2pnEhKnLg9yH8puzoFaPERIQAvHD9CIg5kP:5CvHmp3OpnEhmLg9yH8puzoFaPERIQgI
MD5:	52DCD4151A9177CF685BE4DF48EA9606
SHA1:	F444A4A5CBAE9422B408420115F0D3FF973C9705
SHA-256:	D54375DC0652358A6E4E744F1A0EAEEAD87ACCD391A20D6FF324FE14E988A122
SHA-512:	64C54B89F2637759309ECC6655831C3A6755924ED70CBC51614061542EB9BA9A8AECF6951EB3AB92447247DC4D7D846C88F4957DBBE4484A9AB934343EE27178
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...Q..f.........." ......... ......P.....................................................`.........................................@9.......9..d....`.......P..(............p..(....2...............................2..8............0...............................text...X........................... ..`.rdata..@....0......................@..@.data...x....@......................@....pdata..(....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..(....p.......6..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_MD4.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.09893680790018
Encrypted:	false
SSDEEP:	192:xsiXeqVb0lwbH4P01sAD7I/9hAkwDWzBEbcqgqLg:valqH4M1sAD7KvpwDFtgqLg
MD5:	F929B1A3997427191E07CF52AC883054
SHA1:	C5EA5B68586C2FB09E5FDD20D4DD616D06F5CBA6
SHA-256:	5386908173074FABD95BF269A9DF0A4E1B21C0576923186F449ABF4A820F6A8E
SHA-512:	2C79DBCE2C21214D979AB86DD989D41A3AFA7FCB7F3B79BA9974E2EE8F832DD7CA20C1C87C0C380DB037D776FE6D0851D60AD55A08AFDE0003B7E59214DD2F3B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...R..f.........." ................P.....................................................`.........................................08.......8..d....`.......P..(............p..(....1...............................2..8............0...............................text............................... ..`.rdata..0....0......................@..@.data........@.......,..............@....pdata..(....P......................@..@.rsrc........`.......2..............@..@.reloc..(....p.......4..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_MD5.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.451865349855574
Encrypted:	false
SSDEEP:	384:KfwogDHER1wuiDSyoGTgDZOviNgEPrLg:ugDHELwuiDScTgDwi+EP
MD5:	1FA5E257A85D16E916E9C22984412871
SHA1:	1AC8EE98AD0A715A1B40AD25D2E8007CDC19871F
SHA-256:	D87A9B7CAD4C451D916B399B19298DC46AAACC085833C0793092641C00334B8E
SHA-512:	E4205355B647C6E28B7E4722328F51DC2EB3A109E9D9B90F7C53D7A80A5A4B10E40ABDDAB1BA151E73EF3EB56941F843535663F42DCE264830E6E17BB659EADF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...R..f.........." ..... ..........P.....................................................`..........................................8......`9..d....`.......P..X............p..(....1...............................1..8............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........@.......2..............@....pdata..X....P.......4..............@..@.rsrc........`.......8..............@..@.reloc..(....p.......:..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_RIPEMD160.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.104245335186531
Encrypted:	false
SSDEEP:	192:3F/1n7Guqaj0kt7/Ev9kt0Qwac6QzD8iD0QocqgI4G0S:nGXkd/EvGt9wacNDvAgI4v
MD5:	FAD578A026F280C1AE6F787B1FA30129
SHA1:	9A3E93818A104314E172A304C3D117B6A66BEB55
SHA-256:	74A1FF0801F4704158684267CD8E123F83FB6334FE522C1890AC4A0926F80AB1
SHA-512:	ACF8F5B382F3B4C07386505BBDCAF625D13BCC10AA93ED641833E3548261B0AD1063E2F59BE2FCD2AFAF3D315CB3FC5EB629CEFC168B33CFD65A3A6F1120F7FF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...U..f.........." ......... ......P.....................................................`..........................................9.......:..d....`.......P...............p..(...@3..............................`3..8............0...............................text...H........................... ..`.rdata.......0......................@..@.data...H....@.......,..............@....pdata.......P......................@..@.rsrc........`.......2..............@..@.reloc..(....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_SHA1.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	5.671305741258107
Encrypted:	false
SSDEEP:	384:APHoDUntQj0sKhDOJ+0QPSfu6rofDjiZzgE+kbwb:VUOYsKNO466DjoUE+
MD5:	556E6D0E5F8E4DA74C2780481105D543
SHA1:	7A49CDEF738E9FE9CD6CD62B0F74EAD1A1774A33
SHA-256:	247B0885CF83375211861F37B6DD1376AED5131D621EE0137A60FE7910E40F8B
SHA-512:	28FA0CE6BDBCC5E95B80AADC284C12658EF0C2BE63421AF5627776A55050EE0EA0345E30A15B744FC2B2F5B1B1BBB61E4881F27F6E3E863EBAAEED1073F4CDA1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h..9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...R..f.........." ...............P.....................................................`..........................................H......hI..d....p.......`..X...............(....A...............................A..8............@...............................text....).......*.................. ..`.rdata.......@......................@..@.data........P.......<..............@....pdata..X....`.......>..............@..@.rsrc........p.......B..............@..@.reloc..(............D..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_SHA224.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	5.878701941774916
Encrypted:	false
SSDEEP:	384:EJWo4IRCGHX1KXqHGcvYHp5RYcARQOj4MSTjqgPmJD1OhgkxEv:EcIRnHX1P/YtswvaD1Rk
MD5:	2F2655A7BBFE08D43013EDDA27E77904
SHA1:	33D51B6C423E094BE3E34E5621E175329A0C0914
SHA-256:	C734ABBD95EC120CB315C43021C0E1EB1BF2295AF9F1C24587334C3FCE4A5BE1
SHA-512:	8AF99ACC969B0E560022F75A0CDCAA85D0BDEADADEACD59DD0C4500F94A5843EA0D4107789C1A613181B1F4E5252134A485EF6B1D9D83CDB5676C5FEE4D49B90
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...S..f.........." .....6... ......P.....................................................`.........................................@Z......([..d............p..................(....R...............................R..8............P...............................text....5.......6.................. ..`.rdata..x....P.......:..............@..@.data........`.......J..............@....pdata.......p.......L..............@..@.rsrc................P..............@..@.reloc..(............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_SHA256.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	5.881781476285865
Encrypted:	false
SSDEEP:	384:EJWo4IRCGHXfKXqHGcvYHp5RYcARQOj4MSTjqgPmJD12gkxEv:EcIRnHXfP/YtswvaD1zk
MD5:	CDE035B8AB3D046B1CE37EEE7EE91FA0
SHA1:	4298B62ED67C8D4F731D1B33E68D7DC9A58487FF
SHA-256:	16BEA322D994A553B293A724B57293D57DA62BC7EAF41F287956B306C13FD972
SHA-512:	C44FDEE5A210459CE4557351E56B2D357FD4937F8EC8EACEAB842FEE29761F66C2262FCBAAC837F39C859C67FA0E23D13E0F60B3AE59BE29EB9D8ABAB0A572BB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...S..f.........." .....6... ......P.....................................................`.........................................@Z......([..d............p..................(....R...............................R..8............P...............................text....5.......6.................. ..`.rdata..x....P.......:..............@..@.data........`.......J..............@....pdata.......p.......L..............@..@.rsrc................P..............@..@.reloc..(............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_SHA384.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26624
Entropy (8bit):	5.837887867708438
Encrypted:	false
SSDEEP:	768:e839Cc4itui0gel9soFdkO66MlPGXmXcyYDTzks:Ns4u/FZ6nPxMLDvk
MD5:	999D431197D7E06A30E0810F1F910B9A
SHA1:	9BFF781221BCFFD8E55485A08627EC2A37363C96
SHA-256:	AB242B9C9FB662C6F7CB57F7648F33983D6FA3BB0683C5D4329EC2CC51E8C875
SHA-512:	A5DD92DD471ADB44EEFE5919EF9CA3978724E21174DF5B3A9C1F0AB462F928E5A46A460D02417DB7522F5DE3BFEED5EEE6B1EAFAF3E621722E85E72675F7096F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...T..f.........." .....H..."......P.....................................................`..........................................k.......l..d...............................(...pd...............................d..8............`...............................text....F.......H.................. ..`.rdata.......`.......L..............@..@.data................^..............@....pdata...............`..............@..@.rsrc................d..............@..@.reloc..(............f..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_SHA512.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26624
Entropy (8bit):	5.895310340516013
Encrypted:	false
SSDEEP:	768:lcX9Nf4ttui0gel9soFdkO66MlPGXmXc/vDTOvk:a38u/FZ6nPxM3DAk
MD5:	0931ABBF3AED459B1A2138B551B1D3BB
SHA1:	9EC0296DDAF574A89766A2EC035FC30073863AB0
SHA-256:	1729A0DC6B80CB7A3C07372B98B10D3C6C613EA645240878E1FDE6A992FA06F1
SHA-512:	9F970BB4D10B94F525DDDDE307C7DA5E672BBFB3A3866A34B89B56ADA99476724FD690A4396857182749294F67F36DB471A048789FB715D2A7DAF46917FC1947
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...T..f.........." .....H..."......P.....................................................`.........................................@l......(m..d...............................(....d...............................e..8............`...............................text...hG.......H.................. ..`.rdata..x....`.......L..............@..@.data................^..............@....pdata...............`..............@..@.rsrc................d..............@..@.reloc..(............f..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_ghash_clmul.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	4.967737129255606
Encrypted:	false
SSDEEP:	192:dMpWt/1nCuqaL0kt7TsEx2fiTgDZqGF0T7cqgkLgJ:k/k1Ts64DDJyBgkLg
MD5:	5F057A380BACBA4EF59C0611549C0E02
SHA1:	4B758D18372D71F0AA38075F073722A55B897F71
SHA-256:	BCB14DAC6C87C24269D3E60C46B49EFFB1360F714C353318F5BBAA48C79EC290
SHA-512:	E1C99E224745B86EE55822C1DBCB4555A11EC31B72D87B46514917EB61E0258A1C6D38C4F592969C17EB4F0F74DA04BCECA31CF1622720E95F0F20E9631792E8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^J.6?$.6?$.6?$.?G..2?$.dJ%.4?$.}G%.5?$.6?%..?$.dJ!.<?$.dJ .>?$.dJ'.5?$..J,.7?$..J$.7?$..J..7?$..J&.7?$.Rich6?$.........................PE..d...V..f.........." ................P.....................................................`.........................................P8.......8..d....`.......P...............p..(....1...............................1..8............0...............................text............................... ..`.rdata..2....0......................@..@.data...H....@.......(..............@....pdata.......P.......*..............@..@.rsrc........`......................@..@.reloc..(....p.......0..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_ghash_portable.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.007867576025166
Encrypted:	false
SSDEEP:	192:bMt/1nCuqaL0ktPH0T7fwtF4zDn2rGacqgRGd:1/kpU3Yv4zDXqgRGd
MD5:	49BCA1B7DF076D1A550EE1B7ED3BD997
SHA1:	47609C7102F5B1BCA16C6BAD4AE22CE0B8AEE9E9
SHA-256:	49E15461DCB76690139E71E9359F7FCF92269DCCA78E3BFE9ACB90C6271080B2
SHA-512:	8574D7FA133B72A4A8D1D7D9FDB61053BC88C2D238B7AC7D519BE19972B658C44EA1DE433885E3206927C75DD5D1028F74999E048AB73189585B87630F865466
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.j.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...V..f.........." ................P.....................................................`..........................................8.......8..d....`.......P..X............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......*..............@....pdata..X....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..(....p.......2..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_keccak.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	5.226023387740053
Encrypted:	false
SSDEEP:	384:rfRKTN+HLjRskTdf4WazSTkwjEvuY2bylHDiYIgovg:mcHfRl5pauoSjy5DiE
MD5:	CB5CFDD4241060E99118DEEC6C931CCC
SHA1:	1E7FED96CF26C9F4730A4621CA9D18CECE3E0BCE
SHA-256:	A8F809B6A417AF99B75EEEEA3ECD16BDA153CBDA4FFAB6E35CE1E8C884D899C4
SHA-512:	8A89E3563C14B81353D251F9F019D8CBF07CB98F78452B8522413C7478A0D77B9ABF2134E4438145D6363CDA39721D2BAE8AD13D1CDACCBB5026619D95F931CF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...U..f.........." ..... ... ......P.....................................................`..........................................9.......9..d....`.......P..X............p..(...p2...............................2..8............0...............................text............ .................. ..`.rdata..@....0.......$..............@..@.data........@.......4..............@....pdata..X....P.......6..............@..@.rsrc........`.......:..............@..@.reloc..(....p.......<..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Hash\_poly1305.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.262055670423592
Encrypted:	false
SSDEEP:	192:C/ZN2eq/b04PAHH41F6fnVS0sVn+5CA5Z1cD66WGcqgFjLg:vI4IHHaQfSVnCZyDImgFjLg
MD5:	18D2D96980802189B23893820714DA90
SHA1:	5DEE494D25EB79038CBC2803163E2EF69E68274C
SHA-256:	C2FD98C677436260ACB9147766258CB99780A007114AED37C87893DF1CF1A717
SHA-512:	0317B65D8F292332C5457A6B15A77548BE5B2705F34BB8F4415046E3E778580ABD17B233E6CC2755C991247E0E65B27B5634465646715657B246483817CACEB7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...V..f.........." ................P.....................................................`..........................................8.......9..d....`.......P..\|............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......."..............@..@.data........@.......0..............@....pdata..\|....P.......2..............@..@.rsrc........`.......6..............@..@.reloc..(....p.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Math\_modexp.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.913843738203007
Encrypted:	false
SSDEEP:	384:dspbXtHQY4ubrttQza9CHnZXQsnecAlOF0qZLAXxQI3Sya6XPpMg3Yx8MnDcCPSq:7Y44UagH6cAFCLUSYpMg3YDzPo5kG9G
MD5:	EF472BA63FD22922CA704B1E7B95A29E
SHA1:	700B68E7EF95514D5E94D3C6B10884E1E187ACD8
SHA-256:	66EEF4E6E0CEEEF2C23A758BFBEDAE7C16282FC93D0A56ACAFC40E871AC3F01C
SHA-512:	DC2060531C4153C43ABF30843BCB5F8FA082345CA1BB57F9AC8695EDDB28FF9FDA8132B6B6C67260F779D95FCADCAE2811091BCA300AB1E041FAE6CC7B50ABD8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..P~...~...~...w.3.x...,...\|...5...}...~...U...,...u...,...v...,...}.......\|............._.............Rich~...................PE..d...^..f.........." .....`...0......`.....................................................`..........................................~..\|...L...d...............<...............(....q...............................q..8............p..(............................text...X^.......`.................. ..`.rdata.......p.......d..............@..@.data................x..............@....pdata..<...........................@..@.rsrc...............................@..@.reloc..(...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Protocol\_scrypt.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.735350805948923
Encrypted:	false
SSDEEP:	192:rhsC3eqv6b0q3OQ3rHu5bc64OhD2I/p3cqgONLg:r/Hq3jHuY64OhDJJgONLg
MD5:	3B1CE70B0193B02C437678F13A335932
SHA1:	063BFD5A32441ED883409AAD17285CE405977D1F
SHA-256:	EB2950B6A2185E87C5318B55132DFE5774A5A579259AB50A7935A7FB143EA7B1
SHA-512:	0E02187F17DFCFD323F2F0E62FBFE35F326DCF9F119FC8B15066AFAEEE4EB7078184BC85D571B555E9E67A2DD909EC12D8A67E3D075E9B1283813EF274E05C0D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^:.6?T.6?T.6?T.?G..2?T.dJU.4?T.}GU.5?T.6?U..?T.dJQ.<?T.dJP.>?T.dJW.5?T..J\.7?T..JT.7?T..J..7?T..JV.7?T.Rich6?T.........................PE..d...Z..f.........." ................P.....................................................`..........................................8..d....8..d....`.......P..4............p..(....1...............................1..8............0...............................text...H........................... ..`.rdata..0....0......................@..@.data........@.......&..............@....pdata..4....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..(....p......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\PublicKey\_curve25519.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22528
Entropy (8bit):	5.705606408072877
Encrypted:	false
SSDEEP:	384:19BcRxBmau38CYIl9bhgIW0mvufueNr359/tjGGDEFSegqrA:NcRy38J+9dmvufFtaGDV
MD5:	FF33C306434DEC51D39C7BF1663E25DA
SHA1:	665FCF47501F1481534597C1EAC2A52886EF0526
SHA-256:	D0E3B6A2D0E073B2D9F0FCDB051727007943A17A4CA966D75EBA37BECDBA6152
SHA-512:	66A909DC9C3B7BD4050AA507CD89B0B3A661C85D33C881522EC9568744953B698722C1CBFF093F9CBCD6119BD527FECAB05A67F2E32EC479BE47AFFA4377362C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...\..f.........." .....6...$......P.....................................................`.........................................`Y......`Z..d............p..................(....R..............................0R..8............P...............................text...(5.......6.................. ..`.rdata.......P.......:..............@..@.data........`.......J..............@....pdata.......p.......P..............@..@.rsrc................T..............@..@.reloc..(............V..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\PublicKey\_curve448.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	6.0189903352673655
Encrypted:	false
SSDEEP:	1536:Jfju4GgRMgWWnEDZiECgd/iwOXUQdbhov0Clb8Cx4hpK8ithLFIDullRPwDHxXOa:pXRMgWiEDZiECgd/iwOXUQdbhov0ClbU
MD5:	F267BF4256F4105DAD0D3E59023011ED
SHA1:	9BC6CA0F375CE49D5787C909D290C07302F58DA6
SHA-256:	1DDE8BE64164FF96B2BAB88291042EB39197D118422BEE56EB2846E7A2D2F010
SHA-512:	A335AF4DBF1658556ED5DC13EE741419446F7DAEC6BD2688B626A803FA5DD76463D6367C224E0B79B17193735E2C74BA417C26822DAEEF05AC3BAB1588E2DE83
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..P~...~...~...w.3.x...,...\|...5...}...~...U...,...u...,...v...,...}.......\|............._.............Rich~...................PE..d...\..f.........." .........8......`........................................P............`.............................................0.......d....0....... ..$............@..(.......................................8............................................text...8........................... ..`.rdata..............................@..@.data...............................@....pdata..$.... ......................@..@.rsrc........0......................@..@.reloc..(....@......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\PublicKey\_ec_ws.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	770560
Entropy (8bit):	7.613224993327352
Encrypted:	false
SSDEEP:	12288:XtIrHoxJ8gf1266y8IXhJvCKAmqVLzcrZgYIMGv1iLD9yQvG6h:XtIrHoxJFf1p34hcrn5Go9yQO6
MD5:	1EFD7F7CB1C277416011DE6F09C355AF
SHA1:	C0F97652AC2703C325AB9F20826A6F84C63532F2
SHA-256:	AB45FA80A68DB1635D41DC1A4AAD980E6716DAC8C1778CB5F30CDB013B7DF6E6
SHA-512:	2EC4B88A1957733043BBD63CEAA6F5643D446DB607B3267FAD1EC611E6B0AF697056598AAC2AE5D44AB2B9396811D183C32BCE5A0FF34E583193A417D1C5226B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........s.. .. .. ... .. ..!.. ..!.. .. .. ..!.. ..!.. ..!.. \..!.. \..!.. \.r .. \..!.. Rich.. ................PE..d...[..f.........." ................`.....................................................`.............................................h.......d...............................0......................................8...............(............................text............................... ..`.rdata..............................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..0...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\PublicKey\_ed25519.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26112
Entropy (8bit):	5.8551858881598795
Encrypted:	false
SSDEEP:	384:BczadRwoF2MZ81n0XTyMCYIl9bhgIW0mv8aeadRcwRwftjGLD2pRQNgQQ77k:2udRf2MuMJ+9dmv8aea34taLDcfQ
MD5:	C5FB377F736ED731B5578F57BB765F7A
SHA1:	5BA51E11F4DE1CAEDEBA0F7D4D10EC62EC109E01
SHA-256:	32073DF3D5C85ABCE7D370D6E341EF163A8350F6A9EDC775C39A23856CCFDD53
SHA-512:	D361BCDAF2C700D5A4AC956D96E00961432C05A1B692FC870DB53A90F233A6D24AA0C3BE99E40BD8E5B7C6C1B2BCDCDCFC545292EF321486FFC71C5EA7203E6A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...]..f.........." .....B...&......P.....................................................`..........................................i..0....k..d...............................(... b..............................@b..8............`...............................text....A.......B.................. ..`.rdata..P....`.......F..............@..@.data........p.......V..............@....pdata...............^..............@..@.rsrc................b..............@..@.reloc..(............d..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\PublicKey\_ed448.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84992
Entropy (8bit):	6.064677498000638
Encrypted:	false
SSDEEP:	1536:BrYNvxcZeLrIeNs2qkTwe57DsuP45PqAqVDK9agdUiwOXyQdDrov0slb8gx4TBKW:Br4vxcZeLrIeN1TvHsuP45yAqVDK9ag3
MD5:	8A0C0AA820E98E83AC9B665A9FD19EAF
SHA1:	6BF5A14E94D81A55A164339F60927D5BF1BAD5C4
SHA-256:	4EE3D122DCFFE78E6E7E76EE04C38D3DC6A066E522EE9F7AF34A09649A3628B1
SHA-512:	52496AE7439458DEDB58A65DF9FFDCC3A7F31FC36FE7202FB43570F9BB03ABC0565F5EF32E5E6C048ED3EBC33018C19712E58FF43806119B2FB5918612299E7E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..P~...~...~...w.3.x...,...\|...5...}...~...U...,...u...,...v...,...}.......\|............._.............Rich~...................PE..d...^..f.........." .........8......`.....................................................`..........................................C..h...HE..d....p.......`..l...............(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......4..............@....pdata..l....`.......>..............@..@.rsrc........p.......H..............@..@.reloc..(............J..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Util\_cpuid_c.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.675380950473425
Encrypted:	false
SSDEEP:	96:frQRpBddzAvzrqTOy/ThIz014mlxuLnkC75JiSBhsPeSztllIDpqf4AZaRcX6gnO:Qddz2KTnThIz0qfteRIDgRWcqgnCWt
MD5:	44B930B89CE905DB4716A548C3DB8DEE
SHA1:	948CBFF12A243C8D17A7ACD3C632EE232DF0F0ED
SHA-256:	921C2D55179C0968535B20E9FD7AF55AD29F4CE4CF87A90FE258C257E2673AA5
SHA-512:	79DF755BE8B01D576557A4CB3F3200E5EE1EDE21809047ABB9FF8D578C535AC1EA0277EDA97109839A7607AF043019F2C297E767441C7E11F81FDC87FD1B6EFC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@................../....../...../......+.......*......-......&....................,....Rich...........................PE..d...X..f.........." ................P........................................p............`.........................................@'..\|....'..P....P.......@...............`..(....!...............................!..8............ ...............................text............................... ..`.rdata....... ......................@..@.data...H....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..(....`.......&..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\Crypto\Util\_strxor.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.625428549874022
Encrypted:	false
SSDEEP:	96:flipBddzAvzrqTOy/ThIz014mlxuLnkC75JiSBhsPeSzteXuDVZqYNIfcX6gHCWx:Cddz2KTnThIz0qfteR5DVwYkcqgHCWt
MD5:	F24F9356A6BDD29B9EF67509A8BC3A96
SHA1:	A26946E938304B4E993872C6721EB8CC1DCBE43B
SHA-256:	034BB8EFE3068763D32C404C178BD88099192C707A36F5351F7FDB63249C7F81
SHA-512:	C4D3F92D7558BE1A714388C72F5992165DD7A9E1B4FA83B882536030542D93FDAD9148C981F76FFF7868192B301AC9256EDB8C3D5CE5A1A2ACAC183F96C1028B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@................../....../...../......+.......*......-......&....................,....Rich...........................PE..d...Z..f.........." ................P........................................p............`......................................... '..t....'..P....P.......@...............`..(....!...............................!..8............ ...............................text...h........................... ..`.rdata..`.... ......................@..@.data...H....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..(....`.......&..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120400
Entropy (8bit):	6.6017475353076716
Encrypted:	false
SSDEEP:	1536:N9TXF5LLXQLlNycKW+D4SdqJk6aN1ACuyxLiyazYaCVoecbdhgOwAd+zfZ1zu:N9jelDoD9uyxLizzFzecbdPwA87S
MD5:	862F820C3251E4CA6FC0AC00E4092239
SHA1:	EF96D84B253041B090C243594F90938E9A487A9A
SHA-256:	36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
SHA-512:	2F8A0F11BCCC3A8CB99637DEEDA0158240DF0885A230F38BB7F21257C659F05646C6B61E993F87E0877F6BA06B347DDD1FC45D5C44BC4E309EF75ED882B82E4E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\=..\...\...\..S$...\...$...\...\..5\...\...\.....\.....\.....\.....\......\.....\..Rich.\..........PE..d.....x.........." ...).$...d............................................................`A........................................0u..4...d}..........................PP...........^..p............................\..@............@...............................text............................... ..`fothk........0...................... ..`.rdata...C...@...D...(..............@..@.data................l..............@....pdata...............p..............@..@_RDATA...............\|..............@..@.rsrc................~..............@..@.reloc..............................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\VCRUNTIME140_1.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	6.701724666218339
Encrypted:	false
SSDEEP:	768:ApzzO6ujT3MbR3v0Cz6SR8q83yaFdWr9zRcmgEl6U9zSC:9q/oGw3fFdwzRcmZFzSC
MD5:	68156F41AE9A04D89BB6625A5CD222D4
SHA1:	3BE29D5C53808186EBA3A024BE377EE6F267C983
SHA-256:	82A2F9AE1E6146AE3CB0F4BC5A62B7227E0384209D9B1AEF86BBCC105912F7CD
SHA-512:	F7BF8AD7CD8B450050310952C56F6A20B378A972C822CCC253EF3D7381B56FFB3CA6CE3323BEA9872674ED1C02017F78AB31E9EB9927FC6B3CBA957C247E5D57
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?.{...{...{...0...y.......y...r.H.p...{...H.......\|.......`.......~.......z.....$.z.......z...Rich{...........PE..d...l0.?.........." ...).<...8.......@...............................................b....`A........................................pm.......m..x....................r..PP......D....c..p...........................`b..@............P..`............................text....;.......<.................. ..`.rdata.."#...P...$...@..............@..@.data................d..............@....pdata...............f..............@..@.rsrc................l..............@..@.reloc..D............p..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\_asyncio.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	70928
Entropy (8bit):	6.242470629630265
Encrypted:	false
SSDEEP:	768:FCIB0WWuqkJS86D6rznO6uqM+lY5ZkesIcydIJvn/5YiSyvT2ETh:FCY0WStDwnOLYY5ZkeddIJvnx7Sy75h
MD5:	80083B99812171FEA682B1CF38026816
SHA1:	365FB5B0C652923875E1C7720F0D76A495B0E221
SHA-256:	DBEAE7CB6F256998F9D8DE79D08C74D716D819EB4473B2725DBE2D53BA88000A
SHA-512:	33419B9E18E0099DF37D22E33DEBF15D57F4248346B17423F2B55C8DA7CBE62C19AA0BB5740CFAAC9BC6625B81C54367C0C476EAECE71727439686567F0B1234
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Z...........%.....................................................K...................I...........Rich...................PE..d......g.........." ...).d................................................... ............`.........................................`...P.......d......................../.............T...............................@...............(............................text...)b.......d.................. ..`.rdata...O.......P...h..............@..@.data...`...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\_bz2.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84240
Entropy (8bit):	6.607563436050078
Encrypted:	false
SSDEEP:	1536:Kdrz7l1EVLsSuvX3dUK4MLgqK7YEog8y5sV8lIJLVy7SyFB:urzcuvXvrEo7y6V8lIJLVyB
MD5:	CB8C06C8FA9E61E4AC5F22EEBF7F1D00
SHA1:	D8E0DFC8127749947B09F17C8848166BAC659F0D
SHA-256:	FC3B481684B926350057E263622A2A5335B149A0498A8D65C4F37E39DD90B640
SHA-512:	E6DA642B7200BFB78F939F7D8148581259BAA9A5EDDA282C621D14BA88083A9B9BD3D17B701E9CDE77AD1133C39BD93FC9D955BB620546BB4FCF45C68F1EC7D6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e...!m..!m..!m..(.o.+m..1...#m..1..."m..1...%m..1...)m..1...,m..i..."m..j...#m..!m..\|m..i...)m..i... m..i... m..i... m..Rich!m..........PE..d.....g.........." ...).....\......0........................................P......7[....`.............................................H...(........0....... .. ......../...@..........T...........................`...@...............x............................text............................... ..`.rdata...=.......>..................@..@.data...............................@....pdata.. .... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\_cffi_backend.cp313-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	179200
Entropy (8bit):	6.189919896183334
Encrypted:	false
SSDEEP:	3072:X3LjFuaTzDGA3GrJwUdoSPhpRv9JUizQWS7LkSTLkKWgFIPXD0:X3QaT3GA3NSPhDsizTikSTLLWgF0z0
MD5:	5CBA92E7C00D09A55F5CBADC8D16CD26
SHA1:	0300C6B62CD9DB98562FDD3DE32096AB194DA4C8
SHA-256:	0E3D149B91FC7DC3367AB94620A5E13AF6E419F423B31D4800C381468CB8AD85
SHA-512:	7AB432C8774A10F04DDD061B57D07EBA96481B5BB8C663C6ADE500D224C6061BC15D17C74DA20A7C3CEC8BBF6453404D553EBAB22D37D67F9B163D7A15CF1DED
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......i..#-p.p-p.p-p.p$..p!p.p=.q/p.p=.zp)p.p=.q)p.p=.q%p.p=.q!p.pf..q)p.p9.q.p.p-p.p.p.pe..q)p.p$..p,p.pe..q,p.pe.xp,p.pe..q,p.pRich-p.p........................PE..d..._..f.........." ...).....B......@........................................0............`..........................................h..l....i..................T............ ......0O...............................M..@............................................text............................... ..`.rdata..............................@..@.data....].......0...n..............@....pdata..T...........................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\_ctypes.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	131344
Entropy (8bit):	6.311142284249784
Encrypted:	false
SSDEEP:	3072:3RF024DWkT/DKGkXY402iXnVJf/FO50XnekZ39gPhvEQZIJyPArm:j0nHT/DKFXZorf/FO50uW3SEQt
MD5:	A55E57D7594303C89B5F7A1D1D6F2B67
SHA1:	904A9304A07716497CF3E4EAAFD82715874C94F1
SHA-256:	F63C6C7E71C342084D8F1A108786CA6975A52CEFEF8BE32CC2589E6E2FE060C8
SHA-512:	FFA61AD2A408A831B5D86B201814256C172E764C9C1DBE0BD81A2E204E9E8117C66F5DFA56BB7D74275D23154C0ED8E10D4AE8A0D0564434E9761D754F1997FC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h~..............q...............................................q.......q......!u.............................................Rich....................PE..d.....g.........." ...).............h....................................... .......Z....`.........................................P.................................../...........=..T............................;..@............0...............................text............................... ..`.rdata...y...0...z..................@..@.data....$....... ..................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\_decimal.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	277776
Entropy (8bit):	6.5855511991551
Encrypted:	false
SSDEEP:	6144:x9iD78EIq4x4OA5bZZ0KDgQcI79qWM53pLW1AFR8E4wXw76TPlpV77777VMvyk:xwDGqr5b8EgQ5+w6k
MD5:	F3377F3DE29579140E2BBAEEFD334D4F
SHA1:	B3076C564DBDFD4CA1B7CC76F36448B0088E2341
SHA-256:	B715D1C18E9A9C1531F21C02003B4C6726742D1A2441A1893BC3D79D7BB50E91
SHA-512:	34D9591590BBA20613691A5287EF329E5927A58127CE399088B4D68A178E3AF67159A8FC55B4FCDCB08AE094753B20DEC2AC3F0B3011481E4ED6F37445CECDD5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j2U..\...\...\..s....\..]...\.._...\..X...\..Y...\...]...\..s]...\...].z.\..._...\...Q...\...\...\.......\...^...\.Rich..\.........................PE..d......g.........." ...).....Z...............................................P......W.....`.................................................L........0..........t+......./...@..........T...............................@............... ............................text.............................. ..`.rdata..\...........................@..@.data...8'......."..................@....pdata..t+.......,..................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\_hashlib.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	64272
Entropy (8bit):	6.220967684620152
Encrypted:	false
SSDEEP:	768:eNJI0DWiflFwY9X3Th1JnptE462TxNvdbj4dIJvI75YiSyvE62Em:2LDxflFwY9XDhPfVNv+dIJvIF7Syc6c
MD5:	32D76C9ABD65A5D2671AEEDE189BC290
SHA1:	0D4440C9652B92B40BB92C20F3474F14E34F8D62
SHA-256:	838D5C8B7C3212C8429BAF612623ABBBC20A9023EEC41E34E5461B76A285B86C
SHA-512:	49DC391F4E63F4FF7D65D6FD837332745CC114A334FD61A7B6AA6F710B235339964B855422233FAC4510CCB9A6959896EFE880AB24A56261F78B2A0FD5860CD9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W.A.6...6...6...N%..6.......6.......6.......6.......6.......6...N...6.......6...6..26.......6.......6....I..6.......6..Rich.6..........PE..d......g.........." ...).P...~.......=..............................................!.....`.........................................p...P................................/......X....l..T............................k..@............`...............................text....N.......P.................. ..`.rdata...M...`...N...T..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..X...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\_lzma.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	157968
Entropy (8bit):	6.854644275249963
Encrypted:	false
SSDEEP:	3072:KbbS4R/G4Z8r7NjwJTSUqCRY4By7znfB9mNowgn0lCelIJ012+j:KbR/8oWeBi5YOwflCe8o
MD5:	1BA022D42024A655CF289544AE461FB8
SHA1:	9772A31083223ECF66751FF3851D2E3303A0764C
SHA-256:	D080EABD015A3569813A220FD4EA74DFF34ED2A8519A10473EB37E22B1118A06
SHA-512:	2B888A2D7467E29968C6BB65AF40D4B5E80722FFDDA760AD74C912F3A2F315D402F3C099FDE82F00F41DE6C9FAAEDB23A643337EB8821E594C567506E3464C62
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7...V.,.V.,.V.,...,.V.,..-.V.,..-.V.,..-.V.,..-.V.,..-.V.,...-.V.,.V.,.V.,..-.V.,..-.V.,..u,.V.,..-.V.,Rich.V.,................PE..d......g.........." ...).`...........1.......................................p.......P....`.............................................L.......x....P.......0.......:.../...`..4....\|..T...........................P{..@............p...............................text...^^.......`.................. ..`.rdata.......p.......d..............@..@.data........ ......................@....pdata.......0......................@..@.rsrc........P......................@..@.reloc..4....`.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\_multiprocessing.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	35600
Entropy (8bit):	6.416657776501014
Encrypted:	false
SSDEEP:	768:6wehui7ZmQW/3OUDxEiNIJntJ5YiSyvSJz2Ec:whuilG+UDxEiNIJntX7Sy+zO
MD5:	705AC24F30DC9487DC709307D15108ED
SHA1:	E9E6BA24AF9947D8995392145ADF62CAC86BA5D8
SHA-256:	59134B754C6ACA9449E2801E9E7ED55279C4F1ED58FE7A7A9F971C84E8A32A6C
SHA-512:	F5318EBB91F059F0721D75D576B39C7033D566E39513BAD8E7E42CCC922124A5205010415001EE386495F645238E2FF981A8B859F0890DC3DA4363EB978FDBA7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2.Y)v.7zv.7zv.7z..zt.7zf,6{t.7zf,4{u.7zf,3{~.7zf,2{{.7z>-6{t.7zv.6z..7z=.6{s.7z>-:{t.7z>-7{w.7z>-.zw.7z>-5{w.7zRichv.7z........PE..d......g.........." ...). ...>......@...............................................%.....`......................................... E..`....E..x............p.......\.../...........4..T............................3..@............0...............................text............ .................. ..`.rdata..6 ...0..."...$..............@..@.data...p....`.......F..............@....pdata.......p.......L..............@..@.rsrc................P..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\_overlapped.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	55568
Entropy (8bit):	6.3313243577146485
Encrypted:	false
SSDEEP:	1536:+kMm7HdG/l5fW3UguCE+eRIJWtd7SyJds:+wIQUFCEbRIJWtd6
MD5:	A72527454DD6DA346DDB221FC729E3D4
SHA1:	0276387E3E0492A0822DB4EABE23DB8C25EF6E6F
SHA-256:	404353D7B867749FA2893033BD1EBF2E3F75322D4015725D697CFA5E80EC9D0F
SHA-512:	FEFB543D20520F86B63E599A56E2166599DFA117EDB2BEB5E73FC8B43790543702C280A05CCFD9597C0B483F637038283DD48EF8C88B4EA6BAC411EC0043B10A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.{X/.(X/.(X/.(QW_(\/.(H..)Z/.(H..)[/.(H..)P/.(H..)T/.(...)Z/.(X/.(//.(.W.)]/.(.W.)Y/.(...)Y/.(...)Y/.(..3(Y/.(...)Y/.(RichX/.(........................PE..d.....g.........." ...).L...`......@................................................}....`.............................................X................................/......(....f..T............................e..@............`...............................text....J.......L.................. ..`.rdata...8...`...:...P..............@..@.data...@...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..(...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\_queue.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	33552
Entropy (8bit):	6.446391764486538
Encrypted:	false
SSDEEP:	384:7GpPCRjqMu/AoS6rf7sif0NHQibZIJ9UoOHQIYiSy1pCQ5xX1rSJIVE8E9VF0Nyf:fkTM6rg9aeZIJ9Uok5YiSyvTo2Et
MD5:	1C03CAA59B5E4A7FB9B998D8C1DA165A
SHA1:	8A318F80A705C64076E22913C2206D9247D30CD7
SHA-256:	B9CF502DADCB124F693BF69ECD7077971E37174104DBDA563022D74961A67E1E
SHA-512:	783ECDA7A155DFC96A718D5A130FB901BBECBED05537434E779135CBA88233DD990D86ECA2F55A852C9BFB975074F7C44D8A3E4558D7C2060F411CE30B6A915F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T...........-.........................................................................A...........Rich...................PE..d.....g.........." ...).....:.......................................................r....`.........................................PD..L....D..d....p.......`..l....T.../..........@4..T............................3..@............0...............................text............................... ..`.rdata..2....0....... ..............@..@.data........P.......>..............@....pdata..l....`.......D..............@..@.rsrc........p.......H..............@..@.reloc...............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\_socket.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83728
Entropy (8bit):	6.331814573029388
Encrypted:	false
SSDEEP:	1536:XuV3gvWHQdMq3ORC/OypTXQlyJ+9+nzEYwsBI6tzOKuZIJywJ7Sy21:XuVQvcQTSypTXQlyJs+nzEYJI6QlZIJY
MD5:	FE896371430BD9551717EF12A3E7E818
SHA1:	E2A7716E9CE840E53E8FC79D50A77F40B353C954
SHA-256:	35246B04C6C7001CA448554246445A845CE116814A29B18B617EA38752E4659B
SHA-512:	67ECD9A07DF0A07EDD010F7E3732F3D829F482D67869D6BCE0C9A61C24C0FDC5FF4F4E4780B9211062A6371945121D8883BA2E9E2CF8EB07B628547312DFE4C9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............ll}.ll}.ll}...}.ll}..m\|.ll}..o\|.ll}..h\|.ll}..i\|.ll}..m\|.ll}.lm}.ll}..m\|.ll}..a\|.ll}..l\|.ll}..}.ll}..n\|.ll}Rich.ll}........PE..d.....g.........." ...).x.......... -.......................................`.......s....`.........................................@...P............@.......0.........../...P..........T...........................@...@............................................text....w.......x.................. ..`.rdata.. y.......z...\|..............@..@.data...............................@....pdata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\_sqlite3.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	128272
Entropy (8bit):	6.294497957566744
Encrypted:	false
SSDEEP:	3072:N+tZdKmXhyn/qO6ItCpz6j5yQyshiKftdIJvQJL:NGZVwnxHssj5lhiYR
MD5:	D4E5BE27410897AC5771966E33B418C7
SHA1:	5D18FF3CC196557ED40F2F46540B2BFE02901D98
SHA-256:	3E625978D7C55F4B609086A872177C4207FB483C7715E2204937299531394F4C
SHA-512:	4D40B4C6684D3549C35ED96BEDD6707CE32DFAA8071AEADFBC682CF4B7520CFF08472F441C50E0D391A196510F8F073F26AE8B2D1E9B1AF5CF487259CC6CCC09
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........V...7.7.7.Oc..7...7.....7...7.....7.....7...7..O.7.7.6.....7...7.....7...7.Rich.7.........................PE..d......g.........." ...)............................................................[.....`..........................................{..P...P{.........................../..............T...............................@...............H............................text...t........................... ..`.rdata.............................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\_ssl.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	181520
Entropy (8bit):	5.972827303352998
Encrypted:	false
SSDEEP:	3072:kO+IWyXHllRhN1qhep7fM6CpqjZI8u7pUULbaLZErWreVEzvT3iFCNc6tYwJc1OW:kpSrhN1E2M6CpUuwg5dEW7
MD5:	1C0E3E447F719FBE2601D0683EA566FC
SHA1:	5321AB73B36675B238AB3F798C278195223CD7B1
SHA-256:	63AE2FEFBFBBBC6EA39CDE0A622579D46FF55134BC8C1380289A2976B61F603E
SHA-512:	E1A430DA2A2F6E0A1AED7A76CC4CD2760B3164ABC20BE304C1DB3541119942508E53EA3023A52B8BADA17A6052A7A51A4453EFAD1A888ACB3B196881226C2E5C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......FM.^.,k..,k..,k..T...,k...j..,k...h..,k...o..,k...n..,k.J.j..,k...j..,k..,j..-k.ITj..,k.J.f..,k.J.k..,k.J....,k.J.i..,k.Rich.,k.................PE..d......g.........." ...)............ /..............................................R\....`.............................................d................................/..............T...........................P...@............................................text...0........................... ..`.rdata..D%.......&..................@..@.data...`...........................@....pdata...............n..............@..@.rsrc................z..............@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\_uuid.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25872
Entropy (8bit):	6.591600232213824
Encrypted:	false
SSDEEP:	384:bROw4TUyiIWlIJ0wsaHQIYiSy1pCQxHoQSJIVE8E9VF0NyEIkz:4w4TUyfWlIJ0wT5YiSyvBk2E3kz
MD5:	3ACF3138D5550CA6DE7E2580E076E0F7
SHA1:	3E878A18DF2362AA6F0BDBFA058DCA115E70D0B8
SHA-256:	F9D5008F0772AA0720BC056A6ECD5A2A3F24965E4B470B022D88627A436C1FFE
SHA-512:	F05E90A0FEAA2994B425884AF32149FBBE2E11CB7499FC88CA92D8A74410EDCD62B2B2C0F1ECD1A46985133F7E89575F2C114BD01F619C22CE52F3CF2A7E37C4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........p..#..#..#..\#..#..."..#..."..#..."..#..."..#..."..#..."..#..#...#..."..#..."..#..0#..#..."..#Rich..#........PE..d.....g.........." ...).....&......................................................".....`.........................................p9..L....9..x....`.......P.......6.../...p..@...`3..T........................... 2..@............0..8............................text...h........................... ..`.rdata.......0......................@..@.data...p....@.......&..............@....pdata.......P.......(..............@..@.rsrc........`.......*..............@..@.reloc..@....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\_wmi.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	38160
Entropy (8bit):	6.338856805460127
Encrypted:	false
SSDEEP:	768:fEkK9VgWOZbs3550QcJpPllIJLiX5YiSyvQ602Euf0:fE93jkbQcJvlIJLiJ7Syq00
MD5:	1C30CC7DF3BD168D883E93C593890B43
SHA1:	31465425F349DAE4EDAC9D0FEABC23CE83400807
SHA-256:	6435C679A3A3FF4F16708EBC43F7CA62456C110AC1EA94F617D8052C90C143C7
SHA-512:	267A1807298797B190888F769D998357B183526DFCB25A6F1413E64C5DCCF87F51424B7E5D6F2349D7A19381909AB23B138748D8D9F5858F7DC0552F5C5846AC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........H2.&a.&a.&a..a.&a..'`.&a..%`.&a.."`.&a..'`.&a..#`.&a..'`.&a.'a..&a.."`.&a../`.&a..&`.&a...a.&a..$`.&aRich.&a................PE..d.....g.........." ...).,...<.......)..............................................'.....`.........................................0V..H...xV.......................f.../......x...tG..T............................C..@............@.......T..@....................text....*.......,.................. ..`.rdata..d ...@..."...0..............@..@.data........p.......R..............@....pdata...............V..............@..@.rsrc................Z..............@..@.reloc..x............d..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\base_library.zip

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1394456
Entropy (8bit):	5.531698507573688
Encrypted:	false
SSDEEP:	12288:IW7WpLV6yNLeGQbVz3YQfiBgDPtLwjFx278e6ZQnHS91lqyL+DXUgnxOr+dx5/GO:B7WpLtHa9BHSHAW+dx5/GP05vddD
MD5:	A9CBD0455B46C7D14194D1F18CA8719E
SHA1:	E1B0C30BCCD9583949C247854F617AC8A14CBAC7
SHA-256:	DF6C19637D239BFEDC8CD13D20E0938C65E8FDF340622FF334DB533F2D30FA19
SHA-512:	B92468E71490A8800E51410DF7068DD8099E78C79A95666ECF274A9E9206359F049490B8F60B96081FAFD872EC717E67020364BCFA972F26F0D77A959637E528
Malicious:	false
Preview:	PK..........!..b.e............_collections_abc.pyc......................................\.....S.r.S.S.K.J.r.J.r. .S.S.K.r.\.".\.\.....5.......r.\.".S.5.......r.S...r.\.".\.5.......r.C./.S.Q.r.S.r.\.".\.".S.5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".0.R%..................5.......5.......5.......r.\.".\.".0.R)..................5.......5.......5.......r.\.".\.".0.R-..................5.......5.......5.......r.\.".\."./.5.......5.......r.\.".\.".\."./.5.......5.......5.......r.\.".\.".\.".S.5.......5.......5.......r.\.".\.".\.".S.S.-...5.......5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".S.5.......5.......r \.".\.".S.5.......5.......r!\.".\.".\"".5.......5.......5.......r#\.".0.R%..................5.......5.......r$\.".0.R)..................5.......5.......r%\.".0.R-..................5.......5.......r&\.".\.RN..................5.......r(S...r)\)".5.......r*C)\.".S...".5.......5.......r+S...r,\,".5.......r,\.".\,5.......r-\,R]..................5.......

C:\Users\user\AppData\Local\Temp\_MEI64882\certifi\cacert.pem

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299427
Entropy (8bit):	6.047872935262006
Encrypted:	false
SSDEEP:	6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/QRSRqNb7d8iu5Nahx:QWb/TRJLWURrI5RWavdF08/
MD5:	50EA156B773E8803F6C1FE712F746CBA
SHA1:	2C68212E96605210EDDF740291862BDF59398AEF
SHA-256:	94EDEB66E91774FCAE93A05650914E29096259A5C7E871A1F65D461AB5201B47
SHA-512:	01ED2E7177A99E6CB3FBEF815321B6FA036AD14A3F93499F2CB5B0DAE5B713FD2E6955AA05F6BDA11D80E9E0275040005E5B7D616959B28EFC62ABB43A3238F0
Malicious:	false
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\_MEI64882\cryptography-43.0.3.dist-info\INSTALLER

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI64882\cryptography-43.0.3.dist-info\METADATA

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	5440
Entropy (8bit):	5.074230645519915
Encrypted:	false
SSDEEP:	96:DloQIUQIhQIKQILbQIRIaMPktjaVxsxA2TLLDmplH7dwnqTIvrUmA0JQTQCQx5KN:RcPuP1srTLLDmplH7JTIvYX0JQTQ9x54
MD5:	C891CD93024AF027647E6DE89D0FFCE2
SHA1:	01D8D6F93F1B922A91C82D4711BCEFB885AD47B0
SHA-256:	EB36E0E4251E8479EF36964440755EF22BEDD411BA87A93F726FA8E5BB0E64B0
SHA-512:	3386FBB3DCF7383B2D427093624C531C50BE34E3E0AA0984547B953E04776D0D431D5267827F4194A9B0AD1AB897869115623E802A6A1C5D2AE1AD82C96CCE71
Malicious:	false
Preview:	Metadata-Version: 2.3.Name: cryptography.Version: 43.0.3.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: Apache Software License.Classifier: License :: OSI Approved :: BSD License.Classifier: Natural Language :: English.Classifier: Operating System :: MacOS :: MacOS X.Classifier: Operating System :: POSIX.Classifier: Operating System :: POSIX :: BSD.Classifier: Operating System :: POSIX :: Linux.Classifier: Operating System :: Microsoft :: Windows.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Programming Language :: Python :: 3.7.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: Programming Language :: Python :: 3.11.Classifier: Programming Language :: Python :: 3.12.Classif

C:\Users\user\AppData\Local\Temp\_MEI64882\cryptography-43.0.3.dist-info\RECORD

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	15579
Entropy (8bit):	5.5670696451446435
Encrypted:	false
SSDEEP:	192:1XeTB7oz5jF4EHRThXsI4WPm6LciTwqU+NX6in5hqw/t+B:1Xk7ohCE3sIPm6LciTwqU+96inhgB
MD5:	6BA7EACDC603A21F205A9F4CF0FBF12E
SHA1:	55CEB7C05E30C49B582E7B2C4CE03E2FE9351CC1
SHA-256:	4AE8807DEAA2C41CB02FFB19601220AF425EA392D97375B85F18D1449F67F44F
SHA-512:	E621D6059D456940A953E7FA12D90988F9E14D3CD41018EEFB1788514B580A589860306A3818AB8B2CDEF3FE3A341E8324B4F2F31EB64D249BBF46E8E9894C3D
Malicious:	false
Preview:	cryptography-43.0.3.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..cryptography-43.0.3.dist-info/METADATA,sha256=6zbg5CUehHnvNpZEQHVe8ivt1BG6h6k_cm-o5bsOZLA,5440..cryptography-43.0.3.dist-info/RECORD,,..cryptography-43.0.3.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..cryptography-43.0.3.dist-info/WHEEL,sha256=8_4EnrLvbhzH224YH8WypoB7HFn-vpbwr_zHlr3XUBI,94..cryptography-43.0.3.dist-info/license_files/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197..cryptography-43.0.3.dist-info/license_files/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360..cryptography-43.0.3.dist-info/license_files/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532..cryptography/__about__.py,sha256=-FkHKD9mSuEfH37wsSKnQzJZmL5zUAUTpB5OeUQjPE0,445..cryptography/__init__.py,sha256=mthuUrTd4FROCpUYrTIqhjz6s6T9djAZrV7nZ1oMm2o,364..cryptography/__pycache__/__about__.cpython-313.pyc,,..cryptography/__pycache__/__ini

C:\Users\user\AppData\Local\Temp\_MEI64882\cryptography-43.0.3.dist-info\WHEEL

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	5.016084900984752
Encrypted:	false
SSDEEP:	3:RtEeX5pGogP+tkKciH/KQb:RtvoTWKTQb
MD5:	C869D30012A100ADEB75860F3810C8C9
SHA1:	42FD5CFA75566E8A9525E087A2018E8666ED22CB
SHA-256:	F3FE049EB2EF6E1CC7DB6E181FC5B2A6807B1C59FEBE96F0AFFCC796BDD75012
SHA-512:	B29FEAF6587601BBE0EDAD3DF9A87BFC82BB2C13E91103699BABD7E039F05558C0AC1EF7D904BCFAF85D791B96BC26FA9E39988DD83A1CE8ECCA85029C5109F0
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: maturin (1.7.0).Root-Is-Purelib: false.Tag: cp39-abi3-win_amd64.

C:\Users\user\AppData\Local\Temp\_MEI64882\cryptography-43.0.3.dist-info\license_files\LICENSE

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	197
Entropy (8bit):	4.61968998873571
Encrypted:	false
SSDEEP:	3:hWDncJhByZmJgXPForADu1QjygQuaAJygT2d5GeWreLRuOFEXAYeBKmJozlMHuO:h9Co8FyQjkDYc5tWreLBF/pn2mH1
MD5:	8C3617DB4FB6FAE01F1D253AB91511E4
SHA1:	E442040C26CD76D1B946822CAF29011A51F75D6D
SHA-256:	3E0C7C091A948B82533BA98FD7CBB40432D6F1A9ACBF85F5922D2F99A93AE6BB
SHA-512:	77A1919E380730BCCE5B55D76FBFFBA2F95874254FAD955BD2FE1DE7FC0E4E25B5FDAAB0FEFFD6F230FA5DC895F593CF8BFEDF8FDC113EFBD8E22FADAB0B8998
Malicious:	false
Preview:	This software is made available under the terms of either of the licenses.found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made.under the terms of both these licenses..

C:\Users\user\AppData\Local\Temp\_MEI64882\cryptography-43.0.3.dist-info\license_files\LICENSE.APACHE

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	11360
Entropy (8bit):	4.426756947907149
Encrypted:	false
SSDEEP:	192:nUDG5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEnQHbHR:UIvlKM1zJlFvmNz5VrlkTS0QHt
MD5:	4E168CCE331E5C827D4C2B68A6200E1B
SHA1:	DE33EAD2BEE64352544CE0AA9E410C0C44FDF7D9
SHA-256:	AAC73B3148F6D1D7111DBCA32099F68D26C644C6813AE1E4F05F6579AA2663FE
SHA-512:	F451048E81A49FBFA11B49DE16FF46C52A8E3042D1BCC3A50AAF7712B097BED9AE9AED9149C21476C2A1E12F1583D4810A6D36569E993FE1AD3879942E5B0D52
Malicious:	false
Preview:	. Apache License. Version 2.0, January 2004. https://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial ow

C:\Users\user\AppData\Local\Temp\_MEI64882\cryptography-43.0.3.dist-info\license_files\LICENSE.BSD

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1532
Entropy (8bit):	5.058591167088024
Encrypted:	false
SSDEEP:	24:MjUnoorbOFFTJJyRrYFTjzMbmqEvBTP4m96432s4EOkUTKQROJ32s3yxsITf+3tY:MkOFJSrYJsaN5P406432svv32s3EsIqm
MD5:	5AE30BA4123BC4F2FA49AA0B0DCE887B
SHA1:	EA5B412C09F3B29BA1D81A61B878C5C16FFE69D8
SHA-256:	602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
SHA-512:	DDBB20C80ADBC8F4118C10D3E116A5CD6536F72077C5916D87258E155BE561B89EB45C6341A1E856EC308B49A4CB4DBA1408EABD6A781FBE18D6C71C32B72C41
Malicious:	false
Preview:	Copyright (c) Individual contributors..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:.. 1. Redistributions of source code must retain the above copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... 3. Neither the name of PyCA Cryptography nor the names of its contributors. may be used to endorse or promote products derived from this software. without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOS

C:\Users\user\AppData\Local\Temp\_MEI64882\cryptography\hazmat\bindings\_rust.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	7834624
Entropy (8bit):	6.517862303223651
Encrypted:	false
SSDEEP:	49152:oFNZj7fIo9W67PapgzJTkrXyzNzpXAbuiqCgIns3mYEXEqMrIU6i7GtlqdVwASO/:QI9X/gIFYEXME+oFNr5VQCJheq4BsxH
MD5:	BFD28B03A4C32A9BCB001451FD002F67
SHA1:	DD528FD5F4775E16B2E743D3188B66F1174807B2
SHA-256:	8EF0F404A8BFF12FD6621D8F4F209499613F565777FE1C2A680E8A18F312D5A7
SHA-512:	6DC39638435F147B399826E34F78571D7ED2ED1232275E213A2B020224C0645E379F74A0CA5DE86930D3348981C8BB03BBBECFA601F8BA781417E7114662DDEE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.b.6...6...6...?..$...&9..4...&9..2...&9..>...&9..'...}...8...Y<..5...6...2...~8..I...6.......~8..7...~8..7...Rich6...........PE..d......g.........." ...)..Y..$........W.......................................w...........`..........................................q.....l.q.............. s...............w......zi.T....................{i.(...Pyi.@.............Y..............................text...k.Y.......Y................. ..`.rdata...A....Y..B....Y.............@..@.data...@+....q.......q.............@....pdata....... s.......r.............@..@.reloc........w.......v.............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\libcrypto-3.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5232408
Entropy (8bit):	5.940072183736028
Encrypted:	false
SSDEEP:	98304:/V+Qs2NuR5YV0L8PQ1CPwDvt3uFlDC4SC9c:9rs2NuDYV0L841CPwDvt3uFlDC4SCa
MD5:	123AD0908C76CCBA4789C084F7A6B8D0
SHA1:	86DE58289C8200ED8C1FC51D5F00E38E32C1AAD5
SHA-256:	4E5D5D20D6D31E72AB341C81E97B89E514326C4C861B48638243BDF0918CFA43
SHA-512:	80FAE0533BA9A2F5FA7806E86F0DB8B6AAB32620DDE33B70A3596938B529F3822856DE75BDDB1B06721F8556EC139D784BC0BB9C8DA0D391DF2C20A80D33CB04
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._~.._~.._~..V.S.M~.....]~.....[~.....W~.....S~.._~...~......T~..J....~..J...7}..J...^~..J.?.^~..J...^~..Rich_~..........................PE..d......f.........." ...(..7..<......v........................................0P.......O...`...........................................H.0.....O.@....@O.\|.... L. .....O../...PO.$...`{D.8............................yD.@.............O..............................text.....7.......7................. ..`.rdata........7.......7.............@..@.data...Ao....K..<....K.............@....pdata....... L.......K.............@..@.idata...%....O..&....N.............@..@.00cfg..u....0O.......N.............@..@.rsrc...\|....@O.......N.............@..@.reloc..~....PO.......N.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\libffi-8.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39696
Entropy (8bit):	6.641880464695502
Encrypted:	false
SSDEEP:	768:NiQfxQemQJNrPN+moyijAc5YiSyvkIPxWEqG:dfxIQvPkmoyijP7SytPxF
MD5:	0F8E4992CA92BAAF54CC0B43AACCCE21
SHA1:	C7300975DF267B1D6ADCBAC0AC93FD7B1AB49BD2
SHA-256:	EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
SHA-512:	6E1B223462DC124279BFCA74FD2C66FE18B368FFBCA540C84E82E0F5BCBEA0E10CC243975574FA95ACE437B9D8B03A446ED5EE0C9B1B094147CEFAF704DFE978
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".H...(.......L...............................................n....`......................................... l.......p..P...............P....l.../......,...@d...............................c..@............`.. ............................text....G.......H.................. ..`.rdata..h....`.......L..............@..@.data................b..............@....pdata..P............d..............@..@.reloc..,............j..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\libssl-3.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	792856
Entropy (8bit):	5.57949182561317
Encrypted:	false
SSDEEP:	12288:7LN1sdyIzHHZp5c3nlUa6lxzAG11rbmFe9Xbv:7LgfzH5I3nlUa2AU2Fe9Xbv
MD5:	4FF168AAA6A1D68E7957175C8513F3A2
SHA1:	782F886709FEBC8C7CEBCEC4D92C66C4D5DBCF57
SHA-256:	2E4D35B681A172D3298CAF7DC670451BE7A8BA27C26446EFC67470742497A950
SHA-512:	C372B759B8C7817F2CBB78ECCC5A42FA80BDD8D549965BD925A97C3EEBDCE0335FBFEC3995430064DEAD0F4DB68EBB0134EB686A0BE195630C49F84B468113E3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l.>..\|m..\|m..\|m.u.m..\|m+.}l..\|m.u}l..\|m+..l..\|m+.xl..\|m+.yl..\|m..}l..\|m..}m..\|m..xl..\|m..\|l..\|m...m..\|m..~l..\|mRich..\|m................PE..d......f.........." ...(.>..........K........................................0......!+....`..........................................x...Q..............s.... ...M......./......d...p...8...............................@............................................text....<.......>.................. ..`.rdata..hz...P...\|...B..............@..@.data...qN.......H..................@....pdata..pV... ...X..................@..@.idata...c.......d...^..............@..@.00cfg..u...........................@..@.rsrc...s...........................@..@.reloc..C...........................@..B........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\pyexpat.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	201488
Entropy (8bit):	6.375994899027017
Encrypted:	false
SSDEEP:	6144:cAPHiRwroqoLHMpCSNVysh9CV2i6P/1vTg:6wrExSU6PdvTg
MD5:	CF2C3D127F11CB2C026E151956745564
SHA1:	B1C8C432FC737D6F455D8F642A4F79AD95A97BD3
SHA-256:	D3E81017B4A82AE1B85E8CD6B9B7EB04D8817E29E5BC9ECE549AC24C8BB2FF23
SHA-512:	FE3A9C8122FFFF4AF7A51DF39D40DF18E9DB3BC4AED6B161A4BE40A586AC93C1901ACDF64CC5BFFF6975D22073558FC7A37399D016296432057B8150848F636E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1..P.P.P.(t..P...P...P...P...P....P..(.P.P..P....P....P......P....P.Rich.P.........................PE..d.....g.........." ...)..................................................... ............`............................................P... ............................/..........`4..T........................... 3..@............ ...............................text............................... ..`.rdata....... ......................@..@.data.... ..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\python3.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	70416
Entropy (8bit):	6.1258200129869405
Encrypted:	false
SSDEEP:	768:pQEotsskOv6pWVCB4p/uKlZPRQcFIc9qunV0Jku/YFI1Hu1wEBbCpVNyD6VdPxiD:/otssyKcunV8PjZIJy0i7SyWH1
MD5:	16855EBEF31C5B1EBE767F1C617645B3
SHA1:	315521F3A748ABFA35CD4D48E8DD09D0556D989B
SHA-256:	A5C6A329698490A035133433928D04368CE6285BB91A9D074FC285DE4C9A32A4
SHA-512:	C3957B3BD36B10C7AD6EA1FF3BC7BD65CDCEB3E6B4195A25D0649AA0DA179276CE170DA903D77B50A38FC3D5147A45BE32DBCFDBFBF76CC46301199C529ADEA4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%?..a^e.a^e.a^e.).m.`^e.).e.`^e.)..`^e.).g.`^e.Richa^e.........PE..d......g.........." ...)............................................................z.....`.........................................`..................................../..............T............................................................................rdata..............................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\python313.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6083856
Entropy (8bit):	6.126922729922386
Encrypted:	false
SSDEEP:	49152:fXGc3O7T4DKX+vLFMmKYxiAYNBD987KdJlI9HbeX2jrgQcw6Zc4h67mM+XDQ3bLi:Of42zJiwJl/YF7v3vaHDMiEN3Kr
MD5:	B9DE917B925DD246B709BB4233777EFD
SHA1:	775F258D8B530C6EA9F0DD3D1D0B61C1948C25D2
SHA-256:	0C0A66505093B6A4BB3475F716BD3D9552095776F6A124709C13B3F9552C7D99
SHA-512:	F4BF3398F50FDD3AB7E3F02C1F940B4C8B5650ED7AF16C626CCD1B934053BA73A35F96DA03B349C1EB614BB23E0BC6B5CC58B07B7553A5C93C6D23124F324A33
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........s]{v ]{v ]{v M.w!_{v M.. S{v M.u!Y{v M.r!U{v M.s!P{v T.. G{v ..w!V{v ]{w .zv ..{!.{v ..v!\{v ... \{v ..t!\{v Rich]{v ........................PE..d......g.........." ...).:+..T9......J........................................d.....uF]...`...........................................O.....h.P.......d......0].......\../....d..... A3.T.....................I.(....?3.@............P+..............................text....8+......:+................. ..`.rdata....%..P+...%..>+.............@..@.data...$9....P..N....P.............@....pdata.......0]...... U.............@..@PyRuntim.N...._..P....W.............@....rsrc.........d.......[.............@..@.reloc........d.......[.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\select.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30992
Entropy (8bit):	6.554484610649281
Encrypted:	false
SSDEEP:	384:7hhxm9tKLhuoNHfzzlvFy0ZZIJ9GckHQIYiSy1pCQ4HWSJIVE8E9VF0Ny6sC:tCytHf98uZIJ9Gx5YiSyvy2ES
MD5:	20831703486869B470006941B4D996F2
SHA1:	28851DFD43706542CD3EF1B88B5E2749562DFEE0
SHA-256:	78E5994C29D8851F28B5B12D59D742D876683AEA58ECEEA1FB895B2036CDCDEB
SHA-512:	4AAF5D66D2B73F939B9A91E7EDDFEB2CE2476C625586EF227B312230414C064AA850B02A4028363AA4664408C9510594754530A6D026A0A84BE0168D677C1BC4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........tV..'V..'V..'_.j'T..'F:.&T..'F:.&R..'F:.&^..'F:.&Z..'.;.&T..'V..'...'...&S..'.;.&W..'.;.&W..'.;.'W..'.;.&W..'RichV..'................PE..d.....g.........." ...).....2............................................................`..........................................@..L...<A..x....p.......`.......J.../......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data...p....P.......8..............@....pdata.......`.......:..............@..@.rsrc........p.......>..............@..@.reloc..L............H..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\INSTALLER

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\LICENSE

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	11358
Entropy (8bit):	4.4267168336581415
Encrypted:	false
SSDEEP:	192:nU6G5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEn7HbHR:U9vlKM1zJlFvmNz5VrlkTS07Ht
MD5:	3B83EF96387F14655FC854DDC3C6BD57
SHA1:	2B8B815229AA8A61E483FB4BA0588B8B6C491890
SHA-256:	CFC7749B96F63BD31C3C42B5C471BF756814053E847C10F3EB003417BC523D30
SHA-512:	98F6B79B778F7B0A15415BD750C3A8A097D650511CB4EC8115188E115C47053FE700F578895C097051C9BC3DFB6197C2B13A15DE203273E1A3218884F86E90E8
Malicious:	false
Preview:	. Apache License. Version 2.0, January 2004. http://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial own

C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\METADATA

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4648
Entropy (8bit):	5.006900644756252
Encrypted:	false
SSDEEP:	96:Dx2ZSaCSmS8R902Vpnu386eLQ9Ac+fFZpDN00x2jZ2SBXZJSwTE:9Smzf02Vpnu386mQ9B+TP0vJHJSwTE
MD5:	98ABEAACC0E0E4FC385DFF67B607071A
SHA1:	E8C830D8B0942300C7C87B3B8FD15EA1396E07BD
SHA-256:	6A7B90EFFEE1E09D5B484CDF7232016A43E2D9CC9543BCBB8E494B1EC05E1F59
SHA-512:	F1D59046FFA5B0083A5259CEB03219CCDB8CC6AAC6247250CBD83E70F080784391FCC303F7630E1AD40E5CCF5041A57CB9B68ADEFEC1EBC6C31FCF7FFC65E9B7
Malicious:	false
Preview:	Metadata-Version: 2.1.Name: importlib_metadata.Version: 8.0.0.Summary: Read metadata from Python packages.Author-email: "Jason R. Coombs" <jaraco@jaraco.com>.Project-URL: Source, https://github.com/python/importlib_metadata.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: Apache Software License.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Requires-Python: >=3.8.Description-Content-Type: text/x-rst.License-File: LICENSE.Requires-Dist: zipp >=0.5.Requires-Dist: typing-extensions >=3.6.4 ; python_version < "3.8".Provides-Extra: doc.Requires-Dist: sphinx >=3.5 ; extra == 'doc'.Requires-Dist: jaraco.packaging >=9.3 ; extra == 'doc'.Requires-Dist: rst.linker >=1.9 ; extra == 'doc'.Requires-Dist: furo ; extra == 'doc'.Requires-Dist: sphinx-lint ; extra == 'doc'.Requires-Dist: jaraco.tidelift >=1.4 ; extra == 'doc'.Provides-Extra: perf.Requires-D

C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\RECORD

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2518
Entropy (8bit):	5.6307766747793275
Encrypted:	false
SSDEEP:	48:UnuXTg06U5J/Vw9l/gfNX7/XzBk9pvJq/fwJOfYrBfnJ/V0XJnzN/3WJV:bXzP/EgdzzBkDJsoIYrBfJ/CXNz9qV
MD5:	EB513CAFA5226DDA7D54AFDCC9AD8A74
SHA1:	B394C7AEC158350BAF676AE3197BEF4D7158B31C
SHA-256:	0D8D3C6EEB9EBBE86CAC7D60861552433C329DA9EA51248B61D02BE2E5E64030
SHA-512:	A0017CFAFF47FDA6067E3C31775FACEE4728C3220C2D4BD70DEF328BD20AA71A343E39DA15CD6B406F62311894C518DFCF5C8A4AE6F853946F26A4B4E767924E
Malicious:	false
Preview:	importlib_metadata-8.0.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..importlib_metadata-8.0.0.dist-info/LICENSE,sha256=z8d0m5b2O9McPEK1xHG_dWgUBT6EfBDz6wA0F7xSPTA,11358..importlib_metadata-8.0.0.dist-info/METADATA,sha256=anuQ7_7h4J1bSEzfcjIBakPi2cyVQ7y7jklLHsBeH1k,4648..importlib_metadata-8.0.0.dist-info/RECORD,,..importlib_metadata-8.0.0.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..importlib_metadata-8.0.0.dist-info/WHEEL,sha256=mguMlWGMX-VHnMpKOjjQidIo1ssRlCFu4a4mBpz1s2M,91..importlib_metadata-8.0.0.dist-info/top_level.txt,sha256=CO3fD9yylANiXkrMo4qHLV_mqXL2sC5JFKgt1yWAT-A,19..importlib_metadata/__init__.py,sha256=tZNB-23h8Bixi9uCrQqj9Yf0aeC--Josdy3IZRIQeB0,33798..importlib_metadata/__pycache__/__init__.cpython-312.pyc,,..importlib_metadata/__pycache__/_adapters.cpython-312.pyc,,..importlib_metadata/__pycache__/_collections.cpython-312.pyc,,..importlib_metadata/__pycache__/_compat.cpython-312.pyc,,..importlib_metadata/__pycac

C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\WHEEL

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	91
Entropy (8bit):	4.687870576189661
Encrypted:	false
SSDEEP:	3:RtEeXMRYFAVLMvhRRP+tPCCfA5S:RtC1VLMvhjWBBf
MD5:	7D09837492494019EA51F4E97823D79F
SHA1:	7829B4324BB542799494131A270EC3BDAD4DEDEF
SHA-256:	9A0B8C95618C5FE5479CCA4A3A38D089D228D6CB1194216EE1AE26069CF5B363
SHA-512:	A0063220ECDD22C3E735ACFF6DE559ACF3AC4C37B81D37633975A22A28B026F1935CD1957C0FF7D2ECC8B7F83F250310795EECC5273B893FFAB115098F7B9C38
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: setuptools (70.1.1).Root-Is-Purelib: true.Tag: py3-none-any..

C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\top_level.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	19
Entropy (8bit):	3.536886723742169
Encrypted:	false
SSDEEP:	3:JSej0EBERG:50o4G
MD5:	A24465F7850BA59507BF86D89165525C
SHA1:	4E61F9264DE74783B5924249BCFE1B06F178B9AD
SHA-256:	08EDDF0FDCB29403625E4ACCA38A872D5FE6A972F6B02E4914A82DD725804FE0
SHA-512:	ECF1F6B777970F5257BDDD353305447083008CEBD8E5A27C3D1DA9C7BDC3F9BF3ABD6881265906D6D5E11992653185C04A522F4DB5655FF75EEDB766F93D5D48
Malicious:	false
Preview:	importlib_metadata.

C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools\_vendor\jaraco\text\Lorem ipsum.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	ASCII text, with very long lines (888)
Category:	dropped
Size (bytes):	1335
Entropy (8bit):	4.226823573023539
Encrypted:	false
SSDEEP:	24:FP6Hbz+g9RPZ14bJi04L6GEbX4UQF4UkZQhxI2EIhNyu:9E+i6bJmLm43+Uxxnh0u
MD5:	4CE7501F6608F6CE4011D627979E1AE4
SHA1:	78363672264D9CD3F72D5C1D3665E1657B1A5071
SHA-256:	37FEDCFFBF73C4EB9F058F47677CB33203A436FF9390E4D38A8E01C9DAD28E0B
SHA-512:	A4CDF92725E1D740758DA4DD28DF5D1131F70CEF46946B173FE6956CC0341F019D7C4FECC3C9605F354E1308858721DADA825B4C19F59C5AD1CE01AB84C46B24
Malicious:	false
Preview:	Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum..Curabitur pretium tincidunt lacus. Nulla gravida orci a odio. Nullam varius, turpis et commodo pharetra, est eros bibendum elit, nec luctus magna felis sollicitudin mauris. Integer in mauris eu nibh euismod gravida. Duis ac tellus et risus vulputate vehicula. Donec lobortis risus a elit. Etiam tempor. Ut ullamcorper, ligula eu tempor congue, eros est euismod turpis, id tincidunt sapien risus a quam. Maecenas fermentum consequat mi. Donec fermentum. Pellentesque malesuada nulla a mi. Duis sapien sem, aliquet nec, commodo eget, consequat quis, neque.

C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools\_vendor\wheel-0.43.0.dist-info\INSTALLER

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1107
Entropy (8bit):	5.115074330424529
Encrypted:	false
SSDEEP:	24:PWmrRONJHLH0cPP3gtkHw1h39QHOsUv4eOk4/+jvho3nPz:ttONJbbvE/NQHOs5eNS3n7
MD5:	7FFB0DB04527CFE380E4F2726BD05EBF
SHA1:	5B39C45A91A556E5F1599604F1799E4027FA0E60
SHA-256:	30C23618679108F3E8EA1D2A658C7CA417BDFC891C98EF1A89FA4FF0C9828654
SHA-512:	205F284F3A7E8E696C70ED7B856EE98C1671C68893F0952EEC40915A383BC452B99899BDC401F9FE161A1BF9B6E2CEA3BCD90615EEE9173301657A2CE4BAFE14
Malicious:	false
Preview:	MIT License..Copyright (c) 2012 Daniel Holth <dholth@fastmail.fm> and contributors..Permission is hereby granted, free of charge, to any person obtaining a.copy of this software and associated documentation files (the "Software"),.to deal in the Software without restriction, including without limitation.the rights to use, copy, modify, merge, publish, distribute, sublicense,.and/or sell copies of the Software, and to permit persons to whom the.Software is furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included.in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL.THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR.OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERW

C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools\_vendor\wheel-0.43.0.dist-info\METADATA

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	2153
Entropy (8bit):	5.088249746074878
Encrypted:	false
SSDEEP:	48:DEhpFu5MktjaywDK48d+md+7uT8RfkD1UKd+mOl1Awry:DEhpiMktjayq/7kOfsUzmbYy
MD5:	EBEA27DA14E3F453119DC72D84343E8C
SHA1:	7CEB6DBE498B69ABF4087637C6F500742FF7E2B4
SHA-256:	59BAC22B00A59D3E5608A56B8CF8EFC43831A36B72792EE4389C9CD4669C7841
SHA-512:	A41593939B9325D40CB67FD3F41CD1C9E9978F162487FB469094C41440B5F48016B9A66BE2E6E4A0406D6EEDB25CE4F5A860BA1E3DC924B81F63CEEE3AE31117
Malicious:	false
Preview:	Metadata-Version: 2.1.Name: wheel.Version: 0.43.0.Summary: A built-package format for Python.Keywords: wheel,packaging.Author-email: Daniel Holth <dholth@fastmail.fm>.Maintainer-email: Alex Gr.nholm <alex.gronholm@nextday.fi>.Requires-Python: >=3.8.Description-Content-Type: text/x-rst.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: Topic :: System :: Archiving :: Packaging.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: Programming Language :: Python :: 3.11.Classifier: Programming Language :: Python :: 3.12.Requires-Dist: pytest >= 6.0.0 ; extra == "test".Requires-Dist: setuptools >= 65 ; extra == "test".Project-URL: Changelog, https://wheel.readthedocs.io/en/s

C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools\_vendor\wheel-0.43.0.dist-info\RECORD

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	4557
Entropy (8bit):	5.714200636114494
Encrypted:	false
SSDEEP:	96:QXVuEmegx01TQIvFCiq9H/H7vp88FxTXiJPkGJP4CWweXQHmnDpMI78IegK5EeZR:QXVxAbYkU4CWweXQHmnDpMeV2BvTRqQF
MD5:	44D352C4997560C7BFB82D9360F5985A
SHA1:	BE58C7B8AB32790384E4E4F20865C4A88414B67A
SHA-256:	783E654742611AF88CD9F00BF01A431A219DB536556E63FF981C7BD673070AC9
SHA-512:	281B1D939A560E6A08D0606E5E8CE15F086B4B45738AB41ED6B5821968DC8D764CD6B25DB6BA562A07018C271ABF17A6BC5A380FAD05696ADF1D11EE2C5749C8
Malicious:	false
Preview:	../../bin/wheel,sha256=cT2EHbrv-J-UyUXu26cDY-0I7RgcruysJeHFanT1Xfo,249..wheel-0.43.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..wheel-0.43.0.dist-info/LICENSE.txt,sha256=MMI2GGeRCPPo6h0qZYx8pBe9_IkcmO8aifpP8MmChlQ,1107..wheel-0.43.0.dist-info/METADATA,sha256=WbrCKwClnT5WCKVrjPjvxDgxo2tyeS7kOJyc1GaceEE,2153..wheel-0.43.0.dist-info/RECORD,,..wheel-0.43.0.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..wheel-0.43.0.dist-info/WHEEL,sha256=EZbGkh7Ie4PoZfRQ8I0ZuP9VklN_TvcZ6DSE5Uar4z4,81..wheel-0.43.0.dist-info/entry_points.txt,sha256=rTY1BbkPHhkGMm4Q3F0pIzJBzW2kMxoG1oriffvGdA0,104..wheel/__init__.py,sha256=D6jhH00eMzbgrXGAeOwVfD5i-lCAMMycuG1L0useDlo,59..wheel/__main__.py,sha256=NkMUnuTCGcOkgY0IBLgBCVC_BGGcWORx2K8jYGS12UE,455..wheel/__pycache__/__init__.cpython-312.pyc,,..wheel/__pycache__/__main__.cpython-312.pyc,,..wheel/__pycache__/_setuptools_logging.cpython-312.pyc,,..wheel/__pycache__/bdist_wheel.cpython-312.pyc,,..wheel/__pycache

C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools\_vendor\wheel-0.43.0.dist-info\WHEEL

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	81
Entropy (8bit):	4.672346887071811
Encrypted:	false
SSDEEP:	3:RtEeX/QFM+vxP+tPCCfA5I:Rt1Qq2WBB3
MD5:	24019423EA7C0C2DF41C8272A3791E7B
SHA1:	AAE9ECFB44813B68CA525BA7FA0D988615399C86
SHA-256:	1196C6921EC87B83E865F450F08D19B8FF5592537F4EF719E83484E546ABE33E
SHA-512:	09AB8E4DAA9193CFDEE6CF98CCAE9DB0601F3DCD4944D07BF3AE6FA5BCB9DC0DCAFD369DE9A650A38D1B46C758DB0721EBA884446A8A5AD82BB745FD5DB5F9B1
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: flit 3.9.0.Root-Is-Purelib: true.Tag: py3-none-any.

C:\Users\user\AppData\Local\Temp\_MEI64882\setuptools\_vendor\wheel-0.43.0.dist-info\entry_points.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	104
Entropy (8bit):	4.271713330022269
Encrypted:	false
SSDEEP:	3:1SSAnAYgh+MWTMhk6WjrAM5t5ln:1Jb9WTMhk9jUM5t5ln
MD5:	6180E17C30BAE5B30DB371793FCE0085
SHA1:	E3A12C421562A77D90A13D8539A3A0F4D3228359
SHA-256:	AD363505B90F1E1906326E10DC5D29233241CD6DA4331A06D68AE27DFBC6740D
SHA-512:	69EAE7B1E181D7BA1D3E2864D31E1320625A375E76D3B2FBF8856B3B6515936ACE3138D4D442CABDE7576FCFBCBB0DEED054D90B95CFA1C99829DB12A9031E26
Malicious:	false
Preview:	[console_scripts].wheel=wheel.cli:main..[distutils.commands].bdist_wheel=wheel.bdist_wheel:bdist_wheel..

C:\Users\user\AppData\Local\Temp\_MEI64882\sqlite3.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1540368
Entropy (8bit):	6.577233901213655
Encrypted:	false
SSDEEP:	24576:cmKZpHTv4iPI9FDgJNRs++l8GwLXSz4ih5Z5jWbsxuIl40OwumzuLxIhiE:0rJoDgJNRs+U8GwLXSMIZ5jWb0uIl48R
MD5:	7E632F3263D5049B14F5EDC9E7B8D356
SHA1:	92C5B5F96F1CBA82D73A8F013CBAF125CD0898B8
SHA-256:	66771FBD64E2D3B8514DD0CD319A04CA86CE2926A70F7482DDEC64049E21BE38
SHA-512:	CA1CC67D3EB63BCA3CE59EF34BECCE48042D7F93B807FFCD4155E4C4997DC8B39919AE52AB4E5897AE4DBCB47592C4086FAC690092CAA7AA8D3061FBA7FE04A2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......gsX.#.6.#.6.#.6.*j../.6.3.7.!.6.3.5.'.6.3.2.+.6.3.3...6.hj7. .6.#.7...6.k.>.".6.k.6.".6.k..".6.k.4.".6.Rich#.6.........................PE..d.....g.........." ...).0...(.......................................................P....`..............................................#...........`...............R.../...p..X...0...T..............................@............@..X............................text...9........0.................. ..`.rdata..,....@.......4..............@..@.data...`M...0...D..................@....pdata...............\..............@..@.rsrc........`.......8..............@..@.reloc..X....p.......B..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64882\unicodedata.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	709904
Entropy (8bit):	5.861739047785334
Encrypted:	false
SSDEEP:	12288:FYGdLI/X77mvfldCKGihH32W3cnPSqrUgLIe:FYGW7qNxr3cnPXLIe
MD5:	0902D299A2A487A7B0C2D75862B13640
SHA1:	04BCBD5A11861A03A0D323A8050A677C3A88BE13
SHA-256:	2693C7EE4FBA55DC548F641C0CB94485D0E18596FFEF16541BD43A5104C28B20
SHA-512:	8CBEF5A9F2D24DA1014F8F1CCBDDD997A084A0B04DD56BCB6AC38DDB636D05EF7E4EA7F67A085363AAD3F43D45413914E55BDEF14A662E80BE955E6DFC2FECA3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Q.............(.....(.....(.....(.....)................).....).....)x....)....Rich..................PE..d.....g.........." ...).B...f......P,..............................................<.....`.........................................P...X................................/..........p...T...........................0...@............`..h............................text....@.......B.................. ..`.rdata...?...`...@...F..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\crcook.txt

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	304
Entropy (8bit):	5.843430678408942
Encrypted:	false
SSDEEP:	6:FO1g2D1Qv3rocHDyzxbuQ03rocHDKJKG1NOpFw+5uQ+Cy8HfyUhEqXfL6vRpAy:CgC1Qv79EEQ079O1NOpFwUuQLHaU9Wvd
MD5:	A0D8BD617C77BE977EC94D233E27D177
SHA1:	0DCFBADC645566D07CB2160387FD9F338D7D0BBD
SHA-256:	7CEB2DD28A3B8E9BB8305B00013111BA719EBB63AA9AEEBBFC76F7A0421777CA
SHA-512:	E128DE195506C0461B2B365A75793E2412412B153BE07A54F69F2CE9244F5F358B365C37F7BD0ED2FAD0C5CC3D7FFFD5697641AFD2C87A0432E86733F05AEAA1
Malicious:	false
Preview:	<--Creal STEALER BEST -->.....google.com.TRUE./.FALSE.2597573456.1P_JAR.2023-10-04-13...google.com.TRUE./.FALSE.2597573456.NID.511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4..

C:\Users\user\AppData\Local\Temp\crpassw.txt

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.9783335811852645
Encrypted:	false
SSDEEP:	3:vgt2TO1ng2DIIbr:FO1g2D1v
MD5:	155EA3C94A04CEAB8BD7480F9205257D
SHA1:	B46BBBB64B3DF5322DD81613E7FA14426816B1C1
SHA-256:	445E2BCECAA0D8D427B87E17E7E53581D172AF1B9674CF1A33DBE1014732108B
SHA-512:	3D47449DA7C91FE279217A946D2F86E5D95D396F53B55607EC8ACA7E9AA545CFAF9CB97914B643A5D8A91944570F9237E18EECEC0F1526735BE6CEEE45ECBA05
Malicious:	false
Preview:	<--Creal STEALER BEST -->....

C:\Users\user\AppData\Local\Tempcrmdtectzk.db

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Tempcrmgqkdhig.db

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Tempcrndjmiqyk.db

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Tempcrpuiufkke.db

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Tempcrqovwymzz.db

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Tempcrqxbrvnld.db

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Tempcrtscvwrzj.db

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Tempcrwowmlmuu.db

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe

Download File

Process:	C:\Users\user\Desktop\Creal.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16912015
Entropy (8bit):	7.996822378035481
Encrypted:	true
SSDEEP:	393216:29YiZM63hucsXMCHWUj/cuIbvR/PrK8Xms96YqZVo:29YiZt3hrsXMb8Ut/TKXlVo
MD5:	017603B860F67F7F65F724E519465926
SHA1:	51B1924EC73969FC16E00C0E80597C07711CF866
SHA-256:	1BA7BEDAAA3A81350A78CF579E625E879D6D68CEF0F7AC8C55CC419798F380E1
SHA-512:	A695347BEF5BDFDCD4ADEE43909B375828D89D48F78F88D443E4E19728FF82F2BFB5487EA80FBBBD9953394985BB0FDC935DA734EB32220FB386D701F9BC3945
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n=..\.Z\.Z\.Za$.[-\.Za$.[.\.Za$.[ \.Z:..Z)\.Z:..[#\.Z:..[;\.Z:..[.\.Za$.[!\.Z\.Z.\.Zb..[3\.Zb..[+\.ZRich\.Z........PE..d...f%/g.........."....).....\.................@....................................r.....`.................................................\...x....p.......@..P"...........p..d...................................@...@............................................text............................... ..`.rdata..P.......,..................@..@.data....S..........................@....pdata..P"...@...$..................@..@.rsrc........p......................@..@.reloc..d....p......................@..B........................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.996822378035481
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Creal.exe
File size:	16'912'015 bytes
MD5:	017603b860f67f7f65f724e519465926
SHA1:	51b1924ec73969fc16e00c0e80597c07711cf866
SHA256:	1ba7bedaaa3a81350a78cf579e625e879d6d68cef0f7ac8c55cc419798f380e1
SHA512:	a695347bef5bdfdcd4adee43909b375828d89d48f78f88d443e4e19728ff82f2bfb5487ea80fbbbd9953394985bb0fdc935da734eb32220fb386d701f9bc3945
SSDEEP:	393216:29YiZM63hucsXMCHWUj/cuIbvR/PrK8Xms96YqZVo:29YiZt3hrsXMb8Ut/TKXlVo
TLSH:	5D07331857E019DFD9F2A434EDD0D6DAE57AB4661BB2C74F86B893220EA71C04C3D623
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n=..\.Z\.Z\.Za$.[-\.Za$.[.\.Za$.[ \.Z:..Z)\.Z:..[#\.Z:..[;\.Z:..[.\.Za$.[!\.Z\.Z.\.Zb..[3\.Zb..[+\.ZRich*\.Z........PE..d..

File Icon


Icon Hash:	4a464cd47461e179

Static PE Info

General

Entrypoint:	0x14000cdb0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x672F2566 [Sat Nov 9 09:03:34 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	72c4e339b7af8ab1ed2eb3821c98713a

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FCA74C08C3Ch
dec eax
add esp, 28h
jmp 00007FCA74C0885Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007FCA74C09008h
test eax, eax
je 00007FCA74C08A03h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007FCA74C089E7h
dec eax
cmp ecx, eax
je 00007FCA74C089F6h
xor eax, eax
dec eax
cmpxchg dword ptr [0003577Ch], ecx
jne 00007FCA74C089D0h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007FCA74C089D9h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007FCA74C089E9h
mov byte ptr [00035765h], 00000001h
call 00007FCA74C08135h
call 00007FCA74C09420h
test al, al
jne 00007FCA74C089E6h
xor al, al
jmp 00007FCA74C089F6h
call 00007FCA74C15F3Fh
test al, al
jne 00007FCA74C089EBh
xor ecx, ecx
call 00007FCA74C09430h
jmp 00007FCA74C089CCh
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [0003572Ch], 00000000h
mov ebx, ecx
jne 00007FCA74C08A49h
cmp ecx, 01h
jnbe 00007FCA74C08A4Ch
call 00007FCA74C08F7Eh
test eax, eax
je 00007FCA74C08A0Ah
test ebx, ebx
jne 00007FCA74C08A06h
dec eax
lea ecx, dword ptr [00035716h]
call 00007FCA74C15D32h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3ca5c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0xf41c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x44000	0x2250	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x57000	0x764	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a080	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39f40	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x4a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29f00	0x2a000	2a7ae207b6295492e9da088072661752	False	0.5514439174107143	data	6.487454925709845	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12a50	0x12c00	98002c842762aa79923a185df4bfaa5d	False	0.5244661458333333	data	5.752640246650302	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x53f8	0xe00	dba0caeecab624a0ccc0d577241601d1	False	0.134765625	data	1.8392217063172436	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x44000	0x2250	0x2400	f5559f14427a02f0a5dbd0dd026cae54	False	0.470703125	data	5.291665041994019	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x47000	0xf41c	0xf600	455788c285fcfdcb4008bc77e762818a	False	0.803099593495935	data	7.5549760623589695	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x57000	0x764	0x800	816c68eeb419ee2c08656c31c06a0fff	False	0.5576171875	data	5.2809528666624175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x47208	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.585820895522388
RT_ICON	0x480b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.7360108303249098
RT_ICON	0x48958	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.755057803468208
RT_ICON	0x48ec0	0x952c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9975384937676757
RT_ICON	0x523ec	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.3887966804979253
RT_ICON	0x54994	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.49530956848030017
RT_ICON	0x55a3c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.7207446808510638
RT_GROUP_ICON	0x55ea4	0x68	data	0.7019230769230769
RT_MANIFEST	0x55f0c	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-10T17:25:13.442135+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.5	49713	TCP
2024-11-10T17:25:52.233923+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.5	49900	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 10, 2024 17:24:59.040965080 CET	49706	80	192.168.2.5	34.160.111.145
Nov 10, 2024 17:24:59.045871973 CET	80	49706	34.160.111.145	192.168.2.5
Nov 10, 2024 17:24:59.045936108 CET	49706	80	192.168.2.5	34.160.111.145
Nov 10, 2024 17:24:59.048742056 CET	49706	80	192.168.2.5	34.160.111.145
Nov 10, 2024 17:24:59.055908918 CET	80	49706	34.160.111.145	192.168.2.5
Nov 10, 2024 17:24:59.650902033 CET	80	49706	34.160.111.145	192.168.2.5
Nov 10, 2024 17:24:59.657798052 CET	49706	80	192.168.2.5	34.160.111.145
Nov 10, 2024 17:24:59.663069010 CET	80	49706	34.160.111.145	192.168.2.5
Nov 10, 2024 17:24:59.663189888 CET	49706	80	192.168.2.5	34.160.111.145
Nov 10, 2024 17:25:02.802824974 CET	49708	443	192.168.2.5	104.26.13.205
Nov 10, 2024 17:25:02.802856922 CET	443	49708	104.26.13.205	192.168.2.5
Nov 10, 2024 17:25:02.802932978 CET	49708	443	192.168.2.5	104.26.13.205
Nov 10, 2024 17:25:02.803488970 CET	49708	443	192.168.2.5	104.26.13.205
Nov 10, 2024 17:25:02.803503990 CET	443	49708	104.26.13.205	192.168.2.5
Nov 10, 2024 17:25:02.814146042 CET	49709	443	192.168.2.5	45.112.123.126
Nov 10, 2024 17:25:02.814179897 CET	443	49709	45.112.123.126	192.168.2.5
Nov 10, 2024 17:25:02.814245939 CET	49709	443	192.168.2.5	45.112.123.126
Nov 10, 2024 17:25:02.814551115 CET	49709	443	192.168.2.5	45.112.123.126
Nov 10, 2024 17:25:02.814560890 CET	443	49709	45.112.123.126	192.168.2.5
Nov 10, 2024 17:25:03.420521975 CET	443	49708	104.26.13.205	192.168.2.5
Nov 10, 2024 17:25:03.462091923 CET	49708	443	192.168.2.5	104.26.13.205
Nov 10, 2024 17:25:03.521219015 CET	49708	443	192.168.2.5	104.26.13.205
Nov 10, 2024 17:25:03.521225929 CET	443	49708	104.26.13.205	192.168.2.5
Nov 10, 2024 17:25:03.522521019 CET	443	49708	104.26.13.205	192.168.2.5
Nov 10, 2024 17:25:03.522587061 CET	49708	443	192.168.2.5	104.26.13.205
Nov 10, 2024 17:25:03.540735960 CET	49708	443	192.168.2.5	104.26.13.205
Nov 10, 2024 17:25:03.540868998 CET	49708	443	192.168.2.5	104.26.13.205
Nov 10, 2024 17:25:03.549812078 CET	49710	443	192.168.2.5	159.89.102.253
Nov 10, 2024 17:25:03.549855947 CET	443	49710	159.89.102.253	192.168.2.5
Nov 10, 2024 17:25:03.549925089 CET	49710	443	192.168.2.5	159.89.102.253
Nov 10, 2024 17:25:03.583906889 CET	49710	443	192.168.2.5	159.89.102.253
Nov 10, 2024 17:25:03.583954096 CET	443	49710	159.89.102.253	192.168.2.5
Nov 10, 2024 17:25:03.644551039 CET	443	49709	45.112.123.126	192.168.2.5
Nov 10, 2024 17:25:03.645025015 CET	49709	443	192.168.2.5	45.112.123.126
Nov 10, 2024 17:25:03.645049095 CET	443	49709	45.112.123.126	192.168.2.5
Nov 10, 2024 17:25:03.646198034 CET	443	49709	45.112.123.126	192.168.2.5
Nov 10, 2024 17:25:03.646255016 CET	49709	443	192.168.2.5	45.112.123.126
Nov 10, 2024 17:25:03.647480965 CET	49709	443	192.168.2.5	45.112.123.126
Nov 10, 2024 17:25:03.647619963 CET	443	49709	45.112.123.126	192.168.2.5
Nov 10, 2024 17:25:03.647666931 CET	49709	443	192.168.2.5	45.112.123.126
Nov 10, 2024 17:25:03.647699118 CET	49709	443	192.168.2.5	45.112.123.126
Nov 10, 2024 17:25:03.648739100 CET	49711	443	192.168.2.5	104.26.13.205
Nov 10, 2024 17:25:03.648771048 CET	443	49711	104.26.13.205	192.168.2.5
Nov 10, 2024 17:25:03.648833036 CET	49711	443	192.168.2.5	104.26.13.205
Nov 10, 2024 17:25:03.649072886 CET	49711	443	192.168.2.5	104.26.13.205
Nov 10, 2024 17:25:03.649082899 CET	443	49711	104.26.13.205	192.168.2.5
Nov 10, 2024 17:25:04.252476931 CET	443	49711	104.26.13.205	192.168.2.5
Nov 10, 2024 17:25:04.252909899 CET	49711	443	192.168.2.5	104.26.13.205
Nov 10, 2024 17:25:04.252933025 CET	443	49711	104.26.13.205	192.168.2.5
Nov 10, 2024 17:25:04.253943920 CET	443	49711	104.26.13.205	192.168.2.5
Nov 10, 2024 17:25:04.254021883 CET	49711	443	192.168.2.5	104.26.13.205
Nov 10, 2024 17:25:04.254868031 CET	49711	443	192.168.2.5	104.26.13.205
Nov 10, 2024 17:25:04.254980087 CET	49711	443	192.168.2.5	104.26.13.205
Nov 10, 2024 17:25:04.255856991 CET	49712	443	192.168.2.5	159.89.102.253
Nov 10, 2024 17:25:04.255898952 CET	443	49712	159.89.102.253	192.168.2.5
Nov 10, 2024 17:25:04.255976915 CET	49712	443	192.168.2.5	159.89.102.253
Nov 10, 2024 17:25:04.256246090 CET	49712	443	192.168.2.5	159.89.102.253
Nov 10, 2024 17:25:04.256261110 CET	443	49712	159.89.102.253	192.168.2.5
Nov 10, 2024 17:25:04.668863058 CET	443	49710	159.89.102.253	192.168.2.5
Nov 10, 2024 17:25:04.669331074 CET	49710	443	192.168.2.5	159.89.102.253
Nov 10, 2024 17:25:04.669351101 CET	443	49710	159.89.102.253	192.168.2.5
Nov 10, 2024 17:25:04.670229912 CET	443	49710	159.89.102.253	192.168.2.5
Nov 10, 2024 17:25:04.670300007 CET	49710	443	192.168.2.5	159.89.102.253
Nov 10, 2024 17:25:04.671107054 CET	49710	443	192.168.2.5	159.89.102.253
Nov 10, 2024 17:25:04.671217918 CET	49710	443	192.168.2.5	159.89.102.253
Nov 10, 2024 17:25:05.404012918 CET	443	49712	159.89.102.253	192.168.2.5
Nov 10, 2024 17:25:05.404443979 CET	49712	443	192.168.2.5	159.89.102.253
Nov 10, 2024 17:25:05.404464006 CET	443	49712	159.89.102.253	192.168.2.5
Nov 10, 2024 17:25:05.405592918 CET	443	49712	159.89.102.253	192.168.2.5
Nov 10, 2024 17:25:05.405656099 CET	49712	443	192.168.2.5	159.89.102.253
Nov 10, 2024 17:25:05.406549931 CET	49712	443	192.168.2.5	159.89.102.253
Nov 10, 2024 17:25:05.406666994 CET	49712	443	192.168.2.5	159.89.102.253
Nov 10, 2024 17:25:19.180866957 CET	49727	80	192.168.2.5	34.160.111.145
Nov 10, 2024 17:25:19.379733086 CET	80	49727	34.160.111.145	192.168.2.5
Nov 10, 2024 17:25:19.379827023 CET	49727	80	192.168.2.5	34.160.111.145
Nov 10, 2024 17:25:19.380078077 CET	49727	80	192.168.2.5	34.160.111.145
Nov 10, 2024 17:25:19.388114929 CET	80	49727	34.160.111.145	192.168.2.5
Nov 10, 2024 17:25:20.006977081 CET	80	49727	34.160.111.145	192.168.2.5
Nov 10, 2024 17:25:20.012182951 CET	49727	80	192.168.2.5	34.160.111.145
Nov 10, 2024 17:25:20.017678976 CET	80	49727	34.160.111.145	192.168.2.5
Nov 10, 2024 17:25:20.017740965 CET	49727	80	192.168.2.5	34.160.111.145
Nov 10, 2024 17:25:22.220046997 CET	49743	443	192.168.2.5	104.26.13.205
Nov 10, 2024 17:25:22.220088005 CET	443	49743	104.26.13.205	192.168.2.5
Nov 10, 2024 17:25:22.220165014 CET	49743	443	192.168.2.5	104.26.13.205
Nov 10, 2024 17:25:22.220819950 CET	49743	443	192.168.2.5	104.26.13.205
Nov 10, 2024 17:25:22.220834017 CET	443	49743	104.26.13.205	192.168.2.5
Nov 10, 2024 17:25:22.240679026 CET	49744	443	192.168.2.5	45.112.123.126
Nov 10, 2024 17:25:22.240714073 CET	443	49744	45.112.123.126	192.168.2.5
Nov 10, 2024 17:25:22.240835905 CET	49744	443	192.168.2.5	45.112.123.126
Nov 10, 2024 17:25:22.241281033 CET	49744	443	192.168.2.5	45.112.123.126
Nov 10, 2024 17:25:22.241297007 CET	443	49744	45.112.123.126	192.168.2.5
Nov 10, 2024 17:25:22.837829113 CET	443	49743	104.26.13.205	192.168.2.5
Nov 10, 2024 17:25:22.838469028 CET	49743	443	192.168.2.5	104.26.13.205
Nov 10, 2024 17:25:22.838489056 CET	443	49743	104.26.13.205	192.168.2.5
Nov 10, 2024 17:25:22.839525938 CET	443	49743	104.26.13.205	192.168.2.5
Nov 10, 2024 17:25:22.839591980 CET	49743	443	192.168.2.5	104.26.13.205
Nov 10, 2024 17:25:22.840946913 CET	49743	443	192.168.2.5	104.26.13.205
Nov 10, 2024 17:25:22.841079950 CET	49743	443	192.168.2.5	104.26.13.205
Nov 10, 2024 17:25:22.842089891 CET	49750	443	192.168.2.5	159.89.102.253
Nov 10, 2024 17:25:22.842128038 CET	443	49750	159.89.102.253	192.168.2.5
Nov 10, 2024 17:25:22.842624903 CET	49750	443	192.168.2.5	159.89.102.253
Nov 10, 2024 17:25:22.842624903 CET	49750	443	192.168.2.5	159.89.102.253
Nov 10, 2024 17:25:22.842658043 CET	443	49750	159.89.102.253	192.168.2.5
Nov 10, 2024 17:25:23.081732988 CET	443	49744	45.112.123.126	192.168.2.5
Nov 10, 2024 17:25:23.082159042 CET	49744	443	192.168.2.5	45.112.123.126
Nov 10, 2024 17:25:23.082190037 CET	443	49744	45.112.123.126	192.168.2.5
Nov 10, 2024 17:25:23.083241940 CET	443	49744	45.112.123.126	192.168.2.5
Nov 10, 2024 17:25:23.083317995 CET	49744	443	192.168.2.5	45.112.123.126
Nov 10, 2024 17:25:23.084320068 CET	49744	443	192.168.2.5	45.112.123.126
Nov 10, 2024 17:25:23.084460974 CET	49744	443	192.168.2.5	45.112.123.126
Nov 10, 2024 17:25:23.085680962 CET	49751	443	192.168.2.5	104.26.13.205
Nov 10, 2024 17:25:23.085705996 CET	443	49751	104.26.13.205	192.168.2.5
Nov 10, 2024 17:25:23.086088896 CET	49751	443	192.168.2.5	104.26.13.205
Nov 10, 2024 17:25:23.086088896 CET	49751	443	192.168.2.5	104.26.13.205
Nov 10, 2024 17:25:23.086117983 CET	443	49751	104.26.13.205	192.168.2.5
Nov 10, 2024 17:25:23.691342115 CET	443	49751	104.26.13.205	192.168.2.5
Nov 10, 2024 17:25:23.692496061 CET	49751	443	192.168.2.5	104.26.13.205
Nov 10, 2024 17:25:23.692509890 CET	443	49751	104.26.13.205	192.168.2.5
Nov 10, 2024 17:25:23.693532944 CET	443	49751	104.26.13.205	192.168.2.5
Nov 10, 2024 17:25:23.693613052 CET	49751	443	192.168.2.5	104.26.13.205
Nov 10, 2024 17:25:23.694540977 CET	49751	443	192.168.2.5	104.26.13.205
Nov 10, 2024 17:25:23.694674015 CET	49751	443	192.168.2.5	104.26.13.205
Nov 10, 2024 17:25:23.695851088 CET	49757	443	192.168.2.5	159.89.102.253
Nov 10, 2024 17:25:23.695883989 CET	443	49757	159.89.102.253	192.168.2.5
Nov 10, 2024 17:25:23.695986032 CET	49757	443	192.168.2.5	159.89.102.253
Nov 10, 2024 17:25:23.696331024 CET	49757	443	192.168.2.5	159.89.102.253
Nov 10, 2024 17:25:23.696341991 CET	443	49757	159.89.102.253	192.168.2.5
Nov 10, 2024 17:25:23.941987038 CET	443	49750	159.89.102.253	192.168.2.5
Nov 10, 2024 17:25:23.942424059 CET	49750	443	192.168.2.5	159.89.102.253
Nov 10, 2024 17:25:23.942436934 CET	443	49750	159.89.102.253	192.168.2.5
Nov 10, 2024 17:25:23.943938971 CET	443	49750	159.89.102.253	192.168.2.5
Nov 10, 2024 17:25:23.944009066 CET	49750	443	192.168.2.5	159.89.102.253
Nov 10, 2024 17:25:23.944928885 CET	49750	443	192.168.2.5	159.89.102.253
Nov 10, 2024 17:25:23.945087910 CET	49750	443	192.168.2.5	159.89.102.253
Nov 10, 2024 17:25:24.798726082 CET	443	49757	159.89.102.253	192.168.2.5
Nov 10, 2024 17:25:24.799171925 CET	49757	443	192.168.2.5	159.89.102.253
Nov 10, 2024 17:25:24.799204111 CET	443	49757	159.89.102.253	192.168.2.5
Nov 10, 2024 17:25:24.800287962 CET	443	49757	159.89.102.253	192.168.2.5
Nov 10, 2024 17:25:24.800354004 CET	49757	443	192.168.2.5	159.89.102.253
Nov 10, 2024 17:25:24.801263094 CET	49757	443	192.168.2.5	159.89.102.253
Nov 10, 2024 17:25:24.801409960 CET	49757	443	192.168.2.5	159.89.102.253

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 10, 2024 17:24:59.027899027 CET	60086	53	192.168.2.5	1.1.1.1
Nov 10, 2024 17:24:59.035130024 CET	53	60086	1.1.1.1	192.168.2.5
Nov 10, 2024 17:25:02.789519072 CET	59726	53	192.168.2.5	1.1.1.1
Nov 10, 2024 17:25:02.796853065 CET	53	59726	1.1.1.1	192.168.2.5
Nov 10, 2024 17:25:02.804380894 CET	53211	53	192.168.2.5	1.1.1.1
Nov 10, 2024 17:25:02.811409950 CET	53	53211	1.1.1.1	192.168.2.5
Nov 10, 2024 17:25:03.541624069 CET	63508	53	192.168.2.5	1.1.1.1
Nov 10, 2024 17:25:03.549254894 CET	53	63508	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 10, 2024 17:24:59.027899027 CET	192.168.2.5	1.1.1.1	0xb4f2	Standard query (0)	ifconfig.me	A (IP address)	IN (0x0001)	false
Nov 10, 2024 17:25:02.789519072 CET	192.168.2.5	1.1.1.1	0x3655	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 10, 2024 17:25:02.804380894 CET	192.168.2.5	1.1.1.1	0x5e09	Standard query (0)	api.gofile.io	A (IP address)	IN (0x0001)	false
Nov 10, 2024 17:25:03.541624069 CET	192.168.2.5	1.1.1.1	0xd068	Standard query (0)	geolocation-db.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 10, 2024 17:24:59.035130024 CET	1.1.1.1	192.168.2.5	0xb4f2	No error (0)	ifconfig.me	34.160.111.145	A (IP address)	IN (0x0001)	false
Nov 10, 2024 17:25:02.796853065 CET	1.1.1.1	192.168.2.5	0x3655	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 10, 2024 17:25:02.796853065 CET	1.1.1.1	192.168.2.5	0x3655	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 10, 2024 17:25:02.796853065 CET	1.1.1.1	192.168.2.5	0x3655	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 10, 2024 17:25:02.811409950 CET	1.1.1.1	192.168.2.5	0x5e09	No error (0)	api.gofile.io	45.112.123.126	A (IP address)	IN (0x0001)	false
Nov 10, 2024 17:25:03.549254894 CET	1.1.1.1	192.168.2.5	0xd068	No error (0)	geolocation-db.com	159.89.102.253	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ifconfig.me

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	34.160.111.145	80	6504	C:\Windows\System32\curl.exe

Timestamp	Bytes transferred	Direction	Data
Nov 10, 2024 17:24:59.048742056 CET	75	OUT	GET / HTTP/1.1 Host: ifconfig.me User-Agent: curl/7.83.1 Accept: /
Nov 10, 2024 17:24:59.650902033 CET	165	IN	HTTP/1.1 200 OK date: Sun, 10 Nov 2024 16:24:59 GMT content-type: text/plain Content-Length: 14 access-control-allow-origin: * via: 1.1 google Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 Data Ascii: 173.254.250.72

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49727	34.160.111.145	80	1396	C:\Windows\System32\curl.exe

Timestamp	Bytes transferred	Direction	Data
Nov 10, 2024 17:25:19.380078077 CET	75	OUT	GET / HTTP/1.1 Host: ifconfig.me User-Agent: curl/7.83.1 Accept: /
Nov 10, 2024 17:25:20.006977081 CET	165	IN	HTTP/1.1 200 OK date: Sun, 10 Nov 2024 16:25:19 GMT content-type: text/plain Content-Length: 14 access-control-allow-origin: * via: 1.1 google Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 Data Ascii: 173.254.250.72

Target ID:	0
Start time:	11:24:54
Start date:	10/11/2024
Path:	C:\Users\user\Desktop\Creal.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Creal.exe"
Imagebase:	0x7ff77a800000
File size:	16'912'015 bytes
MD5 hash:	017603B860F67F7F65F724E519465926
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	11:24:56
Start date:	10/11/2024
Path:	C:\Users\user\Desktop\Creal.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Creal.exe"
Imagebase:	0x7ff77a800000
File size:	16'912'015 bytes
MD5 hash:	017603B860F67F7F65F724E519465926
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000002.00000002.3274927958.000002710E510000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	11:24:57
Start date:	10/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "curl ifconfig.me"
Imagebase:	0x7ff765be0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:24:57
Start date:	10/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:24:57
Start date:	10/11/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl ifconfig.me
Imagebase:	0x7ff6a3070000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:25:13
Start date:	10/11/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe"
Imagebase:	0x7ff6a11c0000
File size:	16'912'015 bytes
MD5 hash:	017603B860F67F7F65F724E519465926
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	11:25:16
Start date:	10/11/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe"
Imagebase:	0x7ff6a11c0000
File size:	16'912'015 bytes
MD5 hash:	017603B860F67F7F65F724E519465926
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000008.00000003.2241184493.0000019819C94000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000008.00000003.2240741453.0000019819C93000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CrealStealer, Description: Yara detected Creal Stealer, Source: 00000008.00000002.3274781930.000001981A390000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	11:25:17
Start date:	10/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "curl ifconfig.me"
Imagebase:	0x7ff765be0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:25:17
Start date:	10/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:25:17
Start date:	10/11/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl ifconfig.me
Imagebase:	0x7ff6a3070000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	17.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	34

Executed Functions

Function 00007FF77A8089E0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257
synchronizationwindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF77A809390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF77A8045F4,00000000,00007FF77A801985), ref: 00007FF77A8093C9

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF77A803F7F), ref: 00007FF77A808A3B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF77A803F7F), ref: 00007FF77A808A56

Part of subcall function 00007FF77A81A47C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77A81A490

Part of subcall function 00007FF77A81871C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77A818783

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF77A803F7F), ref: 00007FF77A808AE6
CreateProcessW.KERNELBASE ref: 00007FF77A808B1E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF77A803F7F), ref: 00007FF77A808B28

Part of subcall function 00007FF77A802C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF77A803706,?,00007FF77A803804), ref: 00007FF77A802C9E
Part of subcall function 00007FF77A802C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF77A803706,?,00007FF77A803804), ref: 00007FF77A802D63
Part of subcall function 00007FF77A802C50: MessageBoxW.USER32 ref: 00007FF77A802D99

RegisterClassW.USER32 ref: 00007FF77A808B80
GetLastError.KERNEL32(?,FFFFFFFF,00007FF77A803F7F), ref: 00007FF77A808B8B
CreateWindowExW.USER32 ref: 00007FF77A808BD5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF77A803F7F), ref: 00007FF77A808BE7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF77A803F7F), ref: 00007FF77A808C02
GetLastError.KERNEL32(?,FFFFFFFF,00007FF77A803F7F), ref: 00007FF77A808C15
PeekMessageW.USER32 ref: 00007FF77A808C39
TranslateMessage.USER32 ref: 00007FF77A808C47
DispatchMessageW.USER32(?,FFFFFFFF,00007FF77A803F7F), ref: 00007FF77A808C51
PeekMessageW.USER32 ref: 00007FF77A808C6C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF77A803F7F), ref: 00007FF77A808C7E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF77A803F7F), ref: 00007FF77A808C99
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF77A803F7F), ref: 00007FF77A808CAF
GetLastError.KERNEL32(?,FFFFFFFF,00007FF77A803F7F), ref: 00007FF77A808CB9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF77A803F7F), ref: 00007FF77A808CC7
DestroyWindow.USER32(?,FFFFFFFF,00007FF77A803F7F), ref: 00007FF77A808E04
GetExitCodeProcess.KERNEL32 ref: 00007FF77A808E19
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF77A803F7F), ref: 00007FF77A808E22
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF77A803F7F), ref: 00007FF77A808E2F

Strings

PyInstaller Onefile Hidden Window, xrefs: 00007FF77A808B95
Failed to create child process!, xrefs: 00007FF77A808B30
CreateProcessW, xrefs: 00007FF77A808B37
PyInstallerOnefileHiddenWindow, xrefs: 00007FF77A808B54

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction ID: d2734a3dbce7b3e8d001db72abf59fa02c8e0f072cc4728fa78ad69183950cc2
Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction Fuzzy Hash: 05D14033A39A8286F711AF34E8582BAF7A0FB48758F804275DA5D43AA4DF3CD5648710

Function 00007FF77A801000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 511
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF77A803882, 00007FF77A8038AF
pyi-contents-directory, xrefs: 00007FF77A803B8D
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF77A803BE8
Failed to convert DLL search path!, xrefs: 00007FF77A803DDC
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF77A803D12
pyi-runtime-tmpdir, xrefs: 00007FF77A803B68
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF77A8039DE
Failed to load splash screen resources!, xrefs: 00007FF77A803E85
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF77A803E0A
pyi-python-flag, xrefs: 00007FF77A803AD6
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF77A803D35
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF77A803971
VCRUNTIME140.dll, xrefs: 00007FF77A803DB1
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF77A803A17, 00007FF77A803A2F, 00007FF77A803A9B
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF77A803B32
_PYI_SPLASH_IPC, xrefs: 00007FF77A803A23, 00007FF77A803EF5
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF77A803EBB
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF77A803EA6
Failed to start splash screen!, xrefs: 00007FF77A803ED4
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF77A803C61
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF77A803A0B, 00007FF77A803CD4, 00007FF77A803F6B
pkg, xrefs: 00007FF77A8039BE
Could not create temporary directory!, xrefs: 00007FF77A803CBF
_PYI_ARCHIVE_FILE, xrefs: 00007FF77A8038D2, 00007FF77A8039FF
MEI, xrefs: 00007FF77A803933
Failed to remove temporary directory: %s, xrefs: 00007FF77A803FCF
Py_GIL_DISABLED, xrefs: 00007FF77A803AF4
pyi-disable-windowed-traceback, xrefs: 00007FF77A803BB2

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag$pyi-runtime-tmpdir
API String ID: 2776309574-4232158417
Opcode ID: 824ed701c3c560fed3adc96ede838a2023945a6ada8c955277e175104ca074ca
Instruction ID: c9b8a401d84b71e2fcb48cc5b43b39384e40f64dec1ff4a864cff88abcc38a76
Opcode Fuzzy Hash: 824ed701c3c560fed3adc96ede838a2023945a6ada8c955277e175104ca074ca
Instruction Fuzzy Hash: CF328D63A38A8291FB1BB725D5552BAE6D1EF44780FC440B6DA4D422F6EF2CE574C320

Function 00007FF77A825C00 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF77A825C45

Part of subcall function 00007FF77A825598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77A8255AC

Part of subcall function 00007FF77A81A948: RtlFreeHeap.NTDLL(?,?,?,00007FF77A822D22,?,?,?,00007FF77A822D5F,?,?,00000000,00007FF77A823225,?,?,?,00007FF77A823157), ref: 00007FF77A81A95E
Part of subcall function 00007FF77A81A948: GetLastError.KERNEL32(?,?,?,00007FF77A822D22,?,?,?,00007FF77A822D5F,?,?,00000000,00007FF77A823225,?,?,?,00007FF77A823157), ref: 00007FF77A81A968

Part of subcall function 00007FF77A81A900: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF77A81A8DF,?,?,?,?,?,00007FF77A81A7CA), ref: 00007FF77A81A909
Part of subcall function 00007FF77A81A900: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF77A81A8DF,?,?,?,?,?,00007FF77A81A7CA), ref: 00007FF77A81A92E

_get_daylight.LIBCMT ref: 00007FF77A825C34

Part of subcall function 00007FF77A8255F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77A82560C

_get_daylight.LIBCMT ref: 00007FF77A825EAA
_get_daylight.LIBCMT ref: 00007FF77A825EBB
_get_daylight.LIBCMT ref: 00007FF77A825ECC
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF77A82610C), ref: 00007FF77A825EF3

Strings

Eastern Standard Time, xrefs: 00007FF77A825F99
Eastern Summer Time, xrefs: 00007FF77A825FB1

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
Instruction ID: ac35fc0822cc96aaa4e45162bd4fe6afd783e54cfd4d17a61a5d0dd104b23451
Opcode Fuzzy Hash: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
Instruction Fuzzy Hash: 1ED1D127A3824246F72ABF21D8411B9E751FF84794FC48276EA0D476E5EF3CE4618760

Function 00007FF77A826964 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF77A826698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77A8266D9
Part of subcall function 00007FF77A826698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77A826757
Part of subcall function 00007FF77A826698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77A8267A8

CreateFileW.KERNELBASE ref: 00007FF77A826A6A
CreateFileW.KERNEL32 ref: 00007FF77A826ABA
GetLastError.KERNEL32 ref: 00007FF77A826AEA
GetFileType.KERNELBASE ref: 00007FF77A826AFF
GetLastError.KERNEL32 ref: 00007FF77A826B09
CloseHandle.KERNEL32 ref: 00007FF77A826B3C
CloseHandle.KERNEL32 ref: 00007FF77A826C9F
CreateFileW.KERNEL32 ref: 00007FF77A826CD4
GetLastError.KERNEL32 ref: 00007FF77A826CE3

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction ID: 1eae22ca7cdb0205b4883194a906c2ce7cca20ce3a418606e81f6a8b61932562
Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction Fuzzy Hash: DEC18C33A38A4686FB11EF65C4906BCB761E749BA8B814279DA1E577E4DF38D061C310

Function 00007FF77A825E7C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF77A825EAA

Part of subcall function 00007FF77A8255F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77A82560C

_get_daylight.LIBCMT ref: 00007FF77A825EBB

Part of subcall function 00007FF77A825598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77A8255AC

_get_daylight.LIBCMT ref: 00007FF77A825ECC

Part of subcall function 00007FF77A8255C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77A8255DC

Part of subcall function 00007FF77A81A948: RtlFreeHeap.NTDLL(?,?,?,00007FF77A822D22,?,?,?,00007FF77A822D5F,?,?,00000000,00007FF77A823225,?,?,?,00007FF77A823157), ref: 00007FF77A81A95E
Part of subcall function 00007FF77A81A948: GetLastError.KERNEL32(?,?,?,00007FF77A822D22,?,?,?,00007FF77A822D5F,?,?,00000000,00007FF77A823225,?,?,?,00007FF77A823157), ref: 00007FF77A81A968

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF77A82610C), ref: 00007FF77A825EF3

Strings

Eastern Standard Time, xrefs: 00007FF77A825F99
Eastern Summer Time, xrefs: 00007FF77A825FB1

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: 6f2171165b001c2744b9d494c76d2a7753c36df5ed5d67f3075860c83c0dbe14
Instruction ID: cfa0a692a2d4eefcbee3b4cb1c181cc40364cce5fcf0acfd54bf3f5229086ca8
Opcode Fuzzy Hash: 6f2171165b001c2744b9d494c76d2a7753c36df5ed5d67f3075860c83c0dbe14
Instruction Fuzzy Hash: 4F516C33A3864286F716EF21E9811B9E360FB48794FC042B6EA4D476E5DF3CE4618760

Function 00007FF77A809280 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF77A8092B3
FindClose.KERNELBASE ref: 00007FF77A8092C2

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction ID: c07d237357ad059ed8afe6ae591b2179998d84a6897a83ed5549c4517b96ae90
Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction Fuzzy Hash: 37F0A423A3964286F7619B64B498766F390BB84724F840235E9BD02AE4DF3CD0688A00

Function 00007FF77A8208C8 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 537422541fbed36a77ddee3a41e978a3695e14332b64c7d8d0a2d6c09592a1ae
Instruction ID: 8a2f76f307352e1cc7ed3e4492f6525b6a99933c2c3b2ce7cae005c02ea4f00c
Opcode Fuzzy Hash: 537422541fbed36a77ddee3a41e978a3695e14332b64c7d8d0a2d6c09592a1ae
Instruction Fuzzy Hash: D7029623A3D64645FA57BB119410279EAA0AF41BA0FC546B5DD7D4B3F2EE3CE8618330

Function 00007FF77A801950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF77A807F90: _fread_nolock.LIBCMT ref: 00007FF77A80803A

_fread_nolock.LIBCMT ref: 00007FF77A801A1B

Part of subcall function 00007FF77A802910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF77A801B6A), ref: 00007FF77A80295E

Strings

Could not read full TOC!, xrefs: 00007FF77A801B55
Could not allocate buffer for TOC!, xrefs: 00007FF77A801B1B
fread, xrefs: 00007FF77A801A32, 00007FF77A801B5C
calloc, xrefs: 00007FF77A801A68
MEI, xrefs: 00007FF77A801991
Failed to seek to cookie position!, xrefs: 00007FF77A8019EE
fseek, xrefs: 00007FF77A8019F5
malloc, xrefs: 00007FF77A801B22
Failed to read cookie!, xrefs: 00007FF77A801A2B
Could not allocate memory for archive structure!, xrefs: 00007FF77A801A61
Error on file., xrefs: 00007FF77A801B8D

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: bcbc45470d282000346a2dbbd26572b59944004f25f427ec07b9d33b56543599
Instruction ID: 101b192b7f60a15506a12e8ce980da7159b136c8d8aee5a4eec3a2e338dd3992
Opcode Fuzzy Hash: bcbc45470d282000346a2dbbd26572b59944004f25f427ec07b9d33b56543599
Instruction Fuzzy Hash: 2E81E573A3D68286F722EB14D0452BAE3E0EF48780FC44475D98D437A5EE3CE5A58760

Function 00007FF77A801600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to create symbolic link %s!, xrefs: 00007FF77A801622
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF77A8017DF
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF77A801742
Failed to extract %s: failed to open target file!, xrefs: 00007FF77A80165C
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF77A8016DA
Failed to extract %s: failed to open archive file!, xrefs: 00007FF77A8016A2
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF77A8017CA
fwrite, xrefs: 00007FF77A8017D1
fread, xrefs: 00007FF77A8017E6
fseek, xrefs: 00007FF77A8016E1
malloc, xrefs: 00007FF77A801749
fopen, xrefs: 00007FF77A801663

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: 072a8e60094502cab9b96734686b7b67598e91e59fbdaf3113bd79295414d11d
Instruction ID: e0d1c295cd9e3351addf16b3b90fcf1ead9f2af79eb91b0b93bf90da49bbaccb
Opcode Fuzzy Hash: 072a8e60094502cab9b96734686b7b67598e91e59fbdaf3113bd79295414d11d
Instruction Fuzzy Hash: C3519C63A3964682FA12BB1198001BAE3A0BF447A4FC445B5EE1C477F6EE3CE5758360

Function 00007FF77A808660 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF77A803CBB), ref: 00007FF77A808704
GetCurrentProcessId.KERNEL32(?,00000000,00007FF77A803CBB), ref: 00007FF77A80870A
CreateDirectoryW.KERNELBASE(?,00000000,00007FF77A803CBB), ref: 00007FF77A80874C

Part of subcall function 00007FF77A808830: GetEnvironmentVariableW.KERNEL32(00007FF77A80388E), ref: 00007FF77A808867
Part of subcall function 00007FF77A808830: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF77A808889

Part of subcall function 00007FF77A818238: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77A818251

Part of subcall function 00007FF77A802810: MessageBoxW.USER32 ref: 00007FF77A8028EA

Strings

LOADER: failed to set the TMP environment variable., xrefs: 00007FF77A8086DC
_MEI%d, xrefs: 00007FF77A808712
TMP, xrefs: 00007FF77A8086C2
TMP, xrefs: 00007FF77A80869C, 00007FF77A8087A3
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF77A80877E

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
Instruction ID: cdd9c80505c6736a6e7e6a8b0842b6f864d385dbf36898f7555b925f136e80c3
Opcode Fuzzy Hash: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
Instruction Fuzzy Hash: DE41B113A3A64244FA16B72198552BAE290AF487C0FC404B5ED0D477FAEE3CE4A1C760

Function 00007FF77A801210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF77A80141E
1.3.1, xrefs: 00007FF77A801249
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF77A801276
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF77A8012EF
malloc, xrefs: 00007FF77A8012C1, 00007FF77A8012F6
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF77A8012BA

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: c68ada16c8054f5beab9184a2d33c9fb43cd0d4882f5edf9030f6e60bcef94b6
Instruction ID: feceda8afeee949dc02d32abde7a03b7c39a5d7e83b2211dd0310cb5e60656cd
Opcode Fuzzy Hash: c68ada16c8054f5beab9184a2d33c9fb43cd0d4882f5edf9030f6e60bcef94b6
Instruction Fuzzy Hash: 8551CF23A39A4285F622BB11E4003BAE2D1BF847A4FC84575EE4D477E5EE3CE4618720

Function 00007FF77A8036B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF77A803804), ref: 00007FF77A8036E1
GetLastError.KERNEL32(?,00007FF77A803804), ref: 00007FF77A8036EB

Part of subcall function 00007FF77A802C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF77A803706,?,00007FF77A803804), ref: 00007FF77A802C9E
Part of subcall function 00007FF77A802C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF77A803706,?,00007FF77A803804), ref: 00007FF77A802D63
Part of subcall function 00007FF77A802C50: MessageBoxW.USER32 ref: 00007FF77A802D99

Strings

GetModuleFileNameW, xrefs: 00007FF77A8036FA
Failed to resolve full path to executable %ls., xrefs: 00007FF77A803739
Failed to obtain executable path., xrefs: 00007FF77A8036F3
\\?\, xrefs: 00007FF77A80375A
Failed to convert executable path to UTF-8., xrefs: 00007FF77A803790

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction ID: dc3ca2f4c4b5dcfbcebf957f030a81dd1569d1837a67c2a48419cdf701f5e186
Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction Fuzzy Hash: 592156A3F3854251FA27B724E8153B7E290BF88354FC04176E65D865F5EE2CE524C760

Function 00007FF77A81BA5C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A81BE89

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1c0df5e74df0118619baac061aee596465bcef498cfc928fc9eaa168a483e3b3
Instruction ID: 294c4569b739a5326916fd4b1a06613f8b7ee3af8f6c7e39521050f1ef2ac7e3
Opcode Fuzzy Hash: 1c0df5e74df0118619baac061aee596465bcef498cfc928fc9eaa168a483e3b3
Instruction Fuzzy Hash: 4DC1132393C68681F762BB15D0486BDEB50EB81B80FD909B9EA4D073B1DE7CE4658720

Function 00007FF77A808570 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF77A808590
OpenProcessToken.ADVAPI32 ref: 00007FF77A8085A3
GetTokenInformation.KERNELBASE ref: 00007FF77A8085C8
GetLastError.KERNEL32 ref: 00007FF77A8085D2
GetTokenInformation.KERNELBASE ref: 00007FF77A808612
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF77A80862E
CloseHandle.KERNEL32 ref: 00007FF77A808646

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
Instruction ID: c35c33ec9d09fdcaa78eea8cb519ba6bb8b6cc9114f2af9c7f5535f8639c8815
Opcode Fuzzy Hash: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
Instruction Fuzzy Hash: 3E216F32A2C64242FA11AB55F44823AE3E0FB857A1F900275EA6C43BF4DE6CD4958710

Function 00007FF77A8090E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF77A808570: GetCurrentProcess.KERNEL32 ref: 00007FF77A808590
Part of subcall function 00007FF77A808570: OpenProcessToken.ADVAPI32 ref: 00007FF77A8085A3
Part of subcall function 00007FF77A808570: GetTokenInformation.KERNELBASE ref: 00007FF77A8085C8
Part of subcall function 00007FF77A808570: GetLastError.KERNEL32 ref: 00007FF77A8085D2
Part of subcall function 00007FF77A808570: GetTokenInformation.KERNELBASE ref: 00007FF77A808612
Part of subcall function 00007FF77A808570: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF77A80862E
Part of subcall function 00007FF77A808570: CloseHandle.KERNEL32 ref: 00007FF77A808646

LocalFree.KERNEL32(?,00007FF77A803C55), ref: 00007FF77A80916C
LocalFree.KERNEL32(?,00007FF77A803C55), ref: 00007FF77A809175

Strings

D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF77A809142
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF77A809183
S-1-3-4, xrefs: 00007FF77A809121
D:(A;;FA;;;%s), xrefs: 00007FF77A809157

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 5ed7a9ba3e6ce910408607b93085540bd422a8d0f9e00f9f84049ca226c14b37
Instruction ID: 3ffa6e5ad312ad952902d156d5fc651024efd704d84b7e6b4fcbcf8c9b439c9e
Opcode Fuzzy Hash: 5ed7a9ba3e6ce910408607b93085540bd422a8d0f9e00f9f84049ca226c14b37
Instruction Fuzzy Hash: 6F212B62A39A4281F712BB20E4153FAF6A4FB98780FC44075EA4D437E6DE3CD8658760

Function 00007FF77A807E20 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(00000000,?,00007FF77A80352C,?,00000000,00007FF77A803F23), ref: 00007FF77A807F32

Strings

\, xrefs: 00007FF77A807E97
%s%c, xrefs: 00007FF77A807EA4
%.*s, xrefs: 00007FF77A807EEB

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 302ffdc47f1f131389ecc473fe7ae023bae846d875cccfc6523225b15fd92315
Instruction ID: 2dbb1c8ba366e879c4f04483dbdbff2edabab9a19b7643cc438afe82b4db32cd
Opcode Fuzzy Hash: 302ffdc47f1f131389ecc473fe7ae023bae846d875cccfc6523225b15fd92315
Instruction Fuzzy Hash: 3C31D862639AC145FA22AB20E4103BBE394FF84BE0F840271EA6D477E5DE2CD6558B10

Function 00007FF77A81CF60 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF77A81CF4B), ref: 00007FF77A81D07C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF77A81CF4B), ref: 00007FF77A81D107

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction ID: 6319ca2a6a984e6fd72753036ab9f418c742a1d846977d609a01284a5ad9e234
Opcode Fuzzy Hash: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction Fuzzy Hash: 2C91F263E3965189F762AF25C4403BDEBA0AB44B88F94457DDE4E526A4CF3CE462C320

Function 00007FF77A81F98C Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF77A81FA7C
_get_daylight.LIBCMT ref: 00007FF77A81FA8D
_get_daylight.LIBCMT ref: 00007FF77A81FA9E
_isindst.LIBCMT ref: 00007FF77A81FB69

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction ID: a1f9aba6f192f67fbef0d027612362ec3b78d16d88ee3134cd255a9fa557d71f
Opcode Fuzzy Hash: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction Fuzzy Hash: A9512773F3411186FB15EF64D9A12BCE761AB04368F90067ADE1E52AF5DB3CA812C710

Function 00007FF77A81577C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF77A8157AF
GetFileInformationByHandle.KERNELBASE ref: 00007FF77A815811
GetLastError.KERNEL32 ref: 00007FF77A8158A2
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF77A8156B4), ref: 00007FF77A8158EE

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: f2931e55a17fed7c801103cab28c1f7fd047901bf7fa79ea6702d423310ad099
Instruction ID: 2bfc6a4982d2fbe61464c657a41e2126d9d8b4129f620905b06ae0b06cc2e6ca
Opcode Fuzzy Hash: f2931e55a17fed7c801103cab28c1f7fd047901bf7fa79ea6702d423310ad099
Instruction Fuzzy Hash: BD51BE23E386418AFB15EF74D4503BDE7A1EB48B58F944A39DE0D476A8DF38D4608320

Function 00007FF77A815628 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A815655
CreateFileW.KERNELBASE ref: 00007FF77A815694
CloseHandle.KERNEL32 ref: 00007FF77A8156C9

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 8f3d5377b4ca72f71b0fe910297a4b2920b1cd85568e136600ee028e7f718979
Instruction ID: 4905f0c8663b86e07139a34ac13c9e468399e5e3ae57f12b7f41cc31f2f6449f
Opcode Fuzzy Hash: 8f3d5377b4ca72f71b0fe910297a4b2920b1cd85568e136600ee028e7f718979
Instruction Fuzzy Hash: D041B223D3878183F715AB24D554379E360FB947A4F908B79E69C03AE1EF6CA0B08760

Function 00007FF77A80CC3C Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF77A80CE0C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF77A80CE20

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF77A80CC60
__scrt_release_startup_lock.LIBCMT ref: 00007FF77A80CCCE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF77A80CD21

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction ID: 21e00b564d5c23ae99c6fcd178a7b928a25528813e7f45eb005624276fd59879
Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction Fuzzy Hash: 99314863E3914345FA56BF64D4513BAE6C2AF91384FC454B8E94E4B2F3DE2CB8248271

Function 00007FF77A81013C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A810180
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A810277

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction ID: 3381eb0b30c2518f15c624f148ba55c715fda8d78f8c28d0e59450c16b215f82
Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction Fuzzy Hash: 09513D63B3924186F726BA25DC00679E2A1BF40BA4FA84F79DD7D073E5CE3CD5218620

Function 00007FF77A81C134 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF77A81C2CD), ref: 00007FF77A81C180
GetLastError.KERNEL32(?,?,?,?,?,00007FF77A81C2CD), ref: 00007FF77A81C18A

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction ID: 37c75212ba77c0adf9e7d71258180011070f22f752bf74efc432ccb620d8a956
Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction Fuzzy Hash: 6C11E2A2A38A8181FA21AB25F804069E361AB45FF0F944775EEBD077E8CE7CD4208700

Function 00007FF77A815924 Relevance: 3.0, APIs: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF77A815839), ref: 00007FF77A815957
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF77A815839), ref: 00007FF77A81596D

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 497c6f3b45805196ef8f930e068bad9451f3f50de380bc241881b145e929bf5b
Instruction ID: 900ee0ac168eb1595a10cc38793e03418d488f4df21424b9c3825c0464efff4c
Opcode Fuzzy Hash: 497c6f3b45805196ef8f930e068bad9451f3f50de380bc241881b145e929bf5b
Instruction Fuzzy Hash: 5C11606263C60282FA556B18E45113AE7A0FB85771F90077AE699819E8FB2CD424DB20

Function 00007FF77A81A948 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF77A822D22,?,?,?,00007FF77A822D5F,?,?,00000000,00007FF77A823225,?,?,?,00007FF77A823157), ref: 00007FF77A81A95E
GetLastError.KERNEL32(?,?,?,00007FF77A822D22,?,?,?,00007FF77A822D5F,?,?,00000000,00007FF77A823225,?,?,?,00007FF77A823157), ref: 00007FF77A81A968

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
Instruction ID: 33722db6e80e25d6dd6a31c4352bac876c39156791f6851ae26aa8bf8e64f8d9
Opcode Fuzzy Hash: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
Instruction Fuzzy Hash: F6E04F52E3920242FE1B7BF1D449178D2519F88740FC444B8C81D463B1EE2C68A18630

Function 00007FF77A81AB58 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF77A81A9D5,?,?,00000000,00007FF77A81AA8A), ref: 00007FF77A81ABC6
GetLastError.KERNEL32(?,?,?,00007FF77A81A9D5,?,?,00000000,00007FF77A81AA8A), ref: 00007FF77A81ABD0

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction ID: 02fb136fe5091d86f27270c48c026a272e2db555cc345cc8896971a822265fd4
Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction Fuzzy Hash: CA21C913F3C68241FB52B7A1D495379D2829F84790FC84ABDD91E4B7F1DE6CA4614321

Function 00007FF77A81BEAC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A81BED4

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: cbeb3b5568c01fe22c816fd393b22aefbfa64644ae8ce1fe3b0dc090283c3b2e
Instruction ID: f084e5fabae78cc5b1cd832dbcbb29da0c58c5b9ecff782c7b2e64e70d844b63
Opcode Fuzzy Hash: cbeb3b5568c01fe22c816fd393b22aefbfa64644ae8ce1fe3b0dc090283c3b2e
Instruction Fuzzy Hash: B441D63393824587FA36BB19E544279F3A1EB55740F900979D68E877E1CF2CE412CBA0

Function 00007FF77A807F90 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF77A80803A

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 7b0bfe6dda5be6348f5dea9afb2976fe88cae53a5ed3d6ba0ce225c2e8636390
Instruction ID: c2638cba8e3e8b660c25bf26fdd8244c5d1e1aadf984116b423b26e671d7c7db
Opcode Fuzzy Hash: 7b0bfe6dda5be6348f5dea9afb2976fe88cae53a5ed3d6ba0ce225c2e8636390
Instruction Fuzzy Hash: B021A222F3965146FA12BA22A8043BAE691FF45BD4FC84474EE4C07796DE7DE0A1C710

Function 00007FF77A81B93C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A81B9C2

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
Instruction ID: 89ed4ce91801f307756f44e9e98e6091102c2da616bd75dd0456b28a38f3a2ac
Opcode Fuzzy Hash: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
Instruction Fuzzy Hash: 53318263A3860285F712BB65C44537CE690AF80BA0FC509B9E91D473F2EE7CA4628731

Function 00007FF77A815F94 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A815EF9

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 254f15a2de302633862c4e8122464e7de0eec829bcf4d63e3fb2a8442c9e1b61
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: 24119323A3C64181FA66BF15D40057DE260BF85B84FC4497AEA4C57BB6DF3CD4218760

Function 00007FF77A826354 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A826377

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction ID: 93f2fd84a85ebaf7d53d671dab79c91862768b5b535a971015819aa69830c9fd
Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction Fuzzy Hash: D9215373638A8187FB62AF18D440379F6A0FB84B54F944278EA5D476E9DF3CD4218B11

Function 00007FF77A8103BC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A810410

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: 11e5c9f6f094a63acc25ac2868b35eb1229267e440e59b12c8e9ac801a6ea618
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: 0601A562B3874540F505EF52D940079E6A1BF85FE4F984AB5DE6C17BE6CE3CE4218310

Function 00007FF77A817EFC Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A817F3A

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: eb4e03bbc0b04cbc85d5aa4284f536322b5632f0a5d263bd1b62b358e696f9c3
Instruction ID: 129fd5d138f262137d4d98a69cfe374164356edf69171912149a9230096ddcad
Opcode Fuzzy Hash: eb4e03bbc0b04cbc85d5aa4284f536322b5632f0a5d263bd1b62b358e696f9c3
Instruction Fuzzy Hash: 43015B22E3D68240FA527B21E54117AD690AF40790FD44ABDEA1D826E6EE2CA8614A60

Function 00007FF77A818238 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A818251

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction ID: 18f322f6190feb8a6d6c7e582518a1a039a29413075c1451850aa2648535eca1
Opcode Fuzzy Hash: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction Fuzzy Hash: 82E08C92E3C60287FA133AA4C4821B8D0208FA5341FD40CBCEE080B3E3ED6C68755632

Function 00007FF77A81EB98 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF77A81B32A,?,?,?,00007FF77A814F11,?,?,?,?,00007FF77A81A48A), ref: 00007FF77A81EBED

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
Instruction ID: 26fa68152a3d74bdcf8c8e84eda68af09fbfcb2efce683c8e836d11bc3b2f0e5
Opcode Fuzzy Hash: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
Instruction Fuzzy Hash: 32F06256B3920282FF5B7665D8952B4D2819F88B80FCC4DB9C90F563F1ED1CE4A14230

Function 00007FF77A81D5FC Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF77A810C90,?,?,?,00007FF77A8122FA,?,?,?,?,?,00007FF77A813AE9), ref: 00007FF77A81D63A

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction ID: 9606e93d1a7ee6e7d2b5fa7c6bf37729a4ad572d2139d74065498f854143a984
Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction Fuzzy Hash: 8FF05E22F3A20245FE663771D805774D2908F847A0FC80BB8DC2E462E2DF2CA4A081B0

Non-executed Functions

Function 00007FF77A805830 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF77A8064CF,?,00007FF77A80336E), ref: 00007FF77A805840
GetLastError.KERNEL32(?,00007FF77A8064CF,?,00007FF77A80336E), ref: 00007FF77A805852
GetProcAddress.KERNEL32(?,00007FF77A8064CF,?,00007FF77A80336E), ref: 00007FF77A805889
GetLastError.KERNEL32(?,00007FF77A8064CF,?,00007FF77A80336E), ref: 00007FF77A80589B
GetProcAddress.KERNEL32(?,00007FF77A8064CF,?,00007FF77A80336E), ref: 00007FF77A8058B4
GetLastError.KERNEL32(?,00007FF77A8064CF,?,00007FF77A80336E), ref: 00007FF77A8058C6
GetProcAddress.KERNEL32(?,00007FF77A8064CF,?,00007FF77A80336E), ref: 00007FF77A8058DF
GetLastError.KERNEL32(?,00007FF77A8064CF,?,00007FF77A80336E), ref: 00007FF77A8058F1
GetProcAddress.KERNEL32(?,00007FF77A8064CF,?,00007FF77A80336E), ref: 00007FF77A80590D
GetLastError.KERNEL32(?,00007FF77A8064CF,?,00007FF77A80336E), ref: 00007FF77A80591F
GetProcAddress.KERNEL32(?,00007FF77A8064CF,?,00007FF77A80336E), ref: 00007FF77A80593B
GetLastError.KERNEL32(?,00007FF77A8064CF,?,00007FF77A80336E), ref: 00007FF77A80594D
GetProcAddress.KERNEL32(?,00007FF77A8064CF,?,00007FF77A80336E), ref: 00007FF77A805969
GetLastError.KERNEL32(?,00007FF77A8064CF,?,00007FF77A80336E), ref: 00007FF77A80597B
GetProcAddress.KERNEL32(?,00007FF77A8064CF,?,00007FF77A80336E), ref: 00007FF77A805997
GetLastError.KERNEL32(?,00007FF77A8064CF,?,00007FF77A80336E), ref: 00007FF77A8059A9
GetProcAddress.KERNEL32(?,00007FF77A8064CF,?,00007FF77A80336E), ref: 00007FF77A8059C5
GetLastError.KERNEL32(?,00007FF77A8064CF,?,00007FF77A80336E), ref: 00007FF77A8059D7

Strings

PyObject_GetAttrString, xrefs: 00007FF77A805D53, 00007FF77A805D75
PyConfig_InitIsolatedConfig, xrefs: 00007FF77A8059BB, 00007FF77A8059DD
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF77A805DDD, 00007FF77A805DFF
PyRun_SimpleStringFlags, xrefs: 00007FF77A805E0B, 00007FF77A805E2D
PyUnicode_AsUTF8, xrefs: 00007FF77A805EC3, 00007FF77A805EE5
PyErr_Restore, xrefs: 00007FF77A805B87, 00007FF77A805BA9
Py_DecRef, xrefs: 00007FF77A805836, 00007FF77A805858
Py_Finalize, xrefs: 00007FF77A8058D5, 00007FF77A8058F7
PyErr_NormalizeException, xrefs: 00007FF77A805AFD, 00007FF77A805B1F
PySys_GetObject, xrefs: 00007FF77A805E67, 00007FF77A805E89
PyErr_Fetch, xrefs: 00007FF77A805ACF, 00007FF77A805AF1
PyImport_ExecCodeModule, xrefs: 00007FF77A805C11, 00007FF77A805C33
PyStatus_Exception, xrefs: 00007FF77A805E39, 00007FF77A805E5B
Py_IsInitialized, xrefs: 00007FF77A805931, 00007FF77A805953
PyErr_Clear, xrefs: 00007FF77A805AA1, 00007FF77A805AC3
PyMarshal_ReadObjectFromString, xrefs: 00007FF77A805C6D, 00007FF77A805C8F
Py_DecodeLocale, xrefs: 00007FF77A80587F, 00007FF77A8058A1
PyImport_ImportModule, xrefs: 00007FF77A805C3F, 00007FF77A805C61
PyUnicode_DecodeFSDefault, xrefs: 00007FF77A805F1F, 00007FF77A805F41
PyModule_GetDict, xrefs: 00007FF77A805CC9, 00007FF77A805CEB
PyErr_Occurred, xrefs: 00007FF77A805B2B, 00007FF77A805B4D
PyObject_CallFunction, xrefs: 00007FF77A805CF7, 00007FF77A805D19
PyObject_SetAttrString, xrefs: 00007FF77A805D81, 00007FF77A805DA3
Py_ExitStatusException, xrefs: 00007FF77A8058AA, 00007FF77A8058CC
PyConfig_SetBytesString, xrefs: 00007FF77A805A17, 00007FF77A805A39
PyObject_Str, xrefs: 00007FF77A805DAF, 00007FF77A805DD1
PySys_SetObject, xrefs: 00007FF77A805E95, 00007FF77A805EB7
PyConfig_SetWideStringList, xrefs: 00007FF77A805A73, 00007FF77A805A95
GetProcAddress, xrefs: 00007FF77A805868
PyUnicode_Replace, xrefs: 00007FF77A805FD7, 00007FF77A805FF9
PyConfig_Clear, xrefs: 00007FF77A80598D, 00007FF77A8059AF
Py_InitializeFromConfig, xrefs: 00007FF77A805903, 00007FF77A805925
PyUnicode_Decode, xrefs: 00007FF77A805EF1, 00007FF77A805F13
PyUnicode_Join, xrefs: 00007FF77A805FA9, 00007FF77A805FCB
PyUnicode_FromString, xrefs: 00007FF77A805F7B, 00007FF77A805F9D
Py_PreInitialize, xrefs: 00007FF77A80595F, 00007FF77A805981
PyImport_AddModule, xrefs: 00007FF77A805BE3, 00007FF77A805C05
PyMem_RawFree, xrefs: 00007FF77A805C9B, 00007FF77A805CBD
Failed to get address for %hs, xrefs: 00007FF77A805861
PyConfig_SetString, xrefs: 00007FF77A805A45, 00007FF77A805A67
PyEval_EvalCode, xrefs: 00007FF77A805BB5, 00007FF77A805BD7
PyUnicode_FromFormat, xrefs: 00007FF77A805F4D, 00007FF77A805F6F
PyObject_CallFunctionObjArgs, xrefs: 00007FF77A805D25, 00007FF77A805D47
PyErr_Print, xrefs: 00007FF77A805B59, 00007FF77A805B7B
PyConfig_Read, xrefs: 00007FF77A8059E9, 00007FF77A805A0B

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction ID: 7326cdb9c1335452e9e315c305abec447eea85ec1947ead0023813a47ce0facd
Opcode Fuzzy Hash: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction Fuzzy Hash: 9722ACA6D7AB0791FA57BB55A8145B6E3A0AF08745FD491B5C81E023F0EF3CB1788270

Function 00007FF77A8240AC Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF77A8240FA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A824766
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A8248DC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A824B9A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A824DBA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A824FF7
memcpy_s.LIBCPMT ref: 00007FF77A8250D2
memcpy_s.LIBCPMT ref: 00007FF77A82517D
memcpy_s.LIBCPMT ref: 00007FF77A82524C

Strings

1#IND, xrefs: 00007FF77A8241E7
1#QNAN, xrefs: 00007FF77A824213
1#INF, xrefs: 00007FF77A824223
1#SNAN, xrefs: 00007FF77A82420A

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
Instruction ID: 1485e90d974f1f6b9c0587ab0fe07253fdd90affbbe6cd9ce16beafeec501040
Opcode Fuzzy Hash: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
Instruction Fuzzy Hash: A7B2E173E382828BF7269E64D4407FDF7A1FB44388F945175DA0A57AE4DB38A910CB60

Function 00007FF77A8083C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00007FF77A808919,00007FF77A803FA5), ref: 00007FF77A80842B
RemoveDirectoryW.KERNEL32(?,00007FF77A808919,00007FF77A803FA5), ref: 00007FF77A8084AE
DeleteFileW.KERNEL32(?,00007FF77A808919,00007FF77A803FA5), ref: 00007FF77A8084CD
FindNextFileW.KERNEL32(?,00007FF77A808919,00007FF77A803FA5), ref: 00007FF77A8084DB
FindClose.KERNEL32(?,00007FF77A808919,00007FF77A803FA5), ref: 00007FF77A8084EC
RemoveDirectoryW.KERNEL32(?,00007FF77A808919,00007FF77A803FA5), ref: 00007FF77A8084F5

Strings

%s\*, xrefs: 00007FF77A8083F2

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
Instruction ID: 418e3d85265cee89c0a7c84531411ad0008da5ff92d229661ea56057dba09ce7
Opcode Fuzzy Hash: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
Instruction Fuzzy Hash: A4416423A3DA4285FA21BF64E4481BBF3A0FB94755FC00272D59D426E4EF3CD5A58750

Function 00007FF77A80ACAD Relevance: 12.0, Strings: 9, Instructions: 744COMMON

Download Yara Rule

Strings

invalid literal/lengths set, xrefs: 00007FF77A80B133
invalid distance too far back, xrefs: 00007FF77A80B670
invalid distance code, xrefs: 00007FF77A80B5B4
invalid literal/length code, xrefs: 00007FF77A80B3E2
invalid distances set, xrefs: 00007FF77A80B1A0
invalid code -- missing end-of-block, xrefs: 00007FF77A80B0C6
invalid code lengths set, xrefs: 00007FF77A80AE2D
too many length or distance symbols, xrefs: 00007FF77A80AE46
invalid bit length repeat, xrefs: 00007FF77A80B099

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 55880860ec2df9374ed9e05eb7c1f9660e2769407a38999da05ffb99d6c3dc89
Instruction ID: 6faa48165d22ea3bbe8426053fb50c7ed1c98468257f83f477a40dafe3c7ed62
Opcode Fuzzy Hash: 55880860ec2df9374ed9e05eb7c1f9660e2769407a38999da05ffb99d6c3dc89
Instruction Fuzzy Hash: CF52E273A346A68BF7A59B14C458B7EFBE9EB44340F814139E64A87790DB38D850CB60

Function 00007FF77A80D12C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF77A80D148
RtlCaptureContext.KERNEL32 ref: 00007FF77A80D175
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF77A80D18F
RtlVirtualUnwind.KERNEL32 ref: 00007FF77A80D1D0
IsDebuggerPresent.KERNEL32 ref: 00007FF77A80D224
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF77A80D241
UnhandledExceptionFilter.KERNEL32 ref: 00007FF77A80D24C

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction ID: 27e3ec722187dbb6ffff40269d775782c6dd89c1a9d8d0fcda75da58f1f44759
Opcode Fuzzy Hash: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction Fuzzy Hash: 94310E73629B818AFB619F60E8443BEA3A4FB94744F444079DA4D47BA4DF38D558C710

Function 00007FF77A81A614 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF77A81A68D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF77A81A6A5
RtlVirtualUnwind.KERNEL32 ref: 00007FF77A81A6E0
IsDebuggerPresent.KERNEL32 ref: 00007FF77A81A719
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF77A81A723
UnhandledExceptionFilter.KERNEL32 ref: 00007FF77A81A72E

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction ID: 5cfb1765ca5ead97e8fd4911cdac09a1f381871e32fe3ea988d44462430bec86
Opcode Fuzzy Hash: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction Fuzzy Hash: 38316D37628B8186FB219B24E8442AEF3A4FB88754F900575EA8D47BA4DF38D165CB10

Function 00007FF77A821874 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A8218C0
FindFirstFileExW.KERNEL32 ref: 00007FF77A8219CA

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
Instruction ID: 36b7af20af19fffcc33395d1ea2878e14f2cc64a702557309f526285b657368e
Opcode Fuzzy Hash: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
Instruction Fuzzy Hash: 4EB1B773B3869241FA62AB21D9001B9E3A1EB44BE4FE45175DA5E07BE5EE3CE461C310

Function 00007FF77A80D010 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF77A80D03C
GetCurrentThreadId.KERNEL32 ref: 00007FF77A80D04A
GetCurrentProcessId.KERNEL32 ref: 00007FF77A80D056
QueryPerformanceCounter.KERNEL32 ref: 00007FF77A80D066

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction ID: 7bd6c389f0e8fc7c56e047b50e2ddf7d29b7e4a26b52671afd247bba14f8efbf
Opcode Fuzzy Hash: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction Fuzzy Hash: 30111C22B25B058AFB019B60E8542B9B3A4FB59758F840E31DA6D477A4DF78D1648350

Function 00007FF77A823C10 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF77A823C76
memcpy_s.LIBCPMT ref: 00007FF77A823CA1

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: ebcfecc244ebd40b0fee60d9710a0943f70742f59c86a841e54fdcb71e3c789e
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: 8AC1F073B3868687F7259F1AE0446BAF7A1F784B84F848134DB4A43B94DA3DE851CB40

Function 00007FF77A80A474 Relevance: 4.1, Strings: 3, Instructions: 398COMMON

Download Yara Rule

Strings

, xrefs: 00007FF77A80A55B
header crc mismatch, xrefs: 00007FF77A80A921
unknown header flags set, xrefs: 00007FF77A80A4C5

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown header flags set
API String ID: 0-1127688429
Opcode ID: fcf6ea83c7a46010d3591867e81b0f53761d3f113121264a3729654d2d1b513f
Instruction ID: c6ab58d3bf85051c7fa0502a97b8ec18011f819bc7e628804a6b0602386c5f6d
Opcode Fuzzy Hash: fcf6ea83c7a46010d3591867e81b0f53761d3f113121264a3729654d2d1b513f
Instruction Fuzzy Hash: E0F18273A382C54AF7A6AB14C088B3BFAE9FF44740F4545B8DA494B3A0CB38D561C760

Function 00007FF77A829728 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF77A829977
RaiseException.KERNEL32 ref: 00007FF77A829988

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: a4cc0e8a2f7e024105bf8074fef1866164229a93701b52dcf00f6f20498becf3
Instruction ID: e4b34664ce6f94594c1d9290b9221f443145b14f8bd913d17f8f6b257a70a42d
Opcode Fuzzy Hash: a4cc0e8a2f7e024105bf8074fef1866164229a93701b52dcf00f6f20498becf3
Instruction Fuzzy Hash: D8B17D73A20B898BFB16CF29C846368B7E0F744B58F188961EA5D837B4CB39D461C710

Function 00007FF77A8139A4 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF77A813D54
, xrefs: 00007FF77A813B12

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: e57f1980f4491aea9eb328a1e81193c2bccc9a7e68d1918bb9b7207cf9600634
Instruction ID: fab383b1b7292c2c9af91eaa8d9f712b8985a8f56812042cf9c995ca4a948ec0
Opcode Fuzzy Hash: e57f1980f4491aea9eb328a1e81193c2bccc9a7e68d1918bb9b7207cf9600634
Instruction Fuzzy Hash: 1CE19373A38A4686FBAEAE25C05013DF760EF45B48F94497DDA0E076B4DF29E861C710

Function 00007FF77A80A2DB Relevance: 2.7, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

invalid window size, xrefs: 00007FF77A80A442
incorrect header check, xrefs: 00007FF77A80A45B

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size
API String ID: 0-900081337
Opcode ID: 7e7bac63e97a7e962ac1d8bc37368dc0e110af78d4507200a91f80e7c7b94e68
Instruction ID: 11e28733208b84d6db2f8827d7169a75dde83faab8f7c91f4e2ee809776f6dcc
Opcode Fuzzy Hash: 7e7bac63e97a7e962ac1d8bc37368dc0e110af78d4507200a91f80e7c7b94e68
Instruction Fuzzy Hash: D5919673A382858BF7A69A14C44CB3FFAE9FF44350F514179DA5A467A0DB38E550CB20

Function 00007FF77A81DEF0 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

e+000, xrefs: 00007FF77A81DFFD
gfff, xrefs: 00007FF77A81E07A

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: c8a24eaff8c968987b4d031b15ae93849e98bcf9eddb8930961e84febef9b5bc
Instruction ID: 41f3fc2edcb4f8a0bc94f79cd28abbb885e7a793db51361d77572fb645804fb5
Opcode Fuzzy Hash: c8a24eaff8c968987b4d031b15ae93849e98bcf9eddb8930961e84febef9b5bc
Instruction Fuzzy Hash: B1515563F382C586F7269E35D800769EB91F744B94F88867ACB984BAE5CE3DD1508710

Function 00007FF77A81DA5C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF77A81DD9E

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction ID: 23773dc46a05d98c0276035dce68ea4ab8324bb52ea284e8370f5aa25e20731f
Opcode Fuzzy Hash: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction Fuzzy Hash: 2DA16763A2A78986FB22DF25E0407A9FB91AB50B84F408875DE4D477A5DE3DE412C710

Function 00007FF77A818794 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF77A8187B3

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 09cdd7cf7fc9e7e425d724a32e8c9d3bd5c12dba7606eca5b930980d9b4d1239
Instruction ID: 932915711efb121455d4e5a82b50fadad0db8a2e80541304c3826bebf7cba9a8
Opcode Fuzzy Hash: 09cdd7cf7fc9e7e425d724a32e8c9d3bd5c12dba7606eca5b930980d9b4d1239
Instruction Fuzzy Hash: EF519313F3860241FA66BB26D90217AD290AF44BD5FD848B9DD1E477F6EE3CE4718221

Function 00007FF77A823480 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF77A823484

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 1f9e0516fd534d967cb731c121838b59470578846d262458ea046ba55ab40ebf
Instruction ID: b7f17efb05ee04e793a8184c18e035621e9c38b8b587eb58104888834d25a52d
Opcode Fuzzy Hash: 1f9e0516fd534d967cb731c121838b59470578846d262458ea046ba55ab40ebf
Instruction Fuzzy Hash: 30B09221E37B02C6FA0A3B21AC86228A3A5BF58701FD801B8C01C40330DF2C20F55720

Function 00007FF77A8135A0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eca4e5ff3e7205525bf20f3b63783aa462e3e7adb0228d62bb7e98ab9f5e9bb
Instruction ID: c6047a7657d98f10bc4efd8a065360fb40f1bfbbdb2115bf48db42c8a28e48a2
Opcode Fuzzy Hash: 5eca4e5ff3e7205525bf20f3b63783aa462e3e7adb0228d62bb7e98ab9f5e9bb
Instruction Fuzzy Hash: C8D1E677A3864285FBAEAB25C00023DE3A0EB05B48F940A7DCE0D077A5DF39D865D760

Function 00007FF77A809800 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75d751cc15dfd510e55d83c6141b0e8cb11d18cbed01e0c543b372a0114c593
Instruction ID: 066e29874cac8020e85d2aae64d8bc839ed91b5c25020ab3231c5a542c6d502f
Opcode Fuzzy Hash: e75d751cc15dfd510e55d83c6141b0e8cb11d18cbed01e0c543b372a0114c593
Instruction Fuzzy Hash: FCC19F766281E08BE28AEB29E46947A73E1F78930DBD5406BEF8747785C63CA414D720

Function 00007FF77A812C10 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa73bfa000bc8cd66a05f12d530b76a597660d7bda6a6781f52cf2f49ffced0b
Instruction ID: 0e20cc84d2b1b982e4de811a9b9ebac8145732bc5509d89d4d1909b58e8510e0
Opcode Fuzzy Hash: aa73bfa000bc8cd66a05f12d530b76a597660d7bda6a6781f52cf2f49ffced0b
Instruction Fuzzy Hash: 60B1BD73938785C5F766AF28C04063CFBA4E749B48FA409B9CA4E473A5EF29D461C760

Function 00007FF77A81E570 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9611c2e0762efa78d7f6da3d8515592aa8d86601c49200b7335873453b670326
Instruction ID: 22d8327aa3797ea047f5d9f2b366e4e435be0e536cff009e7fc42c233d5ced28
Opcode Fuzzy Hash: 9611c2e0762efa78d7f6da3d8515592aa8d86601c49200b7335873453b670326
Instruction Fuzzy Hash: 3881E273A3838186F775DB19E44037AEA91FB45794F804A7ADA8D43BA5DE3CE4608B10

Function 00007FF77A826418 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 21aaab296e2e64a79b20cf98ea2699a9ab0529386423cc159892306e5cd43e00
Instruction ID: a0610ee288829f3eae34e824d3036b253533f8143c18a13993f06311695b30b1
Opcode Fuzzy Hash: 21aaab296e2e64a79b20cf98ea2699a9ab0529386423cc159892306e5cd43e00
Instruction Fuzzy Hash: 7D613933E3C29247F766AA38905063CE680EF40760FD406B9D65E436F5EE7DE8608722

Function 00007FF77A811944 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: baf31729892f9ce06a74060ae724b15167e4cb051752e99d64cc9685251989bc
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: 9351A277A3865186F7269B29C040338F7A0EB44B58FA4457DCA8D177B4DB3AE863C750

Function 00007FF77A812164 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: 62dbd92c8391858f09637fa3a894a3bd331ec706ea9688a90ce04d42d91b6034
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: 17519137A38651C6F7269B29C44022CF3A1EB54B68F644579CA8D077B4EB3AE863C750

Function 00007FF77A811D54 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: ac1a0bc922444f7a7563cb72b215c31e54800d6dd010f86f1de648c109fc21d3
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: CD519137A3865182F7669B29C040628F7A0EB45B68F64497DCE4D177E4CB3AE863C790

Function 00007FF77A811B50 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction ID: 37e5c77856ac0fcd6f46d04745943750434f82351c0cf17382bec8ace5608763
Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction Fuzzy Hash: 9E51A477A3865185F7269B29C080338E7A1EB44B58F64497DCE4C177A4DF3AE8A3C750

Function 00007FF77A811740 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction ID: 17f20f7a49a41b64da77a86eeb7246686870bda16233182a6293de699a89b074
Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction Fuzzy Hash: D6519637B3865185F7269B29C040238E7A1EB45B58FA4897DCE4C177B8CF3AE862C750

Function 00007FF77A811F60 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction ID: 7302e8a18a1e11907dc3af5186d42c17a624bf23152ee4143a5881704e5fb200
Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction Fuzzy Hash: 6151B237A38655C6F7269B29C040238F7A0EB44B58FA44579CE4C177B5EB3AE863C790

Function 00007FF77A815D30 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: 8e19b94974724a435c5b1a079840833cfe66fa70b154ca906f5aad6f65447dc7
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: 30417363C3974A05F99FA91C8518AB4DA809F127A0DD85FFCDD9D173E3C90D65B6C220

Function 00007FF77A819EA0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
Instruction ID: 1da2f1ed1247b5ee131eadbab5e51daec33b2b604f1cec78efaeffeb6451f22f
Opcode Fuzzy Hash: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
Instruction Fuzzy Hash: 0141C323B34A5586FF04DF2ADA24269F391BB48FD0B899436EE0D97B64DE3DD0518700

Function 00007FF77A8180E4 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction ID: f8172e767fb2796f9c45423da203e0980abd778faef2b728a97fb35953e8db26
Opcode Fuzzy Hash: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction Fuzzy Hash: 4931E333B38B4241F766AB21A44113EE6D5AB84B90F94467CEA9D53BE5DF3CD0218714

Function 00007FF77A829570 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d3ac10822f6242d2b374fc0e1218152d8e80c351f0dfcd4fab21387456caa74
Instruction ID: 14096f8706d6a583978f300ac63cc26d9307ee618d2a01a1fac4fe519739cf4d
Opcode Fuzzy Hash: 5d3ac10822f6242d2b374fc0e1218152d8e80c351f0dfcd4fab21387456caa74
Instruction Fuzzy Hash: 4CF044737382958AFB999F69B402629B7D0F7083C0F809079E58983A14DA3C90618F14

Function 00007FF77A80D30C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c3909751b2697c6481bc0460501d6177e5cf72f77169ad8285d6e0cd944102a
Instruction ID: e9aeb06043411c9bc877a41b5fbc0da2ad17b1264e3c1dcd6383994da203271a
Opcode Fuzzy Hash: 3c3909751b2697c6481bc0460501d6177e5cf72f77169ad8285d6e0cd944102a
Instruction Fuzzy Hash: 6DA0012293E90AD0F64AAB00A894136E260FB58301BC100B1E00D521B0AE2CA4249220

Function 00007FF77A8076C0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF77A8076D7
GetLastError.KERNEL32 ref: 00007FF77A8076E9
GetProcAddress.KERNEL32 ref: 00007FF77A807725
GetLastError.KERNEL32 ref: 00007FF77A807737
GetProcAddress.KERNEL32 ref: 00007FF77A807750
GetLastError.KERNEL32 ref: 00007FF77A807762
GetProcAddress.KERNEL32 ref: 00007FF77A80777B
GetLastError.KERNEL32 ref: 00007FF77A80778D
GetProcAddress.KERNEL32 ref: 00007FF77A8077A9
GetLastError.KERNEL32 ref: 00007FF77A8077BB
GetProcAddress.KERNEL32 ref: 00007FF77A8077D7
GetLastError.KERNEL32 ref: 00007FF77A8077E9
GetProcAddress.KERNEL32 ref: 00007FF77A807805
GetLastError.KERNEL32 ref: 00007FF77A807817
GetProcAddress.KERNEL32 ref: 00007FF77A807833
GetLastError.KERNEL32 ref: 00007FF77A807845
GetProcAddress.KERNEL32 ref: 00007FF77A807861
GetLastError.KERNEL32 ref: 00007FF77A807873

Strings

Tcl_MutexUnlock, xrefs: 00007FF77A8078E1, 00007FF77A807903
Tcl_Free, xrefs: 00007FF77A807C4B, 00007FF77A807C6D
Tcl_ThreadQueueEvent, xrefs: 00007FF77A8079C7, 00007FF77A8079E9
Tcl_NewByteArrayObj, xrefs: 00007FF77A807B09, 00007FF77A807B2B
Tcl_SetVar2, xrefs: 00007FF77A807A51, 00007FF77A807A73
Tcl_ConditionFinalize, xrefs: 00007FF77A80793D, 00007FF77A80795F
Tcl_CreateThread, xrefs: 00007FF77A807829, 00007FF77A80784B
Tcl_CreateObjCommand, xrefs: 00007FF77A807A7F, 00007FF77A807AA1
Tcl_JoinThread, xrefs: 00007FF77A807885, 00007FF77A8078A7
Tcl_Alloc, xrefs: 00007FF77A807C1D, 00007FF77A807C3F
GetProcAddress, xrefs: 00007FF77A8076FF
Tcl_NewStringObj, xrefs: 00007FF77A807ADB, 00007FF77A807AFD
Tk_GetNumMainWindows, xrefs: 00007FF77A807CA7, 00007FF77A807CC9
Tk_Init, xrefs: 00007FF77A807C79, 00007FF77A807C9B
Tcl_DeleteInterp, xrefs: 00007FF77A8077FB, 00007FF77A80781D
Tcl_Init, xrefs: 00007FF77A8076D0, 00007FF77A8076EF
Tcl_DoOneEvent, xrefs: 00007FF77A807771, 00007FF77A807793
Tcl_FindExecutable, xrefs: 00007FF77A807746, 00007FF77A807768
Tcl_GetObjResult, xrefs: 00007FF77A807B65, 00007FF77A807B87
Tcl_EvalObjv, xrefs: 00007FF77A807BEF, 00007FF77A807C11
Tcl_EvalEx, xrefs: 00007FF77A807BC1, 00007FF77A807BE3
Tcl_ConditionWait, xrefs: 00007FF77A807999, 00007FF77A8079BB
Tcl_GetString, xrefs: 00007FF77A807AAD, 00007FF77A807ACF
Tcl_ConditionNotify, xrefs: 00007FF77A80796B, 00007FF77A80798D
Tcl_FinalizeThread, xrefs: 00007FF77A8077CD, 00007FF77A8077EF
Failed to get address for %hs, xrefs: 00007FF77A8076F8
Tcl_GetVar2, xrefs: 00007FF77A807A23, 00007FF77A807A45
Tcl_MutexLock, xrefs: 00007FF77A8078B3, 00007FF77A8078D5
Tcl_SetVar2Ex, xrefs: 00007FF77A807B37, 00007FF77A807B59
Tcl_MutexFinalize, xrefs: 00007FF77A80790F, 00007FF77A807931
Tcl_ThreadAlert, xrefs: 00007FF77A8079F5, 00007FF77A807A17
Tcl_Finalize, xrefs: 00007FF77A80779F, 00007FF77A8077C1
Tcl_CreateInterp, xrefs: 00007FF77A80771B, 00007FF77A80773D
Tcl_GetCurrentThread, xrefs: 00007FF77A807857, 00007FF77A807879
Tcl_EvalFile, xrefs: 00007FF77A807B93, 00007FF77A807BB5

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction ID: 67af84194a504472bbfa8e29cc983eb79c359a95526d79060e135725aa4c45cf
Opcode Fuzzy Hash: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction Fuzzy Hash: C802A823D3AF0791FA17BB55A8186B5E7A1BF08745BD450B1C82E023F0EF3CB5698620

Function 00007FF77A8081D0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF77A809390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF77A8045F4,00000000,00007FF77A801985), ref: 00007FF77A8093C9

ExpandEnvironmentStringsW.KERNEL32(?,00007FF77A8086B7,?,?,00000000,00007FF77A803CBB), ref: 00007FF77A80822C

Part of subcall function 00007FF77A802810: MessageBoxW.USER32 ref: 00007FF77A8028EA

Strings

CreateDirectory, xrefs: 00007FF77A80837C
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF77A808373
\, xrefs: 00007FF77A808261
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF77A808203
%.*s, xrefs: 00007FF77A80830C
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF77A80829D
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF77A808240
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF77A8082D9

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 9187bed43bf71c5340eadf58a1920dd2feb36a2730cc38c17813087cef3183ed
Instruction ID: f4b9ac7547eb1e037cea33002a0a73150e9e28b8be31e54166cf4f8f28cc2e1f
Opcode Fuzzy Hash: 9187bed43bf71c5340eadf58a1920dd2feb36a2730cc38c17813087cef3183ed
Instruction Fuzzy Hash: 3B51A523A3AA4285FA53FB24D8552BBF2D0EF94780FC44471DA4E426F5EE3CE4648760

Function 00007FF77A802180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF77A8021AB
SelectObject.GDI32 ref: 00007FF77A8021F2
DrawTextW.USER32 ref: 00007FF77A802215
SelectObject.GDI32 ref: 00007FF77A80222B
ReleaseDC.USER32 ref: 00007FF77A80223B
MoveWindow.USER32 ref: 00007FF77A80228B
MoveWindow.USER32 ref: 00007FF77A8022CB
MoveWindow.USER32 ref: 00007FF77A80231E
MoveWindow.USER32 ref: 00007FF77A802366

Strings

P%, xrefs: 00007FF77A8021FF

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: ca09c9b76f70415b535db95390a1cf56cbe5a7bb6ac22a0f2f428edd5025adf5
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: 3C51E626624BA186E6349F26E4581BAF7A1F798B61F004131EFDE43794DF3CE055DB20

Function 00007FF77A8080C0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF77A8080FF
GetWindowLongPtrW.USER32 ref: 00007FF77A80817F
ShutdownBlockReasonCreate.USER32 ref: 00007FF77A808192
GetLastError.KERNEL32 ref: 00007FF77A80819C
SetWindowLongPtrW.USER32 ref: 00007FF77A8081B3

Strings

Needs to remove its temporary files., xrefs: 00007FF77A808185

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction ID: 112a4c5e6db8df9036d9689dd3d43e7edb211ddb22bc49cb11470f6c6e3ef079
Opcode Fuzzy Hash: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction Fuzzy Hash: 7A218823B39A4281F7536B79A848179E290FF98B91F984171DA5D433F4DE2CD5A18320

Function 00007FF77A816290 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A8162D3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A8166C0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A81695C

Strings

p, xrefs: 00007FF77A8163FD
f, xrefs: 00007FF77A8163F5
p, xrefs: 00007FF77A816385
:, xrefs: 00007FF77A81648C
-, xrefs: 00007FF77A816369

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: 63d07945d720848d258a3866991d7372c2bee884b8b3aca8a90c2bd3564db91e
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: 3312B273E3C24386FB227B14E104679F692FB50750FC84979D6C9466E4EB3CE5A08B22

Function 00007FF77A810FC8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A811008
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A8113D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A81166F

Strings

f, xrefs: 00007FF77A8110A0
f, xrefs: 00007FF77A81110A
p, xrefs: 00007FF77A8110AD
f, xrefs: 00007FF77A811255
p, xrefs: 00007FF77A811112

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: e762223614b3a288c67627e2326993643f3478bada1391c610d9d2cfcb69fab5
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: 4C12A673E3C54386FB227A14E0446B9F6A5FB40754FC4497DD68A46AE8DF3CE5A08B20

Function 00007FF77A801050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to read data chunk!, xrefs: 00007FF77A8011F6
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF77A801108
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF77A8010CC
Failed to extract %s: failed to open archive file!, xrefs: 00007FF77A801098
fread, xrefs: 00007FF77A8011FD
fseek, xrefs: 00007FF77A8010D3
malloc, xrefs: 00007FF77A80110F

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 44d3663ac886a74f27bf0299a60bdb2a17e78e9504a320c07c927e36cc87db77
Instruction ID: 83bc8614639c0fe5c1aec9b677f012284d0f9418aca95d47dae9997cd8f1a47f
Opcode Fuzzy Hash: 44d3663ac886a74f27bf0299a60bdb2a17e78e9504a320c07c927e36cc87db77
Instruction Fuzzy Hash: 7341B263A3825286FA06FB11A8045BAE3D0BF54BD0FC444B1ED4C077A6EE3CE5618360

Function 00007FF77A801470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to read data chunk!, xrefs: 00007FF77A8015DF
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF77A801518
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF77A8014DE
Failed to extract %s: failed to open archive file!, xrefs: 00007FF77A80149F
fread, xrefs: 00007FF77A8015E6
fseek, xrefs: 00007FF77A8014E5
malloc, xrefs: 00007FF77A80151F

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: ba66df6895bd2fe50a7fbf599ddcec943e173133a1bf7a4519d7db8308d256bf
Instruction ID: c8a36b70edf9c3480e1ab9499f0d9e461a1373b983bc50ceda3d31758a93bac2
Opcode Fuzzy Hash: ba66df6895bd2fe50a7fbf599ddcec943e173133a1bf7a4519d7db8308d256bf
Instruction Fuzzy Hash: 48417F33A3864286FA12EB21D4405BAE390BF44794FC44872ED4D4BBB5EE3CE5618720

Function 00007FF77A80EA08 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF77A80EA65

Part of subcall function 00007FF77A80F9BC: __GetUnwindTryBlock.LIBCMT ref: 00007FF77A80F9FF
Part of subcall function 00007FF77A80F9BC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF77A80FA24

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF77A80EB3D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF77A80ED8B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF77A80EE98

Strings

csm, xrefs: 00007FF77A80EA7F
csm, xrefs: 00007FF77A80EB60
csm, xrefs: 00007FF77A80EAE6

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction ID: 8e5577a2a8aa4e1f06b8c93b1fc5eb621fa6396d6f9be07cb5b031e54f0a389d
Opcode Fuzzy Hash: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction Fuzzy Hash: 71D16E63928649C6FB21AB2594403AFEBE0FB45788F900176DE8D57BA5DF38E4A0C710

Function 00007FF77A81ED10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF77A81F0AA,?,?,00000254DA846C28,00007FF77A81AD53,?,?,?,00007FF77A81AC4A,?,?,?,00007FF77A815F3E), ref: 00007FF77A81EE8C
GetProcAddress.KERNEL32(?,?,?,00007FF77A81F0AA,?,?,00000254DA846C28,00007FF77A81AD53,?,?,?,00007FF77A81AC4A,?,?,?,00007FF77A815F3E), ref: 00007FF77A81EE98

Strings

api-ms-, xrefs: 00007FF77A81EDD6
ext-ms-, xrefs: 00007FF77A81EDE9

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction ID: 5e54a7727577948ddb4de5f4eb521bb284217d79c5d343237bbd9847e7987e9f
Opcode Fuzzy Hash: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction Fuzzy Hash: F841C563B3961282FA17BB16D804A75E291BF48B90FC8497ADD1D477A4DF3CE4658220

Function 00007FF77A802C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF77A803706,?,00007FF77A803804), ref: 00007FF77A802C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF77A803706,?,00007FF77A803804), ref: 00007FF77A802D63
MessageBoxW.USER32 ref: 00007FF77A802D99

Strings

<FormatMessageW failed.>, xrefs: 00007FF77A802D70
Error, xrefs: 00007FF77A802D8C
[PYI-%d:ERROR] , xrefs: 00007FF77A802CA6
%ls: , xrefs: 00007FF77A802D22

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction ID: 2676948463050b667b6cb267edfb9cee4a7685499ae9190571b7f3d4d3e7f1e2
Opcode Fuzzy Hash: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction Fuzzy Hash: 0A310733B28B4042F622BB25A8142BBE691BF88798F800135EF4D537A8EF3CD556C310

Function 00007FF77A80DCC8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF77A80DF7A,?,?,?,00007FF77A80DC6C,?,?,?,00007FF77A80D869), ref: 00007FF77A80DD4D
GetLastError.KERNEL32(?,?,?,00007FF77A80DF7A,?,?,?,00007FF77A80DC6C,?,?,?,00007FF77A80D869), ref: 00007FF77A80DD5B
LoadLibraryExW.KERNEL32(?,?,?,00007FF77A80DF7A,?,?,?,00007FF77A80DC6C,?,?,?,00007FF77A80D869), ref: 00007FF77A80DD85
FreeLibrary.KERNEL32(?,?,?,00007FF77A80DF7A,?,?,?,00007FF77A80DC6C,?,?,?,00007FF77A80D869), ref: 00007FF77A80DDF3
GetProcAddress.KERNEL32(?,?,?,00007FF77A80DF7A,?,?,?,00007FF77A80DC6C,?,?,?,00007FF77A80D869), ref: 00007FF77A80DDFF

Strings

api-ms-, xrefs: 00007FF77A80DD6D

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction ID: 05a1ebd7eeafa21e294df922ad1c9654e5e0ef13c5475d1b2f91dbc1be739de4
Opcode Fuzzy Hash: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction Fuzzy Hash: FF317023B3B64292FE13AB06A4006B6E7D4FF48BA4FD94575DD2D063A0DF3CE4648224

Function 00007FF77A806360 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

Failed to load Python DLL '%ls'., xrefs: 00007FF77A8064A7
ucrtbase.dll, xrefs: 00007FF77A8063DD
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF77A806407
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF77A8063C7
LoadLibrary, xrefs: 00007FF77A8064AE
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF77A806456

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 2df6df0904ecf2e68063807813f252f2c523520ae69ca8fe89000ee1ae80a761
Instruction ID: 44e164f40271806adb526a05ae2708986a0d0e080897f4393b1e23e37962790b
Opcode Fuzzy Hash: 2df6df0904ecf2e68063807813f252f2c523520ae69ca8fe89000ee1ae80a761
Instruction Fuzzy Hash: 49416F62A38A8691FA26FB24E4141FAE391FF44350FC00172EA5C436E5EF7CE569C760

Function 00007FF77A802A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF77A80351A,?,00000000,00007FF77A803F23), ref: 00007FF77A802AA0

Strings

WARNING, xrefs: 00007FF77A802AAF
0, xrefs: 00007FF77A802B16
Warning, xrefs: 00007FF77A802B1E
Warning [ANSI Fallback], xrefs: 00007FF77A802B0F
[PYI-%d:%s] , xrefs: 00007FF77A802AA8

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction ID: f4ab47b4a6f7cd05797ef62dcc2307319bb65760b184d9fd12fe83b841aaaa02
Opcode Fuzzy Hash: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction Fuzzy Hash: 34217173A39B8142F621AB55F4417E6E294BB88784F800176FE8C43769EF7CD1558750

Function 00007FF77A81B150 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF77A81B15F
FlsGetValue.KERNEL32 ref: 00007FF77A81B174
FlsSetValue.KERNEL32 ref: 00007FF77A81B195
FlsSetValue.KERNEL32 ref: 00007FF77A81B1C2
FlsSetValue.KERNEL32 ref: 00007FF77A81B1D3
FlsSetValue.KERNEL32 ref: 00007FF77A81B1E4
SetLastError.KERNEL32 ref: 00007FF77A81B1FF

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: a42b9cf7ed1ffe71ebcf97f5a72f2c90d2921d4b6bb9ef7954fc9d2fe8c6feaf
Instruction ID: 6d2d9c5ce27e4f3cafc223f2c170a26c28c0a45365ac19039489640d6b1edece
Opcode Fuzzy Hash: a42b9cf7ed1ffe71ebcf97f5a72f2c90d2921d4b6bb9ef7954fc9d2fe8c6feaf
Instruction Fuzzy Hash: 0C213D23E3C64281F657B321E65913DE2825F447B0F854ABDD9BE477E6DE2CA8608320

Function 00007FF77A827D6C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF77A827D9D
GetLastError.KERNEL32 ref: 00007FF77A827DA9
CloseHandle.KERNEL32 ref: 00007FF77A827DC1
CreateFileW.KERNEL32 ref: 00007FF77A827DEC
WriteConsoleW.KERNEL32 ref: 00007FF77A827E0B

Strings

CONOUT$, xrefs: 00007FF77A827DCD

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction ID: dad8bb42d620ee122194c21177f869e8ed6e56c30055372348528d27627ce7e5
Opcode Fuzzy Hash: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction Fuzzy Hash: F2117222A38A4186F751AB52E858339E2A0FB88BE4F444275E95D877E4DF3CD8248750

Function 00007FF77A808ED0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,FFFFFFFF,00000000,00007FF77A803FB1), ref: 00007FF77A808EFD
K32EnumProcessModules.KERNEL32(?,FFFFFFFF,00000000,00007FF77A803FB1), ref: 00007FF77A808F5A

Part of subcall function 00007FF77A809390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF77A8045F4,00000000,00007FF77A801985), ref: 00007FF77A8093C9

K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF77A803FB1), ref: 00007FF77A808FE5
K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF77A803FB1), ref: 00007FF77A809044
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF77A803FB1), ref: 00007FF77A809055
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF77A803FB1), ref: 00007FF77A80906A

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: 0184f5a771bb2c28f933eba3e4018dda16e38d059dd6d010c17659477659ba58
Instruction ID: d7cb9745938cac3593ce61bee09abcfe6308892c681bc1b42a1d9e1c24147d55
Opcode Fuzzy Hash: 0184f5a771bb2c28f933eba3e4018dda16e38d059dd6d010c17659477659ba58
Instruction Fuzzy Hash: 24418463A3968281FA31AB52A5002BBF3D4FB85B84F854175EF8D577A9DE3CD510C720

Function 00007FF77A81B2C8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF77A814F11,?,?,?,?,00007FF77A81A48A,?,?,?,?,00007FF77A81718F), ref: 00007FF77A81B2D7
FlsSetValue.KERNEL32(?,?,?,00007FF77A814F11,?,?,?,?,00007FF77A81A48A,?,?,?,?,00007FF77A81718F), ref: 00007FF77A81B30D
FlsSetValue.KERNEL32(?,?,?,00007FF77A814F11,?,?,?,?,00007FF77A81A48A,?,?,?,?,00007FF77A81718F), ref: 00007FF77A81B33A
FlsSetValue.KERNEL32(?,?,?,00007FF77A814F11,?,?,?,?,00007FF77A81A48A,?,?,?,?,00007FF77A81718F), ref: 00007FF77A81B34B
FlsSetValue.KERNEL32(?,?,?,00007FF77A814F11,?,?,?,?,00007FF77A81A48A,?,?,?,?,00007FF77A81718F), ref: 00007FF77A81B35C
SetLastError.KERNEL32(?,?,?,00007FF77A814F11,?,?,?,?,00007FF77A81A48A,?,?,?,?,00007FF77A81718F), ref: 00007FF77A81B377

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 1c08c83365d44066401784e1b70b71c7670d14ff4fb682678828c33d1612b477
Instruction ID: 2cbc5cd9b7b65e4f82d9fbfe062ff2521a93561da62de4b396e528e3bfba3d32
Opcode Fuzzy Hash: 1c08c83365d44066401784e1b70b71c7670d14ff4fb682678828c33d1612b477
Instruction Fuzzy Hash: 37114F23E3C64282F657B721E65513DE1829F44BB0F844BB9D96E477F6DE2CA8718320

Function 00007FF77A802910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF77A801B6A), ref: 00007FF77A80295E

Strings

%s: %s, xrefs: 00007FF77A8029E8
Error [ANSI Fallback], xrefs: 00007FF77A8029FF
[PYI-%d:ERROR] , xrefs: 00007FF77A802966
Error, xrefs: 00007FF77A802A0E

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction ID: 01908a89d7fac2bec9e7fd95e7f584433926ded3e21171afe761421801f8c15b
Opcode Fuzzy Hash: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction Fuzzy Hash: C431D363B3968152F712A765A8406E7E2D4BF887D4F800136FE8D837A9EF7CD1668610

Function 00007FF77A802390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF77A8023C8
DialogBoxIndirectParamW.USER32 ref: 00007FF77A80248E
DeleteObject.GDI32 ref: 00007FF77A8024C1
DestroyIcon.USER32 ref: 00007FF77A8024D3

Strings

Unhandled exception in script, xrefs: 00007FF77A8023F8

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
Instruction ID: 688935ff31453ce44f9e4a1583ed6c982653acbf11831d0f174f99f5e2f82c8f
Opcode Fuzzy Hash: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
Instruction Fuzzy Hash: 8D313273A39A8189F721AB21E8552FAE390FF88784F840175EA4D47BA9DF3CD155C710

Function 00007FF77A802B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF77A80918F,?,00007FF77A803C55), ref: 00007FF77A802BA0
MessageBoxW.USER32 ref: 00007FF77A802C2A

Strings

[PYI-%d:%ls] , xrefs: 00007FF77A802BA8
Warning, xrefs: 00007FF77A802C1D
WARNING, xrefs: 00007FF77A802BAF

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction ID: e89a70e00a03aa4f59146d8db78bd7826884ae538e1c36cc501c9edd31434b7d
Opcode Fuzzy Hash: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction Fuzzy Hash: 8F219163B29B4182F712AB54F4847EAE3A4FB88784F800136EA8D57765EE3CD265C750

Function 00007FF77A802710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF77A801B99), ref: 00007FF77A802760

Strings

Error [ANSI Fallback], xrefs: 00007FF77A8027CF
[PYI-%d:%s] , xrefs: 00007FF77A802768
Error, xrefs: 00007FF77A8027DE
ERROR, xrefs: 00007FF77A80276F

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction ID: e8079c21a43027e173169815bdb86ffd670f15a003c344c9d298d9c51d938d99
Opcode Fuzzy Hash: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction Fuzzy Hash: 98217F73A39B8182F721AB50F8817E6E694BB88384F800176FA8C43769EF7CD1558750

Function 00007FF77A819A88 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF77A819AAD
GetProcAddress.KERNEL32 ref: 00007FF77A819AC3
FreeLibrary.KERNEL32 ref: 00007FF77A819AEA

Strings

CorExitProcess, xrefs: 00007FF77A819ABC
mscoree.dll, xrefs: 00007FF77A819AA4

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction ID: bbe07d71b9782377279d4d327c53200ca552936d58143ad1a720cdb1dcdcaf7d
Opcode Fuzzy Hash: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction Fuzzy Hash: 73F06863B3970681FA11AB14E448779E360FF49761F940679D56E462F4DF2CE458C360

Function 00007FF77A829368 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF77A829390
_set_statfp.LIBCMT ref: 00007FF77A8293AB
_set_statfp.LIBCMT ref: 00007FF77A8293C7
_set_statfp.LIBCMT ref: 00007FF77A829403

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 14f9a9e4dbcc328fa910a6b5176d00d3df4058ff97e41ee867ae36eddbd399e1
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: 7F119833D7CA0342F6763155E499379F050AF59370EC416B4FA6F163F6CE6D64614120

Function 00007FF77A81B390 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF77A81A5A3,?,?,00000000,00007FF77A81A83E,?,?,?,?,?,00007FF77A81A7CA), ref: 00007FF77A81B3AF
FlsSetValue.KERNEL32(?,?,?,00007FF77A81A5A3,?,?,00000000,00007FF77A81A83E,?,?,?,?,?,00007FF77A81A7CA), ref: 00007FF77A81B3CE
FlsSetValue.KERNEL32(?,?,?,00007FF77A81A5A3,?,?,00000000,00007FF77A81A83E,?,?,?,?,?,00007FF77A81A7CA), ref: 00007FF77A81B3F6
FlsSetValue.KERNEL32(?,?,?,00007FF77A81A5A3,?,?,00000000,00007FF77A81A83E,?,?,?,?,?,00007FF77A81A7CA), ref: 00007FF77A81B407
FlsSetValue.KERNEL32(?,?,?,00007FF77A81A5A3,?,?,00000000,00007FF77A81A83E,?,?,?,?,?,00007FF77A81A7CA), ref: 00007FF77A81B418

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 44f6b3e63c936746b9124b5af5da9c753e88c88086b63197a25bc1506e4861c0
Instruction ID: 9d0b5ffa6f1f13b05a1b5c3c04802543685edaf952cb0888c61e66971e581e52
Opcode Fuzzy Hash: 44f6b3e63c936746b9124b5af5da9c753e88c88086b63197a25bc1506e4861c0
Instruction Fuzzy Hash: 15117223F3864281FA56B325E54517EE1815F447B0FC88BBDD97D467F6DE2CAC618220

Function 00007FF77A81B224 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF77A81B235
FlsSetValue.KERNEL32 ref: 00007FF77A81B254
FlsSetValue.KERNEL32 ref: 00007FF77A81B27C
FlsSetValue.KERNEL32 ref: 00007FF77A81B28D
FlsSetValue.KERNEL32 ref: 00007FF77A81B29E

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 92671db20a050c4f2636db97a8291f7b9cbb2c044339a59ef12305351f814945
Instruction ID: d4cc103c838d461ef0f342b017e27bfdd7fc76851ed0de283493865aadc33bbb
Opcode Fuzzy Hash: 92671db20a050c4f2636db97a8291f7b9cbb2c044339a59ef12305351f814945
Instruction Fuzzy Hash: E4111822E3820781F95BB261D55517EE1824F46730F884FBDDA7E4A7F2DE2CB8645231

Function 00007FF77A815FA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A815FDC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A816106
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A8161BC

Strings

verbose, xrefs: 00007FF77A815FB0

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: ecfe3a3856df57126faa6525eafc2820fe411d3ac6a5a7c3819fc03d1abe20dc
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: D491E123A3864681F722AE24D45077DF791AB40B94FC4497ADADE473E6DF3CE4258322

Function 00007FF77A81FBC8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A81FEA7

Part of subcall function 00007FF77A817A3C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77A817A59

Strings

UTF-8, xrefs: 00007FF77A81FE26
ccs, xrefs: 00007FF77A81FDE2
UTF-16LEUNICODE, xrefs: 00007FF77A81FE45

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction ID: 00bf4434e0691df4b57da147652667d4113dc7ced91437db9cc9ca72b578f383
Opcode Fuzzy Hash: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction Fuzzy Hash: 9481B173D3860385F7667E29C100278EAA0AB11B44FD54CBECB09872A5CB2CEC22D721

Function 00007FF77A80D648 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF77A80D673
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF77A80D70A
RtlUnwindEx.KERNEL32 ref: 00007FF77A80D764

Strings

csm, xrefs: 00007FF77A80D6F1

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction ID: 5f2ec0f38f3cc01f8a0a843351e1b72741ba6144b9e5509d2cbf59be853d80dc
Opcode Fuzzy Hash: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction Fuzzy Hash: 50519033A3A6028AFB16AB15E44477AF7D1EB44B98F908170EA4D477A4DF7CE861C710

Function 00007FF77A80F288 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF77A80F2B0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF77A80F398

Strings

csm, xrefs: 00007FF77A80F2D2
csm, xrefs: 00007FF77A80F3EA

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction ID: ac1ec3f299f1975f57ffad430590d257ea16ed4fd7ab263863551eb6c33d66c0
Opcode Fuzzy Hash: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction Fuzzy Hash: B8518033A3874286FB65AA21908426AF7D0FB55B94F94C176DA4C47BA5CF3CE860C711

Function 00007FF77A80EED8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF77A80EF37
_CallSETranslator.LIBVCRUNTIME ref: 00007FF77A80EF83

Strings

MOC, xrefs: 00007FF77A80EF4B
RCC, xrefs: 00007FF77A80EF53

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction ID: cfe74e6192e56ae773f6cd5324398daf986076192b6dbc175b40d7ea414dacce
Opcode Fuzzy Hash: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction Fuzzy Hash: 77618133928B8585F762AB25E4403AAF7A0FB94784F448275EB9C03765DF7CD5A0CB10

Function 00007FF77A802810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF77A8028EA

Strings

[PYI-%d:%ls] , xrefs: 00007FF77A802868
Error, xrefs: 00007FF77A8028DD
ERROR, xrefs: 00007FF77A80286F

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction ID: 259cb3d327e1448515ce163070d2171ecf2a187b33e0e7043b3e068583168b2d
Opcode Fuzzy Hash: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction Fuzzy Hash: 9E219173B29B4182F712AB54F4447EAE3A4FB88780F800176EA8D57765EE3CD265C750

Function 00007FF77A81C5A0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF77A81C61F
WriteFile.KERNEL32 ref: 00007FF77A81C8E7
WriteFile.KERNEL32 ref: 00007FF77A81C92D
GetLastError.KERNEL32 ref: 00007FF77A81C9E3

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction ID: 9a00fa278523870194e95e92709ec6bf2c45725987ddfe9c6b1d2f2c834d12ad
Opcode Fuzzy Hash: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction Fuzzy Hash: 41D127B3B38A4189F712DF65C4402ACB7B1FB54798B804579DE5E97BA5DE38D026C310

Function 00007FF77A8020C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF77A8020F4
SetWindowLongPtrW.USER32 ref: 00007FF77A802116
GetWindowLongPtrW.USER32 ref: 00007FF77A802140
InvalidateRect.USER32 ref: 00007FF77A802160

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: 8304c73b7791e8ec30470b715f94cb825763324339d8a875f7d625ca5b69910d
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: 6611E922F3C14242F756A769E58827BD2D1FF98780FC44070DB4907BA9DD6DE8E58210

Function 00007FF77A825B1C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF77A821760: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77A821793

_get_daylight.LIBCMT ref: 00007FF77A825C34
_get_daylight.LIBCMT ref: 00007FF77A825C45

Strings

?, xrefs: 00007FF77A825BC5

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
Instruction ID: 66da3493e7448c40359821881fe078d0d984647ba89f2db238b3f2a2f72e072f
Opcode Fuzzy Hash: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
Instruction Fuzzy Hash: 14412923A3828246FB6AAB25D54137AE750EB80BA4F944375EE5C07AF5EF3CD4618710

Function 00007FF77A819014 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A819046

Part of subcall function 00007FF77A81A948: RtlFreeHeap.NTDLL(?,?,?,00007FF77A822D22,?,?,?,00007FF77A822D5F,?,?,00000000,00007FF77A823225,?,?,?,00007FF77A823157), ref: 00007FF77A81A95E
Part of subcall function 00007FF77A81A948: GetLastError.KERNEL32(?,?,?,00007FF77A822D22,?,?,?,00007FF77A822D5F,?,?,00000000,00007FF77A823225,?,?,?,00007FF77A823157), ref: 00007FF77A81A968

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF77A80CBA5), ref: 00007FF77A819064

Strings

C:\Users\user\Desktop\Creal.exe, xrefs: 00007FF77A819052

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\Creal.exe
API String ID: 3580290477-438047805
Opcode ID: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
Instruction ID: 0f301b907766b0887904052c614d2adbcfb34524986fbc5157c75ebfbc88c588
Opcode Fuzzy Hash: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
Instruction Fuzzy Hash: 70418E33A38A0285FB16BF25D8400BCF795EB44B90B954479E94E47BA5DE3CE4A1C320

Function 00007FF77A81CC38 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF77A81CD4F
GetLastError.KERNEL32 ref: 00007FF77A81CD71

Strings

U, xrefs: 00007FF77A81CCFB

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction ID: 0e40abe378b551f885525d267dd3022cc14dc35f33e23615a71554cc995be416
Opcode Fuzzy Hash: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction Fuzzy Hash: F041A263A38A4185FB619F25E4443AAE7A1FB88784F804535EE4D877A4EF3CD421CB50

Function 00007FF77A81F5B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF77A81F5F8
GetCurrentDirectoryW.KERNEL32 ref: 00007FF77A81F64A

Strings

:, xrefs: 00007FF77A81F60E

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 9aa1b1c0966d0181e71a7442aa19fd9d8a3a06258be719e39fc35e3b215e25b0
Instruction ID: c803283908adb970090928a322e0051aa899a28ab471905e88a0515cdf876d6d
Opcode Fuzzy Hash: 9aa1b1c0966d0181e71a7442aa19fd9d8a3a06258be719e39fc35e3b215e25b0
Instruction Fuzzy Hash: 3521D173A3864181FB22AB11D04427DE3A1FB88B44FC5457ED64D436A4DF7CE9658A60

Function 00007FF77A80FD48 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF77A80FD98
RaiseException.KERNEL32 ref: 00007FF77A80FDD9

Strings

csm, xrefs: 00007FF77A80FDC6

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction ID: d405c4b59d5d1e38efd6c8a0958d87e933954eec16f919073ef051428c8f2c98
Opcode Fuzzy Hash: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction Fuzzy Hash: EF11FC23629B4182FB529B15E44426AF6E5FB88B84F584270DE8D07768DF3CD961C700

Function 00007FF77A82073C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A82076C
GetDriveTypeW.KERNEL32 ref: 00007FF77A8207AC

Strings

:, xrefs: 00007FF77A820795

Memory Dump Source

Source File: 00000000.00000002.3272388428.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000000.00000002.3272361719.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272472150.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272513818.00007FF77A842000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3272597901.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff77a800000_Creal.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction ID: 79958e714eb0358f6f944f354c41540e8f0168ad81df23ccbec63adf7c562b6d
Opcode Fuzzy Hash: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction Fuzzy Hash: 5901D46393820285F722BF60D46127EE3A0EF48344FC40475D55C426F1EE2CD8208B24

Analysis Process: Creal.exePID: 6572, Parent PID: 3964COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.7%
Total number of Nodes:	1179
Total number of Limit Nodes:	72

Executed Functions

Function 00007FF8A92D1A0F Relevance: 144.4, APIs: 74, Strings: 8, Instructions: 858COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A931ACE7
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A931ACFF
ERR_new.LIBCRYPTO-3 ref: 00007FF8A931AE96
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A931AEAE
EVP_CIPHER_CTX_get0_cipher.LIBCRYPTO-3 ref: 00007FF8A931AF96
EVP_CIPHER_get_flags.LIBCRYPTO-3 ref: 00007FF8A931AF9E
ERR_new.LIBCRYPTO-3 ref: 00007FF8A931B00C
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A931B024
ERR_new.LIBCRYPTO-3 ref: 00007FF8A931B191
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A931B1A9
ERR_new.LIBCRYPTO-3 ref: 00007FF8A931B1DA
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A931B1F2
EVP_MD_CTX_get0_md.LIBCRYPTO-3 ref: 00007FF8A931B213
EVP_MD_get_size.LIBCRYPTO-3 ref: 00007FF8A931B220
CRYPTO_memcmp.LIBCRYPTO-3 ref: 00007FF8A931B2AA
ERR_set_mark.LIBCRYPTO-3 ref: 00007FF8A931B2C6
ERR_clear_last_mark.LIBCRYPTO-3 ref: 00007FF8A931B315
ERR_new.LIBCRYPTO-3 ref: 00007FF8A931B31F
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A931B337
CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A931B496
CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A931B4B5
ERR_new.LIBCRYPTO-3 ref: 00007FF8A931BA16
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A931BA2E
ERR_new.LIBCRYPTO-3 ref: 00007FF8A931BA40
ERR_new.LIBCRYPTO-3 ref: 00007FF8A931BA4C
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A931BA64

Strings

PUT , xrefs: 00007FF8A931B943
HEAD , xrefs: 00007FF8A931B929
GET , xrefs: 00007FF8A931B8E8
ssl3_get_record, xrefs: 00007FF8A931ACF1, 00007FF8A931AEA0, 00007FF8A931B016, 00007FF8A931B064, 00007FF8A931B094, 00007FF8A931B0BC, 00007FF8A931B0E9, 00007FF8A931B196, 00007FF8A931B1DF, 00007FF8A931B324, 00007FF8A931B34C, 00007FF8A931B3B8, 00007FF8A931B439, 00007FF8A931B593, 00007FF8A931B743, 00007FF8A931B7C2, 00007FF8A931B7EF, 00007FF8A931B821, 00007FF8A931B855, 00007FF8A931B887, 00007FF8A931B973, 00007FF8A931B9AD, 00007FF8A931BA20, 00007FF8A931BA51
CONNE, xrefs: 00007FF8A931B95A
..\s\ssl\record\ssl3_record.c, xrefs: 00007FF8A931ACF8, 00007FF8A931AEA7, 00007FF8A931B01D, 00007FF8A931B06B, 00007FF8A931B09B, 00007FF8A931B0C8, 00007FF8A931B0F5, 00007FF8A931B1A2, 00007FF8A931B1EB, 00007FF8A931B330, 00007FF8A931B358, 00007FF8A931B38F, 00007FF8A931B3C4, 00007FF8A931B445, 00007FF8A931B489, 00007FF8A931B4AB, 00007FF8A931B74F, 00007FF8A931B7CE, 00007FF8A931B7FB, 00007FF8A931B828, 00007FF8A931B861, 00007FF8A931B88E, 00007FF8A931B97F, 00007FF8A931B9B9, 00007FF8A931BA27, 00007FF8A931BA5D
POST , xrefs: 00007FF8A931B90B
, xrefs: 00007FF8A931B187

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_new$R_set_debug$O_free$D_get_sizeO_memcmpR_clear_last_markR_get_flagsR_set_markX_get0_cipherX_get0_md
String ID: $..\s\ssl\record\ssl3_record.c$CONNE$GET $HEAD $POST $PUT $ssl3_get_record
API String ID: 2283737721-2781224710
Opcode ID: 40243567b0c9e5d0b1d25a9c0806e483eb2da45cb6c3cb4bcf6ca79101e842da
Instruction ID: 2eb24045a7d9ce66cc1eef5ace54aa878e430422fd0dfe1a543049dd788ccc79
Opcode Fuzzy Hash: 40243567b0c9e5d0b1d25a9c0806e483eb2da45cb6c3cb4bcf6ca79101e842da
Instruction Fuzzy Hash: 31828E31A0EEC2A1FB649F21D8403BA62B1EF857C4F646036DA4DC76A9EF3CE5458711

Function 00007FF77A801000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 511
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Py_GIL_DISABLED, xrefs: 00007FF77A803AF4
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF77A803A0B, 00007FF77A803CD4, 00007FF77A803F6B
_PYI_ARCHIVE_FILE, xrefs: 00007FF77A8038D2, 00007FF77A8039FF
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF77A803EA6
MEI, xrefs: 00007FF77A803933
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF77A8039DE
Failed to load splash screen resources!, xrefs: 00007FF77A803E85
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF77A803E0A
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF77A803EBB
pyi-runtime-tmpdir, xrefs: 00007FF77A803B68
VCRUNTIME140.dll, xrefs: 00007FF77A803DB1
pyi-python-flag, xrefs: 00007FF77A803AD6
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF77A803D35
Failed to remove temporary directory: %s, xrefs: 00007FF77A803FCF
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF77A803D12
Failed to convert DLL search path!, xrefs: 00007FF77A803DDC
pkg, xrefs: 00007FF77A8039BE
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF77A803C61
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF77A803A17, 00007FF77A803A2F, 00007FF77A803A9B
_PYI_SPLASH_IPC, xrefs: 00007FF77A803A23, 00007FF77A803EF5
pyi-disable-windowed-traceback, xrefs: 00007FF77A803BB2
Failed to start splash screen!, xrefs: 00007FF77A803ED4
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF77A803971
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF77A803BE8
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF77A803B32
Could not create temporary directory!, xrefs: 00007FF77A803CBF
pyi-contents-directory, xrefs: 00007FF77A803B8D
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF77A803882, 00007FF77A8038AF

Memory Dump Source

Source File: 00000002.00000002.3276690762.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000002.00000002.3276655207.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276729991.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A841000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276846486.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77a800000_Creal.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag$pyi-runtime-tmpdir
API String ID: 2776309574-4232158417
Opcode ID: 233ec7f25ec1ed803ce179537cd482b57a2e4efc6b2dbb8e538fcab84ef42543
Instruction ID: c9b8a401d84b71e2fcb48cc5b43b39384e40f64dec1ff4a864cff88abcc38a76
Opcode Fuzzy Hash: 233ec7f25ec1ed803ce179537cd482b57a2e4efc6b2dbb8e538fcab84ef42543
Instruction Fuzzy Hash: CF328D63A38A8291FB1BB725D5552BAE6D1EF44780FC440B6DA4D422F6EF2CE574C320

Function 00007FF8A82792B0 Relevance: 14.0, APIs: 6, Strings: 3, Instructions: 513
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.VCRUNTIME140 ref: 00007FF8A827937F
memset.VCRUNTIME140 ref: 00007FF8A82793F7
memcpy.VCRUNTIME140 ref: 00007FF8A827945E
memcpy.VCRUNTIME140 ref: 00007FF8A8279480
memcpy.VCRUNTIME140 ref: 00007FF8A827963E
memcpy.VCRUNTIME140 ref: 00007FF8A8279667

Strings

immutable, xrefs: 00007FF8A82797FD
-journal, xrefs: 00007FF8A8279646
nolock, xrefs: 00007FF8A82797C5

Memory Dump Source

Source File: 00000002.00000002.3277207698.00007FF8A8261000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FF8A8260000, based on PE: true

Associated: 00000002.00000002.3277178249.00007FF8A8260000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.3277331741.00007FF8A8394000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.3277382731.00007FF8A83C3000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.3277410291.00007FF8A83C8000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8260000_Creal.jbxd

Similarity

API ID: memcpy$memset
String ID: -journal$immutable$nolock
API String ID: 438689982-4201244970
Opcode ID: b889cb4f4768661f7f9881cf31fb090a6ebf8d29dfe016ab079dc1ba7c80e3ed
Instruction ID: f3ae2ea58bfcd6911736b20de7354641ef2cd9c80c83578aadd95a8a8286a32a
Opcode Fuzzy Hash: b889cb4f4768661f7f9881cf31fb090a6ebf8d29dfe016ab079dc1ba7c80e3ed
Instruction Fuzzy Hash: 53327262A0AB82AAEB559F26D45037937A2FF45BE4F084234CA5E077D8DF3CE455C324

Function 00007FF77A826964 Relevance: 13.8, APIs: 9, Instructions: 276fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF77A826698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77A8266D9
Part of subcall function 00007FF77A826698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77A826757
Part of subcall function 00007FF77A826698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF77A8267A8

CreateFileW.KERNEL32 ref: 00007FF77A826A6A
CreateFileW.KERNEL32 ref: 00007FF77A826ABA
GetLastError.KERNEL32 ref: 00007FF77A826AEA
GetFileType.KERNEL32 ref: 00007FF77A826AFF
GetLastError.KERNEL32 ref: 00007FF77A826B09
CloseHandle.KERNEL32 ref: 00007FF77A826B3C
CloseHandle.KERNEL32 ref: 00007FF77A826C9F
CreateFileW.KERNEL32 ref: 00007FF77A826CD4
GetLastError.KERNEL32 ref: 00007FF77A826CE3

Memory Dump Source

Source File: 00000002.00000002.3276690762.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000002.00000002.3276655207.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276729991.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A841000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276846486.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77a800000_Creal.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction ID: 1eae22ca7cdb0205b4883194a906c2ce7cca20ce3a418606e81f6a8b61932562
Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction Fuzzy Hash: DEC18C33A38A4686FB11EF65C4906BCB761E749BA8B814279DA1E577E4DF38D061C310

Function 00007FF8A8282250 Relevance: 5.1, APIs: 2, Strings: 1, Instructions: 586stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A82822C7
memcpy.VCRUNTIME140 ref: 00007FF8A8282403

Strings

:memory:, xrefs: 00007FF8A82822BD

Memory Dump Source

Source File: 00000002.00000002.3277207698.00007FF8A8261000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FF8A8260000, based on PE: true

Associated: 00000002.00000002.3277178249.00007FF8A8260000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.3277331741.00007FF8A8394000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.3277382731.00007FF8A83C3000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.3277410291.00007FF8A83C8000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8260000_Creal.jbxd

Similarity

API ID: memcpystrcmp
String ID: :memory:
API String ID: 4075415522-2920599690
Opcode ID: b8be58b5b70b0294c8f094e668d780ddba5de25dfe3bb3f8cfbfc4a8bfd5efdc
Instruction ID: b6050b8003a70b5edfe2cdfec3cb6c8632bca6980295b9df354e0bd8e6e2c431
Opcode Fuzzy Hash: b8be58b5b70b0294c8f094e668d780ddba5de25dfe3bb3f8cfbfc4a8bfd5efdc
Instruction Fuzzy Hash: A2428162A0EB82A6EF658B25D55037A77A0FF65BC4F084135CE4E03799DF3CE4958328

Function 00007FF77A809280 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF77A8092B3
FindClose.KERNEL32 ref: 00007FF77A8092C2

Memory Dump Source

Source File: 00000002.00000002.3276690762.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000002.00000002.3276655207.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276729991.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A841000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276846486.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77a800000_Creal.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction ID: c07d237357ad059ed8afe6ae591b2179998d84a6897a83ed5549c4517b96ae90
Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction Fuzzy Hash: 37F0A423A3964286F7619B64B498766F390BB84724F840235E9BD02AE4DF3CD0688A00

Function 00007FF8A8271230 Relevance: 1.7, APIs: 1, Instructions: 204COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00007FF8A8271255

Memory Dump Source

Source File: 00000002.00000002.3277207698.00007FF8A8261000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FF8A8260000, based on PE: true

Associated: 00000002.00000002.3277178249.00007FF8A8260000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.3277331741.00007FF8A8394000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.3277382731.00007FF8A83C3000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.3277410291.00007FF8A83C8000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8260000_Creal.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 0609f6becf4837133f86ac5623d419228c70d3b405efdb4a8828f98acc38b35e
Instruction ID: fcebe6a485f2d169b3e6cc5fbc1e25825bdbe866f87f85a346cb51b40f917c6d
Opcode Fuzzy Hash: 0609f6becf4837133f86ac5623d419228c70d3b405efdb4a8828f98acc38b35e
Instruction Fuzzy Hash: F0A10FA1E0BF47A1FE948B56E85437672A1FF44BC0F580535CA8D477A4EF6CE4988328

Function 00007FF8A92D1C1C Relevance: 70.6, APIs: 37, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A9316EEC
ERR_new.LIBCRYPTO-3 ref: 00007FF8A9317113
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A931712B
ERR_new.LIBCRYPTO-3 ref: 00007FF8A931728B
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A93172A3
BIO_clear_flags.LIBCRYPTO-3 ref: 00007FF8A931730E
BIO_set_flags.LIBCRYPTO-3 ref: 00007FF8A931731B
memcpy.VCRUNTIME140 ref: 00007FF8A931735A
ERR_new.LIBCRYPTO-3 ref: 00007FF8A931747D
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9317495
memcpy.VCRUNTIME140 ref: 00007FF8A9317510
OPENSSL_cleanse.LIBCRYPTO-3 ref: 00007FF8A9317543
ERR_new.LIBCRYPTO-3 ref: 00007FF8A93175BB
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A93175D3
ERR_new.LIBCRYPTO-3 ref: 00007FF8A93175E8
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9317600
ERR_new.LIBCRYPTO-3 ref: 00007FF8A93176E8
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9317700
ERR_new.LIBCRYPTO-3 ref: 00007FF8A9317720
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9317738
ERR_new.LIBCRYPTO-3 ref: 00007FF8A931774D
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9317765
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A931786E

Strings

..\s\ssl\record\rec_layer_s3.c, xrefs: 00007FF8A9317124, 00007FF8A931729C, 00007FF8A931748E, 00007FF8A93175CC, 00007FF8A93175F9, 00007FF8A9317631, 00007FF8A931766B, 00007FF8A93176CC, 00007FF8A93176F9, 00007FF8A9317731, 00007FF8A931775E, 00007FF8A93177A6, 00007FF8A93177CD, 00007FF8A9317867
SSL alert number %d, xrefs: 00007FF8A9317682
ssl3_read_bytes, xrefs: 00007FF8A9317118, 00007FF8A9317290, 00007FF8A9317482, 00007FF8A93175C0, 00007FF8A93175ED, 00007FF8A9317625, 00007FF8A931765F, 00007FF8A93176C0, 00007FF8A93176ED, 00007FF8A9317725, 00007FF8A9317757, 00007FF8A931779A, 00007FF8A93177C6, 00007FF8A9317860

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debug$memcpy$L_cleanseO_clear_flagsO_set_flags
String ID: ..\s\ssl\record\rec_layer_s3.c$SSL alert number %d$ssl3_read_bytes
API String ID: 480058824-3615793073
Opcode ID: 6ce1f1e6ab867371c9ac5fdbcfd9244af31884eb36a4143032fe0f8282fb1a6d
Instruction ID: 5847467071154d5e385e5c5379affae1602e53171a1d2480fb8f97c625a750d9
Opcode Fuzzy Hash: 6ce1f1e6ab867371c9ac5fdbcfd9244af31884eb36a4143032fe0f8282fb1a6d
Instruction Fuzzy Hash: DE526F21A0EEC2A5FF649F55D4403BA62B1EF457C4F686035DA4E87AA5EF3DE841C700

Function 00007FF8B7E08470 Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 190
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B7E084AB
PyErr_SetString.PYTHON313 ref: 00007FF8B7E084F5
PyUnicode_FSConverter.PYTHON313 ref: 00007FF8B7E08507
PyErr_ExceptionMatches.PYTHON313 ref: 00007FF8B7E0851B
PyUnicode_FSConverter.PYTHON313 ref: 00007FF8B7E0853E
PyErr_ExceptionMatches.PYTHON313 ref: 00007FF8B7E08552
PyUnicode_AsASCIIString.PYTHON313 ref: 00007FF8B7E08581
PyErr_ExceptionMatches.PYTHON313 ref: 00007FF8B7E08599
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E085D6
PyObject_CheckBuffer.PYTHON313 ref: 00007FF8B7E085F9
PyObject_GetBuffer.PYTHON313 ref: 00007FF8B7E0860D
PyBuffer_Release.PYTHON313 ref: 00007FF8B7E08624
PyBuffer_Release.PYTHON313 ref: 00007FF8B7E08652
PyEval_SaveThread.PYTHON313 ref: 00007FF8B7E08674
SSL_CTX_load_verify_locations.LIBSSL-3 ref: 00007FF8B7E08687
PyEval_RestoreThread.PYTHON313 ref: 00007FF8B7E08692
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B7E0869C
PyErr_SetFromErrno.PYTHON313 ref: 00007FF8B7E086B1
ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B7E086B7
_Py_Dealloc.PYTHON313(?,?,?,?,?,?,?,?,?,00007FF8A8E161F0,?,?,00007FF8A8E161F0,?,00007FF8A8E161F0,00007FF8B7E08450), ref: 00007FF8B7E086EB
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E08705

Strings

cadata should be a contiguous buffer with a single dimension, xrefs: 00007FF8B7E0862A
cadata should be an ASCII string or a bytes-like object, xrefs: 00007FF8B7E085A7
capath should be a valid filesystem path, xrefs: 00007FF8B7E08560
cafile, capath and cadata cannot be all omitted, xrefs: 00007FF8B7E084E4
cafile should be a valid filesystem path, xrefs: 00007FF8B7E08529

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Err_$DeallocExceptionMatchesUnicode_$BufferBuffer_ConverterEval_Object_ReleaseStringThread_errno$CheckErrnoFromR_clear_errorRestoreSaveX_load_verify_locations
String ID: cadata should be a contiguous buffer with a single dimension$cadata should be an ASCII string or a bytes-like object$cafile should be a valid filesystem path$cafile, capath and cadata cannot be all omitted$capath should be a valid filesystem path
API String ID: 3514852180-3904065072
Opcode ID: 4b569e1828d5298e13ff4229d83b18081c11c23e268f6572ed8ed53cd8f90d79
Instruction ID: ca2b55d8d6be53bb78662068419609c25537db4e630b5c0b5ad64d9fd5e2b0e7
Opcode Fuzzy Hash: 4b569e1828d5298e13ff4229d83b18081c11c23e268f6572ed8ed53cd8f90d79
Instruction Fuzzy Hash: B3813925A09B4689FA64AB6DE95A27D23A0BF48FD8F444431DF0E57AB4DF3CE444C700

Function 00007FF8B7E04F10 Relevance: 35.1, APIs: 15, Strings: 5, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyErr_SetString.PYTHON313 ref: 00007FF8B7E04F53
BIO_new_mem_buf.LIBCRYPTO-3 ref: 00007FF8B7E04F80
SSL_CTX_get_cert_store.LIBSSL-3 ref: 00007FF8B7E04FAF
BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8B7E04FCD
d2i_X509_bio.LIBCRYPTO-3 ref: 00007FF8B7E04FE0
SSL_CTX_get_default_passwd_cb_userdata.LIBSSL-3 ref: 00007FF8B7E04FEC
SSL_CTX_get_default_passwd_cb.LIBSSL-3 ref: 00007FF8B7E04FF9
PEM_read_bio_X509.LIBCRYPTO-3 ref: 00007FF8B7E0500A
X509_STORE_add_cert.LIBCRYPTO-3 ref: 00007FF8B7E05023
X509_free.LIBCRYPTO-3 ref: 00007FF8B7E0502E
ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B7E05038
ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B7E05066
ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B7E0507F
BIO_free.LIBCRYPTO-3 ref: 00007FF8B7E050D5
ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B7E0511B

Part of subcall function 00007FF8B7E06750: ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B7E06768
Part of subcall function 00007FF8B7E06750: ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B7E06791

Strings

not enough data: cadata does not contain a certificate, xrefs: 00007FF8B7E05097
Empty certificate data, xrefs: 00007FF8B7E04F49
Can't allocate buffer, xrefs: 00007FF8B7E04F92
Certificate data is too long., xrefs: 00007FF8B7E04F71
no start line: cadata does not contain a certificate, xrefs: 00007FF8B7E0509E

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: R_clear_errorR_peek_last_error$E_add_certErr_M_read_bio_O_ctrlO_freeO_new_mem_bufStringX509X509_X509_bioX509_freeX_get_cert_storeX_get_default_passwd_cbX_get_default_passwd_cb_userdatad2i_
String ID: Can't allocate buffer$Certificate data is too long.$Empty certificate data$no start line: cadata does not contain a certificate$not enough data: cadata does not contain a certificate
API String ID: 2827233063-3246380861
Opcode ID: f77df0b0a087a1a67b16f0981dcb06e07524f71215003e28bcc92bd1838cc09b
Instruction ID: 38b68cf40bcbf87e006a12cea5e7da7f9562846521cb1357399e7c0856dfa954
Opcode Fuzzy Hash: f77df0b0a087a1a67b16f0981dcb06e07524f71215003e28bcc92bd1838cc09b
Instruction Fuzzy Hash: B3518321E08B0786FA646B2EA85263E63A1BF85FC8F544535DF5E877B0EF3CE4458600

Function 00007FF8B7E0A874 Relevance: 34.7, APIs: 23, Instructions: 200
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PySet_New.PYTHON313 ref: 00007FF8B7E0A895

Part of subcall function 00007FF8B7E0CCDC: CertOpenStore.CRYPT32 ref: 00007FF8B7E0CD07

_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0A8C8
GetLastError.KERNEL32 ref: 00007FF8B7E0A8CE
PyErr_SetFromWindowsErr.PYTHON313 ref: 00007FF8B7E0A8D6
PyBytes_FromStringAndSize.PYTHON313 ref: 00007FF8B7E0A8F0
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0A93D
PyTuple_New.PYTHON313 ref: 00007FF8B7E0A961
PySet_Add.PYTHON313 ref: 00007FF8B7E0A98A
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0A9A3
CertEnumCertificatesInStore.CRYPT32 ref: 00007FF8B7E0A9AF
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0A9D7
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0A9F3
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0AA0C
CertFreeCertificateContext.CRYPT32 ref: 00007FF8B7E0AA50
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0AA6B
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0AA84
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0AA9D
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0AAB6
CertCloseStore.CRYPT32 ref: 00007FF8B7E0AAC4
PySequence_List.PYTHON313 ref: 00007FF8B7E0AAE4
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0AAFB

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Dealloc$Cert$Store$FromSet_$Bytes_CertificateCertificatesCloseContextEnumErr_ErrorFreeLastListOpenSequence_SizeStringTuple_Windows
String ID:
API String ID: 3212101135-0
Opcode ID: 7eb488ba5e32441d0f01a54a1631f0afa1a8ca53c20eef8b2eeae5f161c725b6
Instruction ID: dac06123ad87fbf38451389b7c523ca959df9100701f807a1b5e6f1a6261aa07
Opcode Fuzzy Hash: 7eb488ba5e32441d0f01a54a1631f0afa1a8ca53c20eef8b2eeae5f161c725b6
Instruction Fuzzy Hash: AA815935E0D7468AFA29AF2DAA1613E63A5BF44FD4F484434CB0E0A7F1DE3DA4658340

Function 00007FF8A92D14BF Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8A932F1BC
SetLastError.KERNEL32 ref: 00007FF8A932F1C3
ERR_new.LIBCRYPTO-3 ref: 00007FF8A932F2A4
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A932F2BC
ERR_new.LIBCRYPTO-3 ref: 00007FF8A932F2E5
ERR_new.LIBCRYPTO-3 ref: 00007FF8A932F30A
ERR_new.LIBCRYPTO-3 ref: 00007FF8A932F32C
ERR_new.LIBCRYPTO-3 ref: 00007FF8A932F34D
ERR_new.LIBCRYPTO-3 ref: 00007FF8A932F372
ERR_new.LIBCRYPTO-3 ref: 00007FF8A932F39B
ERR_new.LIBCRYPTO-3 ref: 00007FF8A932F44B
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A932F463
ERR_new.LIBCRYPTO-3 ref: 00007FF8A932F47E
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A932F496
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A932F4A8
BUF_MEM_free.LIBCRYPTO-3 ref: 00007FF8A932F4B3

Strings

state_machine, xrefs: 00007FF8A932F2AE, 00007FF8A932F450, 00007FF8A932F483
..\s\ssl\statem\statem.c, xrefs: 00007FF8A932F2B5, 00007FF8A932F45C, 00007FF8A932F48F

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_new$R_set_debug$ErrorLastM_freeR_clear_errorR_set_error
String ID: ..\s\ssl\statem\statem.c$state_machine
API String ID: 1370845099-1722249466
Opcode ID: 0d32384d7316208965964d29d91abcf0daa34d1bc1be83e9d84aa4d08f48a424
Instruction ID: c44d7131be85151bdfc8df9a0bdac41448c28bd669d202b706806a62f1f2b3d1
Opcode Fuzzy Hash: 0d32384d7316208965964d29d91abcf0daa34d1bc1be83e9d84aa4d08f48a424
Instruction Fuzzy Hash: A3A1A625A0EED3A5FB649E25D4413BD22F4EF61BC4F686031DA0DC66CACE7CE8418B51

Function 00007FF8B7E091B8 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 163
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF8B7E03C98: PyWeakref_GetRef.PYTHON313 ref: 00007FF8B7E03CAA
Part of subcall function 00007FF8B7E03C98: _Py_Dealloc.PYTHON313 ref: 00007FF8B7E03CCC

SSL_get_rbio.LIBSSL-3 ref: 00007FF8B7E0923A
BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8B7E0924F
SSL_get_wbio.LIBSSL-3 ref: 00007FF8B7E09259
BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8B7E0926A
_PyDeadline_Init.PYTHON313 ref: 00007FF8B7E09280
PyEval_SaveThread.PYTHON313 ref: 00007FF8B7E09291
SSL_do_handshake.LIBSSL-3 ref: 00007FF8B7E0929E
PyEval_RestoreThread.PYTHON313 ref: 00007FF8B7E092D9
PyErr_CheckSignals.PYTHON313 ref: 00007FF8B7E092F0
_PyDeadline_Get.PYTHON313 ref: 00007FF8B7E09308
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0936C
PyErr_SetString.PYTHON313 ref: 00007FF8B7E093A8
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E093C0

Part of subcall function 00007FF8B7E06750: ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B7E06768
Part of subcall function 00007FF8B7E06750: ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B7E06791

Strings

Underlying socket connection gone, xrefs: 00007FF8B7E09205
_ssl.c:1003: The handshake operation timed out, xrefs: 00007FF8B7E093F5
_ssl.c:1011: Underlying socket too large for select()., xrefs: 00007FF8B7E0938C
_ssl.c:1007: Underlying socket has been closed., xrefs: 00007FF8B7E09395

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Dealloc$Deadline_Err_Eval_O_ctrlThread$CheckInitL_do_handshakeL_get_rbioL_get_wbioR_clear_errorR_peek_last_errorRestoreSaveSignalsStringWeakref_
String ID: Underlying socket connection gone$_ssl.c:1003: The handshake operation timed out$_ssl.c:1007: Underlying socket has been closed.$_ssl.c:1011: Underlying socket too large for select().
API String ID: 288340648-2389777663
Opcode ID: 7265f02c1a542241e3f7e2062acdd0cc4db0a65ef925610e45703ceb09e98bfe
Instruction ID: 28cdfb3819aa21a223168af3ac8fb9ba7f0ec42c4b9af99a49619369f85284f1
Opcode Fuzzy Hash: 7265f02c1a542241e3f7e2062acdd0cc4db0a65ef925610e45703ceb09e98bfe
Instruction Fuzzy Hash: 44612B32A08B4286EA649F2AA89657E63A0FF89FC4F545432DF4E477B5DE3DE4418700

Function 00007FF8A92D1C62 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A9336014
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A933602C
ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8A9336061
OPENSSL_sk_value.LIBCRYPTO-3 ref: 00007FF8A9336076
X509_get0_pubkey.LIBCRYPTO-3 ref: 00007FF8A9336081
ERR_new.LIBCRYPTO-3 ref: 00007FF8A93360B7
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A93360CF
ERR_new.LIBCRYPTO-3 ref: 00007FF8A9336114
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A933612C

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A9336025, 00007FF8A93360C8, 00007FF8A9336125, 00007FF8A93361F7
tls_post_process_server_certificate, xrefs: 00007FF8A9336019, 00007FF8A93360BC, 00007FF8A9336119, 00007FF8A93361EB

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debug$L_sk_valueR_clear_errorX509_get0_pubkey
String ID: ..\s\ssl\statem\statem_clnt.c$tls_post_process_server_certificate
API String ID: 2779586248-3767186838
Opcode ID: 4b3c939a7b197642555fd03858451e68e0e2822e76a72f073d6beb959d7d97e5
Instruction ID: 6d3f83794beef35621f0e96cb4e1055712b5255c41b13f37f045d289f4c2fbec
Opcode Fuzzy Hash: 4b3c939a7b197642555fd03858451e68e0e2822e76a72f073d6beb959d7d97e5
Instruction Fuzzy Hash: D4515261B0EAC265FB509F16D4567BE22B0EB84BC8F546035DE1DCB79ADF2CE5818700

Function 00007FF8A92D14F1 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A9317C05
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9317C1D
ERR_new.LIBCRYPTO-3 ref: 00007FF8A9317D0D
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9317D25
SetLastError.KERNEL32 ref: 00007FF8A9317D72
BIO_read.LIBCRYPTO-3 ref: 00007FF8A9317D99
BIO_test_flags.LIBCRYPTO-3 ref: 00007FF8A9317DBC
BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8A9317DD4
ERR_new.LIBCRYPTO-3 ref: 00007FF8A9317E2C
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9317E44
ERR_new.LIBCRYPTO-3 ref: 00007FF8A9317E95
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9317EAD

Strings

ssl3_read_n, xrefs: 00007FF8A9317C0A, 00007FF8A9317D12, 00007FF8A9317E31, 00007FF8A9317E9A
..\s\ssl\record\rec_layer_s3.c, xrefs: 00007FF8A9317C16, 00007FF8A9317D1E, 00007FF8A9317E3D, 00007FF8A9317EA6

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debug$ErrorLastO_ctrlO_readO_test_flags
String ID: ..\s\ssl\record\rec_layer_s3.c$ssl3_read_n
API String ID: 3359833097-4226281315
Opcode ID: 8ebe03c6254369f7a723c3bcb68090796815b0d3cdd902c278eaeef658847182
Instruction ID: 8eb41ee8bbacc28d79308452dddaf1c0d423c829af1c13c694c254880fe67640
Opcode Fuzzy Hash: 8ebe03c6254369f7a723c3bcb68090796815b0d3cdd902c278eaeef658847182
Instruction Fuzzy Hash: 19A18E25B0EEC661FB50AF25D8507B922A0EF44BC4F685131DD5E87BE9EF38E8458710

Function 00007FF77A801950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF77A807F90: _fread_nolock.LIBCMT ref: 00007FF77A80803A

_fread_nolock.LIBCMT ref: 00007FF77A801A1B

Part of subcall function 00007FF77A802910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF77A801B6A), ref: 00007FF77A80295E

Strings

Failed to seek to cookie position!, xrefs: 00007FF77A8019EE
Could not read full TOC!, xrefs: 00007FF77A801B55
Could not allocate buffer for TOC!, xrefs: 00007FF77A801B1B
Error on file., xrefs: 00007FF77A801B8D
calloc, xrefs: 00007FF77A801A68
fread, xrefs: 00007FF77A801A32, 00007FF77A801B5C
MEI, xrefs: 00007FF77A801991
fseek, xrefs: 00007FF77A8019F5
malloc, xrefs: 00007FF77A801B22
Failed to read cookie!, xrefs: 00007FF77A801A2B
Could not allocate memory for archive structure!, xrefs: 00007FF77A801A61

Memory Dump Source

Source File: 00000002.00000002.3276690762.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000002.00000002.3276655207.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276729991.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A841000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276846486.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: ed5d37bd12c92faad5b6bf746ee66ab535d4fcd70a2e81ebf99a2f5a44e873f3
Instruction ID: 101b192b7f60a15506a12e8ce980da7159b136c8d8aee5a4eec3a2e338dd3992
Opcode Fuzzy Hash: ed5d37bd12c92faad5b6bf746ee66ab535d4fcd70a2e81ebf99a2f5a44e873f3
Instruction Fuzzy Hash: 2E81E573A3D68286F722EB14D0452BAE3E0EF48780FC44475D98D437A5EE3CE5A58760

Function 00007FF8A932ECC0 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

read_state_machine, xrefs: 00007FF8A932EF4D, 00007FF8A932EF8A, 00007FF8A932EFB2, 00007FF8A932F025
..\s\ssl\statem\statem.c, xrefs: 00007FF8A932EF54, 00007FF8A932EF91, 00007FF8A932EFBE, 00007FF8A932F031

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID:
String ID: ..\s\ssl\statem\statem.c$read_state_machine
API String ID: 0-3323778802
Opcode ID: c8972936501a879b7e84c5051af7770807ba9d65b882bacb7b5450dec163fd8f
Instruction ID: bb3fa9be6496ea6311f16cecc27fbb1a31ad42d1213c824607829fcba6ebe78a
Opcode Fuzzy Hash: c8972936501a879b7e84c5051af7770807ba9d65b882bacb7b5450dec163fd8f
Instruction Fuzzy Hash: 65919021A0EAC2A5F7609F25D4413BD37A4EF90BC8F545035DA1D87A99CF7DE446C740

Function 00007FF77A802180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDC.USER32 ref: 00007FF77A8021AB
SelectObject.GDI32 ref: 00007FF77A8021F2
DrawTextW.USER32 ref: 00007FF77A802215
SelectObject.GDI32 ref: 00007FF77A80222B
ReleaseDC.USER32 ref: 00007FF77A80223B
MoveWindow.USER32 ref: 00007FF77A80228B
MoveWindow.USER32 ref: 00007FF77A8022CB
MoveWindow.USER32 ref: 00007FF77A80231E
MoveWindow.USER32 ref: 00007FF77A802366

Strings

P%, xrefs: 00007FF77A8021FF

Memory Dump Source

Source File: 00000002.00000002.3276690762.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000002.00000002.3276655207.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276729991.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A841000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276846486.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77a800000_Creal.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: ca09c9b76f70415b535db95390a1cf56cbe5a7bb6ac22a0f2f428edd5025adf5
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: 3C51E626624BA186E6349F26E4581BAF7A1F798B61F004131EFDE43794DF3CE055DB20

Function 00007FF8A932F6B0 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ERR_new.LIBCRYPTO-3(?,?,FFFFFFFF,00000000,00007FF8A932F416), ref: 00007FF8A932F762
ERR_set_debug.LIBCRYPTO-3(?,?,FFFFFFFF,00000000,00007FF8A932F416), ref: 00007FF8A932F77A

Strings

..\s\ssl\statem\statem.c, xrefs: 00007FF8A932F773, 00007FF8A932FA62
write_state_machine, xrefs: 00007FF8A932F76C, 00007FF8A932FA5B

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debug
String ID: ..\s\ssl\statem\statem.c$write_state_machine
API String ID: 193678381-552286378
Opcode ID: e5d1fe94fccde403d4ccffd35c49600b4c13cc4e7178492653a3fc2a8d140b00
Instruction ID: 05b7704793b0c169141b11a195c21cc4383ae088d1618381261d769333cd7f88
Opcode Fuzzy Hash: e5d1fe94fccde403d4ccffd35c49600b4c13cc4e7178492653a3fc2a8d140b00
Instruction Fuzzy Hash: 8FA17D22A0EA92A5FB649F29D4543BD23B4EB50BC8F445136CA4DC3A99CF7CE945CB01

Function 00007FF77A801470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF77A8014DE
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF77A801518
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF77A8015DF
Failed to extract %s: failed to open archive file!, xrefs: 00007FF77A80149F
fread, xrefs: 00007FF77A8015E6
fseek, xrefs: 00007FF77A8014E5
malloc, xrefs: 00007FF77A80151F

Memory Dump Source

Source File: 00000002.00000002.3276690762.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000002.00000002.3276655207.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276729991.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A841000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276846486.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77a800000_Creal.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 63c68e8786c2abf00790aed082817e0e68851266c528218f2f0b63e7b600aa09
Instruction ID: c8a36b70edf9c3480e1ab9499f0d9e461a1373b983bc50ceda3d31758a93bac2
Opcode Fuzzy Hash: 63c68e8786c2abf00790aed082817e0e68851266c528218f2f0b63e7b600aa09
Instruction Fuzzy Hash: 48417F33A3864286FA12EB21D4405BAE390BF44794FC44872ED4D4BBB5EE3CE5618720

Function 00007FF8B7E0A790 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_PyArg_UnpackKeywords.PYTHON313 ref: 00007FF8B7E0A7E1
_PyArg_BadArgument.PYTHON313 ref: 00007FF8B7E0A81A
PyUnicode_AsUTF8AndSize.PYTHON313 ref: 00007FF8B7E0A827
PyErr_SetString.PYTHON313 ref: 00007FF8B7E0A859

Strings

enum_certificates, xrefs: 00007FF8B7E0A80C
str, xrefs: 00007FF8B7E0A805
embedded null character, xrefs: 00007FF8B7E0A84F
argument 'store_name', xrefs: 00007FF8B7E0A813

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Arg_$ArgumentErr_KeywordsSizeStringUnicode_Unpack
String ID: argument 'store_name'$embedded null character$enum_certificates$str
API String ID: 2966986319-2881692381
Opcode ID: 7f5ba209273cadbaaa0886b87aea74cb0cebff2d6555443c0b37e337afc2d137
Instruction ID: 4187a53e20c8ce54dbf73521fc5990ae67225c6d1bfe056081caf3e9d9da12d3
Opcode Fuzzy Hash: 7f5ba209273cadbaaa0886b87aea74cb0cebff2d6555443c0b37e337afc2d137
Instruction Fuzzy Hash: 2B216661A0DB0A85FE509B19E85A27D63A0EF48FD0F544236DA5E477B4EF3CE545C700

Function 00007FF77A801210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF77A8012EF
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF77A801276
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF77A80141E
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF77A8012BA
1.3.1, xrefs: 00007FF77A801249
malloc, xrefs: 00007FF77A8012C1, 00007FF77A8012F6

Memory Dump Source

Source File: 00000002.00000002.3276690762.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000002.00000002.3276655207.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276729991.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A841000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276846486.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77a800000_Creal.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: 096f828560730c5e91f8963ea1229aecabbed89a92b0e893cc7cf6d4f043b132
Instruction ID: feceda8afeee949dc02d32abde7a03b7c39a5d7e83b2211dd0310cb5e60656cd
Opcode Fuzzy Hash: 096f828560730c5e91f8963ea1229aecabbed89a92b0e893cc7cf6d4f043b132
Instruction Fuzzy Hash: 8551CF23A39A4285F622BB11E4003BAE2D1BF847A4FC84575EE4D477E5EE3CE4618720

Function 00007FF77A8036B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,00007FF77A803804), ref: 00007FF77A8036E1
GetLastError.KERNEL32(?,00007FF77A803804), ref: 00007FF77A8036EB

Part of subcall function 00007FF77A802C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF77A803706,?,00007FF77A803804), ref: 00007FF77A802C9E
Part of subcall function 00007FF77A802C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF77A803706,?,00007FF77A803804), ref: 00007FF77A802D63
Part of subcall function 00007FF77A802C50: MessageBoxW.USER32 ref: 00007FF77A802D99

Strings

GetModuleFileNameW, xrefs: 00007FF77A8036FA
\\?\, xrefs: 00007FF77A80375A
Failed to resolve full path to executable %ls., xrefs: 00007FF77A803739
Failed to convert executable path to UTF-8., xrefs: 00007FF77A803790
Failed to obtain executable path., xrefs: 00007FF77A8036F3

Memory Dump Source

Source File: 00000002.00000002.3276690762.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000002.00000002.3276655207.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276729991.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A841000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276846486.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77a800000_Creal.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction ID: dc3ca2f4c4b5dcfbcebf957f030a81dd1569d1837a67c2a48419cdf701f5e186
Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction Fuzzy Hash: 592156A3F3854251FA27B724E8153B7E290BF88354FC04176E65D865F5EE2CE524C760

Function 00007FF77A81BA5C Relevance: 10.8, APIs: 7, Instructions: 290COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A81BE89

Memory Dump Source

Source File: 00000002.00000002.3276690762.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000002.00000002.3276655207.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276729991.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A841000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276846486.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c3f57b6cd1f658b3a1cfdd45bc75f21d2f6c8be166295f0eb40444005b392bd6
Instruction ID: 294c4569b739a5326916fd4b1a06613f8b7ee3af8f6c7e39521050f1ef2ac7e3
Opcode Fuzzy Hash: c3f57b6cd1f658b3a1cfdd45bc75f21d2f6c8be166295f0eb40444005b392bd6
Instruction Fuzzy Hash: 4DC1132393C68681F762BB15D0486BDEB50EB81B80FD909B9EA4D073B1DE7CE4658720

Function 00007FF8A93415A0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A93416C6
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A93416DE
ERR_new.LIBCRYPTO-3 ref: 00007FF8A9341761
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9341779

Strings

..\s\ssl\statem\statem_lib.c, xrefs: 00007FF8A93416D7, 00007FF8A9341772
tls_get_message_header, xrefs: 00007FF8A93416CB, 00007FF8A9341766

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debug
String ID: ..\s\ssl\statem\statem_lib.c$tls_get_message_header
API String ID: 193678381-2714770296
Opcode ID: f45773da2448751231a1ca749fc05bc9d2df97a6a3f744ec35cbeb086fc78321
Instruction ID: 83d3b718b635d660812d52377019e8637f68786b65bf5fe00d9937682d44f49f
Opcode Fuzzy Hash: f45773da2448751231a1ca749fc05bc9d2df97a6a3f744ec35cbeb086fc78321
Instruction Fuzzy Hash: BF614C32A0DFC2A5EB508F61E4903A93BA4EB94BC9F199035DB8D87795DF3CE4648710

Function 00007FF77A806360 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF77A806407
Failed to load Python DLL '%ls'., xrefs: 00007FF77A8064A7
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF77A8063C7
LoadLibrary, xrefs: 00007FF77A8064AE
ucrtbase.dll, xrefs: 00007FF77A8063DD
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF77A806456

Memory Dump Source

Source File: 00000002.00000002.3276690762.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000002.00000002.3276655207.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276729991.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A841000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276846486.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77a800000_Creal.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 111e0a7e53993944da2df5d9c96cd3a7cea32e86f931b773c4ccd6a62d35c348
Instruction ID: 44e164f40271806adb526a05ae2708986a0d0e080897f4393b1e23e37962790b
Opcode Fuzzy Hash: 111e0a7e53993944da2df5d9c96cd3a7cea32e86f931b773c4ccd6a62d35c348
Instruction Fuzzy Hash: 49416F62A38A8691FA26FB24E4141FAE391FF44350FC00172EA5C436E5EF7CE569C760

Function 00007FF8A92EFD40 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A92EFD62
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92EFD7A
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A92EFD8C
ASYNC_get_current_job.LIBCRYPTO-3 ref: 00007FF8A92EFDDB

Strings

SSL_do_handshake, xrefs: 00007FF8A92EFD67
..\s\ssl\ssl_lib.c, xrefs: 00007FF8A92EFD73

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: C_get_current_jobR_newR_set_debugR_set_error
String ID: ..\s\ssl\ssl_lib.c$SSL_do_handshake
API String ID: 2134390360-2964568172
Opcode ID: 3e19f5133db6f9f0995d995d45ee5f37c3958f709a5efffcd3d50ec949d9a66b
Instruction ID: 43e7ead2e136ceafc4fd95634d70fbbc3eae5ea50ec2e8441e05e4211b202151
Opcode Fuzzy Hash: 3e19f5133db6f9f0995d995d45ee5f37c3958f709a5efffcd3d50ec949d9a66b
Instruction Fuzzy Hash: 1D219022F0DAC262FA54AF25F4413AA5291EFC87D4F581231E96D86BDBDE2CE4918640

Function 00007FF8A826FFD0 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 409fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF8A827020A

Part of subcall function 00007FF8A826FA10: memset.VCRUNTIME140 ref: 00007FF8A826FA50
Part of subcall function 00007FF8A826FA10: memset.VCRUNTIME140 ref: 00007FF8A826FADF

Strings

exclusive, xrefs: 00007FF8A827019B
psow, xrefs: 00007FF8A8270581
delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FF8A82702E6
winOpen, xrefs: 00007FF8A827047D

Memory Dump Source

Source File: 00000002.00000002.3277207698.00007FF8A8261000.00000020.00000001.01000000.00000016.sdmp, Offset: 00007FF8A8260000, based on PE: true

Associated: 00000002.00000002.3277178249.00007FF8A8260000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.3277331741.00007FF8A8394000.00000002.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.3277382731.00007FF8A83C3000.00000004.00000001.01000000.00000016.sdmpDownload File
Associated: 00000002.00000002.3277410291.00007FF8A83C8000.00000002.00000001.01000000.00000016.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8260000_Creal.jbxd

Similarity

API ID: memset$CreateFile
String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
API String ID: 333288564-3829269058
Opcode ID: 91a16a29fa85a4b7500c484f2e0290924f29dc3ca7676500eb30cdcc977ab085
Instruction ID: a62b45e4219cf58ba9b8d4309fd5cc3ef9f7c3b86d858d3daa82e8e9bde27d49
Opcode Fuzzy Hash: 91a16a29fa85a4b7500c484f2e0290924f29dc3ca7676500eb30cdcc977ab085
Instruction Fuzzy Hash: 58027571E0FA42A6FB548B16E8543BA73A1FF85BD4F084135DE4E426A4DF3CE4498728

Function 00007FF77A802390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF77A8023C8
DialogBoxIndirectParamW.USER32 ref: 00007FF77A80248E
DeleteObject.GDI32 ref: 00007FF77A8024C1
DestroyIcon.USER32 ref: 00007FF77A8024D3

Strings

Unhandled exception in script, xrefs: 00007FF77A8023F8

Memory Dump Source

Source File: 00000002.00000002.3276690762.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000002.00000002.3276655207.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276729991.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A841000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276846486.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77a800000_Creal.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 1a8653f9ef4157c26f2335c81c204ff7a5d47729ffdf6617f9212c2ec85f79f4
Instruction ID: 688935ff31453ce44f9e4a1583ed6c982653acbf11831d0f174f99f5e2f82c8f
Opcode Fuzzy Hash: 1a8653f9ef4157c26f2335c81c204ff7a5d47729ffdf6617f9212c2ec85f79f4
Instruction Fuzzy Hash: 8D313273A39A8189F721AB21E8552FAE390FF88784F840175EA4D47BA9DF3CD155C710

Function 00007FF8B7E0CCDC Relevance: 7.6, APIs: 5, Instructions: 64encryptionCOMMON

Download Yara Rule

APIs

CertOpenStore.CRYPT32 ref: 00007FF8B7E0CD07
CertOpenStore.CRYPT32 ref: 00007FF8B7E0CD3A
CertAddStoreToCollection.CRYPT32 ref: 00007FF8B7E0CD55
CertCloseStore.CRYPT32 ref: 00007FF8B7E0CD62
CertCloseStore.CRYPT32 ref: 00007FF8B7E0CD8A

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: CertStore$CloseOpen$Collection
String ID:
API String ID: 1995843185-0
Opcode ID: aaba8413391d0e4b0f15a030ceca06c547fe89b67491544b9257196f0b72f74b
Instruction ID: 856636c192b9b7a85be22adfdf3952ca818cabde347fe858b38583698348661c
Opcode Fuzzy Hash: aaba8413391d0e4b0f15a030ceca06c547fe89b67491544b9257196f0b72f74b
Instruction Fuzzy Hash: A221BE32B18B518AF7249F6AE8056AD66A1FF88FC4F448431CE0D07B74EF3CE5468600

Function 00007FF77A815628 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A815655
CreateFileW.KERNEL32 ref: 00007FF77A815694
CloseHandle.KERNEL32 ref: 00007FF77A8156C9

Memory Dump Source

Source File: 00000002.00000002.3276690762.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000002.00000002.3276655207.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276729991.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A841000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276846486.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77a800000_Creal.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
Instruction ID: 4905f0c8663b86e07139a34ac13c9e468399e5e3ae57f12b7f41cc31f2f6449f
Opcode Fuzzy Hash: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
Instruction Fuzzy Hash: D041B223D3878183F715AB24D554379E360FB947A4F908B79E69C03AE1EF6CA0B08760

Function 00007FF77A8020C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF77A8020F4
SetWindowLongPtrW.USER32 ref: 00007FF77A802116
GetWindowLongPtrW.USER32 ref: 00007FF77A802140
InvalidateRect.USER32 ref: 00007FF77A802160

Memory Dump Source

Source File: 00000002.00000002.3276690762.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000002.00000002.3276655207.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276729991.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A841000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276846486.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77a800000_Creal.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: 8304c73b7791e8ec30470b715f94cb825763324339d8a875f7d625ca5b69910d
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: 6611E922F3C14242F756A769E58827BD2D1FF98780FC44070DB4907BA9DD6DE8E58210

Function 00007FF77A80CC3C Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF77A80CE0C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF77A80CE20

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF77A80CC60
__scrt_release_startup_lock.LIBCMT ref: 00007FF77A80CCCE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF77A80CD21

Memory Dump Source

Source File: 00000002.00000002.3276690762.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000002.00000002.3276655207.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276729991.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A841000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276846486.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77a800000_Creal.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction ID: 21e00b564d5c23ae99c6fcd178a7b928a25528813e7f45eb005624276fd59879
Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction Fuzzy Hash: 99314863E3914345FA56BF64D4513BAE6C2AF91384FC454B8E94E4B2F3DE2CB8248271

Function 00007FF8B7E08C74 Relevance: 4.5, APIs: 3, Instructions: 28threadCOMMON

Download Yara Rule

APIs

PyEval_SaveThread.PYTHON313 ref: 00007FF8B7E08C86
SSL_CTX_set_default_verify_paths.LIBSSL-3 ref: 00007FF8B7E08C93
PyEval_RestoreThread.PYTHON313 ref: 00007FF8B7E08C9E

Part of subcall function 00007FF8B7E06750: ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B7E06768
Part of subcall function 00007FF8B7E06750: ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B7E06791

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Eval_Thread$R_clear_errorR_peek_last_errorRestoreSaveX_set_default_verify_paths
String ID:
API String ID: 4060370505-0
Opcode ID: 905a097660643380bd56d069453f4a83bda0b9af1836d3d7ad8f3158739b5a43
Instruction ID: b5ffc54af3a78ff8b72eaffe230a15d3430f463eccb033166f6ab181130f5f43
Opcode Fuzzy Hash: 905a097660643380bd56d069453f4a83bda0b9af1836d3d7ad8f3158739b5a43
Instruction Fuzzy Hash: 94F0F936A08B9282EB109B6AF44602E6370FF88FD4B584831DF8E47B74CF7CD4558600

Function 00007FF8A932F070 Relevance: 3.3, APIs: 2, Instructions: 303COMMON

Download Yara Rule

APIs

ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8A932F1BC
SetLastError.KERNEL32 ref: 00007FF8A932F1C3
BUF_MEM_free.LIBCRYPTO-3 ref: 00007FF8A932F4B3

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: ErrorLastM_freeR_clear_error
String ID:
API String ID: 1231514297-0
Opcode ID: 8603938ac5e1fbf28ba7d9b8f40a04eb8b77d7e104ff7c3c46d49aacb8bdd123
Instruction ID: cb2db58e2717a10a49e83f8d8bb2fca4c6741ceba04fc439b0c6ffd3231a423c
Opcode Fuzzy Hash: 8603938ac5e1fbf28ba7d9b8f40a04eb8b77d7e104ff7c3c46d49aacb8bdd123
Instruction Fuzzy Hash: 8321F936D0EBD299F7689E25A85127D32F4EF21BC4F686434DA4CC2686DE78E441CB41

Function 00007FF77A81013C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A810180
_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A810277

Memory Dump Source

Source File: 00000002.00000002.3276690762.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000002.00000002.3276655207.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276729991.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A841000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276846486.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction ID: 3381eb0b30c2518f15c624f148ba55c715fda8d78f8c28d0e59450c16b215f82
Opcode Fuzzy Hash: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction Fuzzy Hash: 09513D63B3924186F726BA25DC00679E2A1BF40BA4FA84F79DD7D073E5CE3CD5218620

Function 00007FF8A92D1DF7 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8A932F1BC
SetLastError.KERNEL32 ref: 00007FF8A932F1C3
BUF_MEM_free.LIBCRYPTO-3 ref: 00007FF8A932F4B3

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: ErrorLastM_freeR_clear_error
String ID:
API String ID: 1231514297-0
Opcode ID: 9e1f5a9259e0aa48b60180f011c1c6fd63c9391dcfad61ef29b2cdf2ae2c5ec5
Instruction ID: 8f90084cb537eb21e4055f34e65ee0018805178edc69effb5439d96c7c90ebe3
Opcode Fuzzy Hash: 9e1f5a9259e0aa48b60180f011c1c6fd63c9391dcfad61ef29b2cdf2ae2c5ec5
Instruction Fuzzy Hash: 0C21C631E0EBD2A5F7686E25A44127E22F4EF61BC4F64A130D90DC6696CE3CE841CA51

Function 00007FF77A81C134 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,?,00007FF77A81C2CD), ref: 00007FF77A81C180
GetLastError.KERNEL32(?,?,?,?,?,00007FF77A81C2CD), ref: 00007FF77A81C18A

Memory Dump Source

Source File: 00000002.00000002.3276690762.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000002.00000002.3276655207.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276729991.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A841000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276846486.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77a800000_Creal.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction ID: 37c75212ba77c0adf9e7d71258180011070f22f752bf74efc432ccb620d8a956
Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction Fuzzy Hash: 6C11E2A2A38A8181FA21AB25F804069E361AB45FF0F944775EEBD077E8CE7CD4208700

Function 00007FF77A81AB58 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00007FF77A81A9D5,?,?,00000000,00007FF77A81AA8A), ref: 00007FF77A81ABC6
GetLastError.KERNEL32(?,?,?,00007FF77A81A9D5,?,?,00000000,00007FF77A81AA8A), ref: 00007FF77A81ABD0

Memory Dump Source

Source File: 00000002.00000002.3276690762.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000002.00000002.3276655207.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276729991.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A841000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276846486.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77a800000_Creal.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction ID: 02fb136fe5091d86f27270c48c026a272e2db555cc345cc8896971a822265fd4
Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction Fuzzy Hash: CA21C913F3C68241FB52B7A1D495379D2829F84790FC84ABDD91E4B7F1DE6CA4614321

Function 00007FF77A81BEAC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A81BED4

Memory Dump Source

Source File: 00000002.00000002.3276690762.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000002.00000002.3276655207.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276729991.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A841000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276846486.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction ID: f084e5fabae78cc5b1cd832dbcbb29da0c58c5b9ecff782c7b2e64e70d844b63
Opcode Fuzzy Hash: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction Fuzzy Hash: B441D63393824587FA36BB19E544279F3A1EB55740F900979D68E877E1CF2CE412CBA0

Function 00007FF8A932EDB0 Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

BUF_MEM_grow_clean.LIBCRYPTO-3(?,?,?,FFFFFFFF,00000000,?,00007FF8A932F3FE), ref: 00007FF8A932EE57

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: M_grow_clean
String ID:
API String ID: 964628749-0
Opcode ID: 1aa8bc403af585d6ad140d3c981c2ccf0944b06950901931b16cc14dda0e7e7d
Instruction ID: 7ff37f6f7a40c1e4b1d4577064b66005a96e64f3d58f8d665a6623fcbba245b7
Opcode Fuzzy Hash: 1aa8bc403af585d6ad140d3c981c2ccf0944b06950901931b16cc14dda0e7e7d
Instruction Fuzzy Hash: 91417B32A0EA8696EB649F25D05037D27A5FF90BC8F189139CE4D8B798CF38E841C740

Function 00007FF77A807F90 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF77A80803A

Memory Dump Source

Source File: 00000002.00000002.3276690762.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000002.00000002.3276655207.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276729991.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A841000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276846486.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 70c2359866287a8af0a4a1e3854a8c08d461412c49f5f124f6ea19d8a31e21e5
Instruction ID: c2638cba8e3e8b660c25bf26fdd8244c5d1e1aadf984116b423b26e671d7c7db
Opcode Fuzzy Hash: 70c2359866287a8af0a4a1e3854a8c08d461412c49f5f124f6ea19d8a31e21e5
Instruction Fuzzy Hash: B021A222F3965146FA12BA22A8043BAE691FF45BD4FC84474EE4C07796DE7DE0A1C710

Function 00007FF77A81B93C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A81B9C2

Memory Dump Source

Source File: 00000002.00000002.3276690762.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000002.00000002.3276655207.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276729991.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A841000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276846486.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
Instruction ID: 89ed4ce91801f307756f44e9e98e6091102c2da616bd75dd0456b28a38f3a2ac
Opcode Fuzzy Hash: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
Instruction Fuzzy Hash: 53318263A3860285F712BB65C44537CE690AF80BA0FC509B9E91D473F2EE7CA4628731

Function 00007FF8B7E0837C Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_PyArg_UnpackKeywords.PYTHON313 ref: 00007FF8B7E08401

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Arg_KeywordsUnpack
String ID:
API String ID: 1409375599-0
Opcode ID: 9f51ded2636a1b60185b38b6805e58519e1da1b2f93d7ffa2b68f717ee703bcd
Instruction ID: c366e450d6d6ca262e9034fd05f430d4bed1af12bb3da1c88c2e65ff14a90974
Opcode Fuzzy Hash: 9f51ded2636a1b60185b38b6805e58519e1da1b2f93d7ffa2b68f717ee703bcd
Instruction Fuzzy Hash: CD21D162B09B528AEA61CF4AA81196D6394FF49FC4F450036EF4D277B4DE3CE541C700

Function 00007FF8A92D1F4B Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8A92E06DB

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: O_ctrl
String ID:
API String ID: 3605655398-0
Opcode ID: ffacaa01b585c98eff8cdd5f9400095c95a35eb81919e94f401bdac9d3660e46
Instruction ID: 6cf594198345dccb5fef2e675eccb151fa05dc3953f88d1d3f8765cb96c3ad10
Opcode Fuzzy Hash: ffacaa01b585c98eff8cdd5f9400095c95a35eb81919e94f401bdac9d3660e46
Instruction Fuzzy Hash: 96215C3270AB8486E7508F65E440BDA77A0FB85B88F484136EF9C8BB4DCF78D5418B14

Function 00007FF77A815F94 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A815EF9

Memory Dump Source

Source File: 00000002.00000002.3276690762.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000002.00000002.3276655207.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276729991.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A841000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276846486.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 254f15a2de302633862c4e8122464e7de0eec829bcf4d63e3fb2a8442c9e1b61
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: 24119323A3C64181FA66BF15D40057DE260BF85B84FC4497AEA4C57BB6DF3CD4218760

Function 00007FF77A826354 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A826377

Memory Dump Source

Source File: 00000002.00000002.3276690762.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000002.00000002.3276655207.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276729991.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A841000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276846486.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction ID: 93f2fd84a85ebaf7d53d671dab79c91862768b5b535a971015819aa69830c9fd
Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction Fuzzy Hash: D9215373638A8187FB62AF18D440379F6A0FB84B54F944278EA5D476E9DF3CD4218B11

Function 00007FF77A8103BC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF77A810410

Memory Dump Source

Source File: 00000002.00000002.3276690762.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000002.00000002.3276655207.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276729991.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A841000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276846486.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77a800000_Creal.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: 11e5c9f6f094a63acc25ac2868b35eb1229267e440e59b12c8e9ac801a6ea618
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: 0601A562B3874540F505EF52D940079E6A1BF85FE4F984AB5DE6C17BE6CE3CE4218310

Function 00007FF8A92D1D48 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8A932F678

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: O_ctrl
String ID:
API String ID: 3605655398-0
Opcode ID: c921bd486a97e7f46db7fcb7af9098ff3867d55a4c011b1e5539e085f49d76b1
Instruction ID: 2b61583f6bf1b774498b0fd124fab9f0d736ababbe1e2f41dc418178730ce3ec
Opcode Fuzzy Hash: c921bd486a97e7f46db7fcb7af9098ff3867d55a4c011b1e5539e085f49d76b1
Instruction Fuzzy Hash: 59E020E2F0944152F3501F74984676911A0DF9C754F652030E90CC6BC2D69DDCD24E04

Function 00007FF77A808E80 Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF77A809390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF77A8045F4,00000000,00007FF77A801985), ref: 00007FF77A8093C9

LoadLibraryExW.KERNEL32(?,00007FF77A806476,?,00007FF77A80336E), ref: 00007FF77A808EA2

Memory Dump Source

Source File: 00000002.00000002.3276690762.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000002.00000002.3276655207.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276729991.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A841000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276846486.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77a800000_Creal.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 3eee33850ff877a76f59ec51b6af72cd7d073a691558276a485592abc3036afa
Instruction ID: c34c6b08cae16871a9b6a768c96665822b5e117cb3b63345043c7891c0a8164e
Opcode Fuzzy Hash: 3eee33850ff877a76f59ec51b6af72cd7d073a691558276a485592abc3036afa
Instruction Fuzzy Hash: 0FD0CD02F3514541FA45B767B546675D1515F8DBC0FC8D075EE0D03759DC3CC0514B00

Function 00007FF77A81EB98 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF77A81B32A,?,?,?,00007FF77A814F11,?,?,?,?,00007FF77A81A48A), ref: 00007FF77A81EBED

Memory Dump Source

Source File: 00000002.00000002.3276690762.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000002.00000002.3276655207.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276729991.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A841000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276846486.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77a800000_Creal.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
Instruction ID: 26fa68152a3d74bdcf8c8e84eda68af09fbfcb2efce683c8e836d11bc3b2f0e5
Opcode Fuzzy Hash: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
Instruction Fuzzy Hash: 32F06256B3920282FF5B7665D8952B4D2819F88B80FCC4DB9C90F563F1ED1CE4A14230

Function 00007FF77A81D5FC Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF77A810C90,?,?,?,00007FF77A8122FA,?,?,?,?,?,00007FF77A813AE9), ref: 00007FF77A81D63A

Memory Dump Source

Source File: 00000002.00000002.3276690762.00007FF77A801000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF77A800000, based on PE: true

Associated: 00000002.00000002.3276655207.00007FF77A800000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276729991.00007FF77A82B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A83E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276770474.00007FF77A841000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3276846486.00007FF77A844000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff77a800000_Creal.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction ID: 9606e93d1a7ee6e7d2b5fa7c6bf37729a4ad572d2139d74065498f854143a984
Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction Fuzzy Hash: 8FF05E22F3A20245FE663771D805774D2908F847A0FC80BB8DC2E462E2DF2CA4A081B0

Non-executed Functions

Function 00007FF8B7E08734 Relevance: 107.1, APIs: 50, Strings: 11, Instructions: 305COMMON

Download Yara Rule

APIs

PyDict_New.PYTHON313 ref: 00007FF8B7E08751
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B7E08774
PyLong_FromLong.PYTHON313 ref: 00007FF8B7E0877C
PyDict_SetItemString.PYTHON313 ref: 00007FF8B7E0879B
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E087B1
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B7E087CD
PyLong_FromLong.PYTHON313 ref: 00007FF8B7E087D5
PyDict_SetItemString.PYTHON313 ref: 00007FF8B7E087F4
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0880A
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B7E08826
PyLong_FromLong.PYTHON313 ref: 00007FF8B7E0882E
PyDict_SetItemString.PYTHON313 ref: 00007FF8B7E0884D
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E08863
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B7E0887F
PyLong_FromLong.PYTHON313 ref: 00007FF8B7E08887
PyDict_SetItemString.PYTHON313 ref: 00007FF8B7E088A6
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E088BC
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B7E088D8
PyLong_FromLong.PYTHON313 ref: 00007FF8B7E088E0
PyDict_SetItemString.PYTHON313 ref: 00007FF8B7E088FF
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E08915
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B7E08931
PyLong_FromLong.PYTHON313 ref: 00007FF8B7E08939
PyDict_SetItemString.PYTHON313 ref: 00007FF8B7E08958
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0896E
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B7E0898A
PyLong_FromLong.PYTHON313 ref: 00007FF8B7E08992
PyDict_SetItemString.PYTHON313 ref: 00007FF8B7E089B1
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E089C7
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B7E089E3
PyLong_FromLong.PYTHON313 ref: 00007FF8B7E089EB
PyDict_SetItemString.PYTHON313 ref: 00007FF8B7E08A0A
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E08A20
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B7E08A3C
PyLong_FromLong.PYTHON313 ref: 00007FF8B7E08A44
PyDict_SetItemString.PYTHON313 ref: 00007FF8B7E08A63
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E08A79
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B7E08A95
PyLong_FromLong.PYTHON313 ref: 00007FF8B7E08A9D
PyDict_SetItemString.PYTHON313 ref: 00007FF8B7E08ABC
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E08AD2
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B7E08AEE
PyLong_FromLong.PYTHON313 ref: 00007FF8B7E08AF6
PyDict_SetItemString.PYTHON313 ref: 00007FF8B7E08B15
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E08B2B
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B7E08B43
PyLong_FromLong.PYTHON313 ref: 00007FF8B7E08B4B
PyDict_SetItemString.PYTHON313 ref: 00007FF8B7E08B66
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E08B7C
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E08B99

Strings

cache_full, xrefs: 00007FF8B7E08B5C
number, xrefs: 00007FF8B7E08791
accept, xrefs: 00007FF8B7E088F5, 00007FF8B7E08A00
timeouts, xrefs: 00007FF8B7E08B0B
misses, xrefs: 00007FF8B7E08AB2
connect, xrefs: 00007FF8B7E087EA
hits, xrefs: 00007FF8B7E08A59
accept_good, xrefs: 00007FF8B7E0894E
connect_renegotiate, xrefs: 00007FF8B7E0889C
connect_good, xrefs: 00007FF8B7E08843
accept_renegotiate, xrefs: 00007FF8B7E089A7

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: DeallocDict_$FromItemLongLong_StringX_ctrl
String ID: accept$accept_good$accept_renegotiate$cache_full$connect$connect_good$connect_renegotiate$hits$misses$number$timeouts
API String ID: 3804526530-4076585280
Opcode ID: 826cc633f0df1c29b54c58aed192b4fcd1af314ebf4e90206c7a0cc2b7cb7904
Instruction ID: 3b6fcda09fe710aabbd11e39ccc4f53d7b4399e9079bd7b61a08a62016da25db
Opcode Fuzzy Hash: 826cc633f0df1c29b54c58aed192b4fcd1af314ebf4e90206c7a0cc2b7cb7904
Instruction Fuzzy Hash: 64D15E35A08B4786EA146F39E99A63D33A1AF59FD1B080834CB0E57B70EF3CA414C740

Function 00007FF8B7E054E8 Relevance: 103.6, APIs: 48, Strings: 11, Instructions: 317COMMON

Download Yara Rule

APIs

PyDict_New.PYTHON313 ref: 00007FF8B7E05513
X509_get_subject_name.LIBCRYPTO-3 ref: 00007FF8B7E0552B

Part of subcall function 00007FF8B7E05194: X509_NAME_entry_count.LIBCRYPTO-3 ref: 00007FF8B7E051B8
Part of subcall function 00007FF8B7E05194: PyList_New.PYTHON313 ref: 00007FF8B7E051C7
Part of subcall function 00007FF8B7E05194: PyList_New.PYTHON313 ref: 00007FF8B7E051DB
Part of subcall function 00007FF8B7E05194: X509_NAME_get_entry.LIBCRYPTO-3 ref: 00007FF8B7E051FD
Part of subcall function 00007FF8B7E05194: X509_NAME_ENTRY_set.LIBCRYPTO-3 ref: 00007FF8B7E0520E
Part of subcall function 00007FF8B7E05194: PyList_AsTuple.PYTHON313 ref: 00007FF8B7E0521C
Part of subcall function 00007FF8B7E05194: _Py_Dealloc.PYTHON313 ref: 00007FF8B7E05233
Part of subcall function 00007FF8B7E05194: PyList_Append.PYTHON313 ref: 00007FF8B7E05248
Part of subcall function 00007FF8B7E05194: _Py_Dealloc.PYTHON313 ref: 00007FF8B7E0525E
Part of subcall function 00007FF8B7E05194: PyList_New.PYTHON313 ref: 00007FF8B7E0526E
Part of subcall function 00007FF8B7E05194: X509_NAME_ENTRY_set.LIBCRYPTO-3 ref: 00007FF8B7E05283
Part of subcall function 00007FF8B7E05194: X509_NAME_ENTRY_get_object.LIBCRYPTO-3 ref: 00007FF8B7E0528F
Part of subcall function 00007FF8B7E05194: X509_NAME_ENTRY_get_data.LIBCRYPTO-3 ref: 00007FF8B7E0529B
Part of subcall function 00007FF8B7E05194: PyList_Append.PYTHON313 ref: 00007FF8B7E052C3
Part of subcall function 00007FF8B7E05194: _Py_Dealloc.PYTHON313 ref: 00007FF8B7E052DA

PyDict_SetItemString.PYTHON313 ref: 00007FF8B7E05555
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E05575
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0558E
X509_get_issuer_name.LIBCRYPTO-3 ref: 00007FF8B7E05597
PyDict_SetItemString.PYTHON313 ref: 00007FF8B7E055C1
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E055D9
X509_get_version.LIBCRYPTO-3 ref: 00007FF8B7E055E2
PyLong_FromLong.PYTHON313 ref: 00007FF8B7E055EB
PyDict_SetItemString.PYTHON313 ref: 00007FF8B7E0560A
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E05626
BIO_s_mem.LIBCRYPTO-3 ref: 00007FF8B7E0562C
BIO_new.LIBCRYPTO-3 ref: 00007FF8B7E05635
PyErr_SetString.PYTHON313 ref: 00007FF8B7E0564E
BIO_free.LIBCRYPTO-3 ref: 00007FF8B7E056AE
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E056C2
PyUnicode_FromStringAndSize.PYTHON313 ref: 00007FF8B7E056F9
PyDict_SetItemString.PYTHON313 ref: 00007FF8B7E05714
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0572C
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E05745
BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8B7E05758
X509_get0_notBefore.LIBCRYPTO-3 ref: 00007FF8B7E05761
ASN1_TIME_print.LIBCRYPTO-3 ref: 00007FF8B7E0576D
BIO_gets.LIBCRYPTO-3 ref: 00007FF8B7E05781
PyUnicode_FromStringAndSize.PYTHON313 ref: 00007FF8B7E057A0
PyDict_SetItemString.PYTHON313 ref: 00007FF8B7E057BF
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E057DB
BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8B7E057EE
X509_get0_notAfter.LIBCRYPTO-3 ref: 00007FF8B7E057F7
ASN1_TIME_print.LIBCRYPTO-3 ref: 00007FF8B7E05803
BIO_gets.LIBCRYPTO-3 ref: 00007FF8B7E05817
PyUnicode_FromStringAndSize.PYTHON313 ref: 00007FF8B7E05836
PyDict_SetItemString.PYTHON313 ref: 00007FF8B7E05855
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E05871
PyDict_SetItemString.PYTHON313 ref: 00007FF8B7E058A4
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E058C0
PyDict_SetItemString.PYTHON313 ref: 00007FF8B7E058F5
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0590B
PyDict_SetItemString.PYTHON313 ref: 00007FF8B7E05948
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0595E
PyDict_SetItemString.PYTHON313 ref: 00007FF8B7E05996
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E059AC
BIO_free.LIBCRYPTO-3 ref: 00007FF8B7E059BD

Strings

notAfter, xrefs: 00007FF8B7E0584B
caIssuers, xrefs: 00007FF8B7E0593E
OCSP, xrefs: 00007FF8B7E058EB
serialNumber, xrefs: 00007FF8B7E0570A
version, xrefs: 00007FF8B7E05600
failed to allocate BIO, xrefs: 00007FF8B7E05647
crlDistributionPoints, xrefs: 00007FF8B7E0598C
issuer, xrefs: 00007FF8B7E055B7
subjectAltName, xrefs: 00007FF8B7E0589A
subject, xrefs: 00007FF8B7E0554B
notBefore, xrefs: 00007FF8B7E057B5

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Dealloc$String$Dict_$Item$List_X509_$From$SizeUnicode_$AppendE_printO_ctrlO_freeO_getsX509_get0_notY_set$AfterBeforeE_entry_countE_get_entryErr_LongLong_O_newO_s_memTupleX509_get_issuer_nameX509_get_subject_nameX509_get_versionY_get_dataY_get_object
String ID: OCSP$caIssuers$crlDistributionPoints$failed to allocate BIO$issuer$notAfter$notBefore$serialNumber$subject$subjectAltName$version
API String ID: 3001048694-857226466
Opcode ID: 7d8b63fe9be73e18170206c76e7653fd3a226d4d373d93a25b0f0e12459162be
Instruction ID: 4d252ac7cd8dc8937fd94320dc46c2fd39c255b40b8598f73dde76fab27db0a5
Opcode Fuzzy Hash: 7d8b63fe9be73e18170206c76e7653fd3a226d4d373d93a25b0f0e12459162be
Instruction Fuzzy Hash: A5D15D35E09B4386FA64AB2DAA5667D23A1AF45FD1F484434CF0E0A7B0EF3DE5548700

Function 00007FF8B7E05CBC Relevance: 98.4, APIs: 43, Strings: 13, Instructions: 364stringCOMMON

Download Yara Rule

APIs

BIO_s_mem.LIBCRYPTO-3 ref: 00007FF8B7E05D02
BIO_new.LIBCRYPTO-3 ref: 00007FF8B7E05D0B
PyErr_SetString.PYTHON313 ref: 00007FF8B7E05D24
X509_get_ext_d2i.LIBCRYPTO-3 ref: 00007FF8B7E05D3E
PyList_New.PYTHON313 ref: 00007FF8B7E05D5B
OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8B7E05D76
OPENSSL_sk_value.LIBCRYPTO-3 ref: 00007FF8B7E05D91
PyErr_WarnFormat.PYTHON313 ref: 00007FF8B7E05DFE
BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8B7E05E1A
GENERAL_NAME_print.LIBCRYPTO-3 ref: 00007FF8B7E05E26
BIO_gets.LIBCRYPTO-3 ref: 00007FF8B7E05E3A
strchr.VCRUNTIME140 ref: 00007FF8B7E05E55
PyTuple_New.PYTHON313 ref: 00007FF8B7E05E6A
PyUnicode_FromStringAndSize.PYTHON313 ref: 00007FF8B7E05E8C
PyUnicode_FromStringAndSize.PYTHON313 ref: 00007FF8B7E05EAA

Strings

Registered ID, xrefs: 00007FF8B7E05ED9
<invalid>, xrefs: 00007FF8B7E06048
<INVALID>, xrefs: 00007FF8B7E05F12
failed to allocate BIO, xrefs: 00007FF8B7E05D1D
DirName, xrefs: 00007FF8B7E06069
Unknown general name type %d, xrefs: 00007FF8B7E05DEE
IP Address, xrefs: 00007FF8B7E05F55
email, xrefs: 00007FF8B7E060CC
DNS, xrefs: 00007FF8B7E060C3
%X:%X:%X:%X:%X:%X:%X:%X, xrefs: 00007FF8B7E06036
%d.%d.%d.%d, xrefs: 00007FF8B7E05F91
Invalid value %.200s, xrefs: 00007FF8B7E061BD
URI, xrefs: 00007FF8B7E060BA

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: String$Err_FromSizeUnicode_$E_printFormatL_sk_numL_sk_valueList_O_ctrlO_getsO_newO_s_memTuple_WarnX509_get_ext_d2istrchr
String ID: %X:%X:%X:%X:%X:%X:%X:%X$%d.%d.%d.%d$<INVALID>$<invalid>$DNS$DirName$IP Address$Invalid value %.200s$Registered ID$URI$Unknown general name type %d$email$failed to allocate BIO
API String ID: 359532264-4109427827
Opcode ID: 3a8733b9f8724a0ad4dac92debb2868cdbdf7ad001dd02e936b03acc83697b27
Instruction ID: 1df2ac7743d618797323d15357657da2aaf5de49a35a3075b4a307432b36b8e6
Opcode Fuzzy Hash: 3a8733b9f8724a0ad4dac92debb2868cdbdf7ad001dd02e936b03acc83697b27
Instruction Fuzzy Hash: 59F17C22A0D78286FA699B29E81A63D67A1FF84FC1F448435DB5E467B0EF3CE554C700

Function 00007FF8A92FBAE0 Relevance: 79.0, APIs: 43, Strings: 2, Instructions: 248COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3(?,?,?,?,?,?,?,00007FF8A92FAD97), ref: 00007FF8A92FBB45
ERR_set_debug.LIBCRYPTO-3(?,?,?,?,?,?,?,00007FF8A92FAD97), ref: 00007FF8A92FBB5D
ERR_set_error.LIBCRYPTO-3(?,?,?,?,?,?,?,00007FF8A92FAD97), ref: 00007FF8A92FBB6C
OPENSSL_sk_num.LIBCRYPTO-3(?,?,?,?,?,?,?,00007FF8A92FAD97), ref: 00007FF8A92FBB8C
OPENSSL_sk_value.LIBCRYPTO-3(?,?,?,?,?,?,?,00007FF8A92FAD97), ref: 00007FF8A92FBB9A
OPENSSL_sk_num.LIBCRYPTO-3(?,?,?,?,?,?,?,00007FF8A92FAD97), ref: 00007FF8A92FBBC6
X509_get_pubkey.LIBCRYPTO-3(?,?,?,?,?,?,?,00007FF8A92FAD97), ref: 00007FF8A92FBBDA
ERR_new.LIBCRYPTO-3(?,?,?,?,?,?,?,00007FF8A92FAD97), ref: 00007FF8A92FBC10
ERR_set_debug.LIBCRYPTO-3(?,?,?,?,?,?,?,00007FF8A92FAD97), ref: 00007FF8A92FBC28
ERR_set_error.LIBCRYPTO-3(?,?,?,?,?,?,?,00007FF8A92FAD97), ref: 00007FF8A92FBC3A
ERR_new.LIBCRYPTO-3(?,?,?,?,?,?,?,00007FF8A92FAD97), ref: 00007FF8A92FBC44
ERR_set_debug.LIBCRYPTO-3(?,?,?,?,?,?,?,00007FF8A92FAD97), ref: 00007FF8A92FBC5C
ERR_set_error.LIBCRYPTO-3(?,?,?,?,?,?,?,00007FF8A92FAD97), ref: 00007FF8A92FBC6C
EVP_PKEY_missing_parameters.LIBCRYPTO-3(?,?,?,?,?,?,?,00007FF8A92FAD97), ref: 00007FF8A92FBC79
EVP_PKEY_missing_parameters.LIBCRYPTO-3(?,?,?,?,?,?,?,00007FF8A92FAD97), ref: 00007FF8A92FBC89
ERR_new.LIBCRYPTO-3(?,?,?,?,?,?,?,00007FF8A92FAD97), ref: 00007FF8A92FBC92
ERR_set_debug.LIBCRYPTO-3(?,?,?,?,?,?,?,00007FF8A92FAD97), ref: 00007FF8A92FBCAA
ERR_set_error.LIBCRYPTO-3(?,?,?,?,?,?,?,00007FF8A92FAD97), ref: 00007FF8A92FBCBC
EVP_PKEY_copy_parameters.LIBCRYPTO-3(?,?,?,?,?,?,?,00007FF8A92FAD97), ref: 00007FF8A92FBCCC
ERR_new.LIBCRYPTO-3(?,?,?,?,?,?,?,00007FF8A92FAD97), ref: 00007FF8A92FBCD9
ERR_set_debug.LIBCRYPTO-3(?,?,?,?,?,?,?,00007FF8A92FAD97), ref: 00007FF8A92FBCF1
ERR_set_error.LIBCRYPTO-3(?,?,?,?,?,?,?,00007FF8A92FAD97), ref: 00007FF8A92FBD03
ERR_new.LIBCRYPTO-3(?,?,?,?,?,?,?,00007FF8A92FAD97), ref: 00007FF8A92FBD6D
ERR_set_debug.LIBCRYPTO-3(?,?,?,?,?,?,?,00007FF8A92FAD97), ref: 00007FF8A92FBD85
ERR_set_error.LIBCRYPTO-3(?,?,?,?,?,?,?,00007FF8A92FAD97), ref: 00007FF8A92FBD97
EVP_PKEY_free.LIBCRYPTO-3(?,?,?,?,?,?,?,00007FF8A92FAD97), ref: 00007FF8A92FBF09

Strings

ssl_set_cert_and_key, xrefs: 00007FF8A92FBB4A, 00007FF8A92FBC15, 00007FF8A92FBC49, 00007FF8A92FBC97, 00007FF8A92FBCDE, 00007FF8A92FBD2A, 00007FF8A92FBD72, 00007FF8A92FBDD6, 00007FF8A92FBE21
..\s\ssl\ssl_rsa.c, xrefs: 00007FF8A92FBB56, 00007FF8A92FBC21, 00007FF8A92FBC55, 00007FF8A92FBCA3, 00007FF8A92FBCEA, 00007FF8A92FBD36, 00007FF8A92FBD7E, 00007FF8A92FBDE2, 00007FF8A92FBE2D

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debugR_set_error$L_sk_numY_missing_parameters$L_sk_valueX509_get_pubkeyY_copy_parametersY_free
String ID: ..\s\ssl\ssl_rsa.c$ssl_set_cert_and_key
API String ID: 1144767644-2212061476
Opcode ID: 98934eb0e37644b695323444fb888ea62c60c2817b7fa0d64fdb826606ac33c7
Instruction ID: b28f176864fadd8d56acb3c3abf750537f084af1d85fcf15a506ec7b2144bac1
Opcode Fuzzy Hash: 98934eb0e37644b695323444fb888ea62c60c2817b7fa0d64fdb826606ac33c7
Instruction Fuzzy Hash: 81B19E61A0EEC2A1FA50AF15E4516BA53A4EFC5BC4F812031DA6EC7BDADE3CF5018701

Function 00007FF8A92D1ACD Relevance: 59.9, APIs: 32, Strings: 2, Instructions: 405COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A934C554
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A934C56C
CRYPTO_zalloc.LIBCRYPTO-3 ref: 00007FF8A934C5D3
ERR_new.LIBCRYPTO-3 ref: 00007FF8A934C5E0
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A934C5F8
ERR_new.LIBCRYPTO-3 ref: 00007FF8A934C666
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A934C67E
ERR_new.LIBCRYPTO-3 ref: 00007FF8A934C6B2
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A934C6CA
ERR_new.LIBCRYPTO-3 ref: 00007FF8A934C791
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A934C7A9
memcpy.VCRUNTIME140 ref: 00007FF8A934C843
memcpy.VCRUNTIME140 ref: 00007FF8A934C874
CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A934CB88
CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A934CB9D

Strings

..\s\ssl\statem\statem_srvr.c, xrefs: 00007FF8A934C565, 00007FF8A934C5C7, 00007FF8A934C5F1, 00007FF8A934C677, 00007FF8A934C6C3, 00007FF8A934C7A2, 00007FF8A934C8E9, 00007FF8A934CA2F, 00007FF8A934CA59, 00007FF8A934CB52, 00007FF8A934CB7B, 00007FF8A934CB93
tls_process_client_hello, xrefs: 00007FF8A934C559, 00007FF8A934C5E5, 00007FF8A934C66B, 00007FF8A934C6BC, 00007FF8A934C796, 00007FF8A934C8E2, 00007FF8A934CA52, 00007FF8A934CB46

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debug$O_freememcpy$O_zalloc
String ID: ..\s\ssl\statem\statem_srvr.c$tls_process_client_hello
API String ID: 2132817427-1456301196
Opcode ID: b7b431a32e8799e04d9617049d5c08355a00ec7b274f06d4906128766a73c47b
Instruction ID: 081a8d447b4c7ef805e098ccc3d1fa91eb6f42b239947ffbf54681c7077fa669
Opcode Fuzzy Hash: b7b431a32e8799e04d9617049d5c08355a00ec7b274f06d4906128766a73c47b
Instruction Fuzzy Hash: ED02D521A0EEC2A1FB249F21D4502BE73B0EB81BC5F45A131DA5E87A96DF3CE495C701

Function 00007FF8A92D1992 Relevance: 58.0, APIs: 31, Strings: 2, Instructions: 255COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A92ED51F
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92ED537
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A92ED549
ERR_new.LIBCRYPTO-3 ref: 00007FF8A92ED577
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92ED58F
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A92ED5A1
ERR_new.LIBCRYPTO-3 ref: 00007FF8A92ED5A6
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92ED5BE
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A92ED5D0
CRYPTO_zalloc.LIBCRYPTO-3 ref: 00007FF8A92ED609
CRYPTO_THREAD_lock_new.LIBCRYPTO-3 ref: 00007FF8A92ED620
ERR_new.LIBCRYPTO-3 ref: 00007FF8A92ED631
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92ED649
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A92ED65B
CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A92ED670
CRYPTO_strdup.LIBCRYPTO-3 ref: 00007FF8A92ED692
OPENSSL_LH_new.LIBCRYPTO-3 ref: 00007FF8A92ED709
X509_STORE_new.LIBCRYPTO-3 ref: 00007FF8A92ED71B
CTLOG_STORE_new_ex.LIBCRYPTO-3 ref: 00007FF8A92ED733
OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8A92ED7C7
X509_VERIFY_PARAM_new.LIBCRYPTO-3 ref: 00007FF8A92ED7D4
OPENSSL_sk_new_null.LIBCRYPTO-3 ref: 00007FF8A92ED817
OPENSSL_sk_new_null.LIBCRYPTO-3 ref: 00007FF8A92ED82C
CRYPTO_new_ex_data.LIBCRYPTO-3 ref: 00007FF8A92ED850
CRYPTO_secure_zalloc.LIBCRYPTO-3 ref: 00007FF8A92ED86F
RAND_bytes_ex.LIBCRYPTO-3 ref: 00007FF8A92ED8C6
RAND_priv_bytes_ex.LIBCRYPTO-3 ref: 00007FF8A92ED8E2
RAND_priv_bytes_ex.LIBCRYPTO-3 ref: 00007FF8A92ED902
RAND_priv_bytes_ex.LIBCRYPTO-3 ref: 00007FF8A92ED929
ERR_new.LIBCRYPTO-3 ref: 00007FF8A92ED987
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92ED99F

Strings

SSL_CTX_new_ex, xrefs: 00007FF8A92ED524, 00007FF8A92ED57C, 00007FF8A92ED5AB, 00007FF8A92ED636, 00007FF8A92ED98C
..\s\ssl\ssl_lib.c, xrefs: 00007FF8A92ED530, 00007FF8A92ED588, 00007FF8A92ED5B7, 00007FF8A92ED5FD, 00007FF8A92ED642, 00007FF8A92ED666, 00007FF8A92ED688, 00007FF8A92ED863, 00007FF8A92ED998

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debug$R_set_error$D_priv_bytes_ex$L_sk_new_nullX509_$D_bytes_exD_lock_newE_newE_new_exH_newL_sk_numM_newO_freeO_new_ex_dataO_secure_zallocO_strdupO_zalloc
String ID: ..\s\ssl\ssl_lib.c$SSL_CTX_new_ex
API String ID: 864562269-27091654
Opcode ID: 622b0d34e4c643188c55506cc675c59f830dab8c57d129825d48ecde5a8aaa8c
Instruction ID: 57677546c8c045bb767fd488d18cc118c9dd46a1d5fe35473831f105912d07cb
Opcode Fuzzy Hash: 622b0d34e4c643188c55506cc675c59f830dab8c57d129825d48ecde5a8aaa8c
Instruction Fuzzy Hash: 2CB16261A0EBC261FB55AF2594517F926E5EF85BC8F441035DE6C8A7CAEF3CE4048710

Function 00007FF8B7E0BF74 Relevance: 56.2, APIs: 29, Strings: 3, Instructions: 219threadCOMMON

Download Yara Rule

APIs

_PyObject_GC_New.PYTHON313(?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0C012
ERR_clear_error.LIBCRYPTO-3(?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0C055
PyEval_SaveThread.PYTHON313(?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0C05B
SSL_new.LIBSSL-3(?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0C067
PyEval_RestoreThread.PYTHON313(?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0C074
_Py_Dealloc.PYTHON313(?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0C091
SSL_set_session_id_context.LIBSSL-3(?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0C0C1
SSL_get0_param.LIBSSL-3(?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0C0CB
X509_VERIFY_PARAM_set_hostflags.LIBCRYPTO-3(?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0C0D8
SSL_set_ex_data.LIBSSL-3(?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0C0E7
SSL_set_fd.LIBSSL-3(?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0C0FA
BIO_up_ref.LIBCRYPTO-3(?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0C10E
BIO_up_ref.LIBCRYPTO-3(?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0C120
SSL_set_bio.LIBSSL-3(?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0C132
SSL_ctrl.LIBSSL-3(?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0C14C
SSL_get_verify_mode.LIBSSL-3(?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0C160
SSL_set_verify.LIBSSL-3(?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0C177
SSL_set_post_handshake_auth.LIBSSL-3(?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0C181
SSL_get_rbio.LIBSSL-3(?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0C1AE
BIO_ctrl.LIBCRYPTO-3(?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0C1C3
SSL_get_wbio.LIBSSL-3(?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0C1CD
BIO_ctrl.LIBCRYPTO-3(?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0C1DE
PyEval_SaveThread.PYTHON313(?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0C1E4
SSL_set_connect_state.LIBSSL-3(?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0C1F5
SSL_set_accept_state.LIBSSL-3(?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0C1FD
PyEval_RestoreThread.PYTHON313(?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0C206
PyWeakref_NewRef.PYTHON313(?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0C219
_Py_Dealloc.PYTHON313(?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0C267
PyObject_GC_Track.PYTHON313(?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0C29E

Strings

Python, xrefs: 00007FF8B7E0C0BA
Cannot create a client socket with a PROTOCOL_TLS_SERVER context, xrefs: 00007FF8B7E0C001
Cannot create a server socket with a PROTOCOL_TLS_CLIENT context, xrefs: 00007FF8B7E0BFBC

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Eval_Thread$DeallocO_ctrlO_up_refObject_RestoreSave$L_ctrlL_get0_paramL_get_rbioL_get_verify_modeL_get_wbioL_newL_set_accept_stateL_set_bioL_set_connect_stateL_set_ex_dataL_set_fdL_set_post_handshake_authL_set_session_id_contextL_set_verifyM_set_hostflagsR_clear_errorTrackWeakref_X509_
String ID: Cannot create a client socket with a PROTOCOL_TLS_SERVER context$Cannot create a server socket with a PROTOCOL_TLS_CLIENT context$Python
API String ID: 2682668916-1888807747
Opcode ID: cd1b8ea646ef9afa8d9b55c550e8d37b12c63986d5a7a861df86a7bcf2bbbd8b
Instruction ID: 4238a061624542988e3bb21a29383712b5b77285debaf5515a33fe65b3242479
Opcode Fuzzy Hash: cd1b8ea646ef9afa8d9b55c550e8d37b12c63986d5a7a861df86a7bcf2bbbd8b
Instruction Fuzzy Hash: 23A12836A08B4286EA64AF6AA84657E73A1FF85FC4B144536CB4E43BB0DF3CE4558700

Function 00007FF8A92E7A60 Relevance: 51.6, APIs: 25, Strings: 4, Instructions: 878COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A92E5880: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A92E58B8
Part of subcall function 00007FF8A92E5880: ERR_new.LIBCRYPTO-3 ref: 00007FF8A92E5984
Part of subcall function 00007FF8A92E5880: ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92E599C
Part of subcall function 00007FF8A92E5880: ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A92E59AE

CRYPTO_malloc.LIBCRYPTO-3 ref: 00007FF8A92E7B47
ERR_new.LIBCRYPTO-3 ref: 00007FF8A92E7B59
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92E7B71
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A92E7B83

Strings

DEFAULT, xrefs: 00007FF8A92E843C
ssl_create_cipher_list, xrefs: 00007FF8A92E7B5E, 00007FF8A92E834D
..\s\ssl\ssl_ciph.c, xrefs: 00007FF8A92E7B3C, 00007FF8A92E7B6A, 00007FF8A92E80DE, 00007FF8A92E8310, 00007FF8A92E8339, 00007FF8A92E8359, 00007FF8A92E84D9, 00007FF8A92E84F3, 00007FF8A92E851C, 00007FF8A92E85D4, 00007FF8A92E8641
ALL:!COMPLEMENTOFDEFAULT:!eNULL, xrefs: 00007FF8A92E848E

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debugR_set_error$O_mallocstrncmp
String ID: ..\s\ssl\ssl_ciph.c$ALL:!COMPLEMENTOFDEFAULT:!eNULL$DEFAULT$ssl_create_cipher_list
API String ID: 3221604530-3764566645
Opcode ID: 2c8612b8f3e81b87dc4b7a10abd650f3f1b62cbe164aa049c20ddaaee241ab4e
Instruction ID: 62a226216c52c322446bf6694237cbbe30fda41319150a3a95b4ee56d7b79c85
Opcode Fuzzy Hash: 2c8612b8f3e81b87dc4b7a10abd650f3f1b62cbe164aa049c20ddaaee241ab4e
Instruction Fuzzy Hash: C4826D72A0EB8691EE58CF49E4806793BA4FB44BC4F644435DA6D8B798EF3DD941C340

Function 00007FF8A92D1AD7 Relevance: 44.1, APIs: 23, Strings: 2, Instructions: 341COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A9313F97
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9313FAF
ERR_new.LIBCRYPTO-3 ref: 00007FF8A9314003
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A931401B

Strings

..\s\ssl\record\rec_layer_d1.c, xrefs: 00007FF8A9313FA8, 00007FF8A9314014, 00007FF8A9314096, 00007FF8A9314160, 00007FF8A93141F8, 00007FF8A9314283, 00007FF8A9314329, 00007FF8A931439E
do_dtls1_write, xrefs: 00007FF8A9313F9C, 00007FF8A9314008, 00007FF8A931408A, 00007FF8A9314154, 00007FF8A93141EC, 00007FF8A9314277, 00007FF8A931431D, 00007FF8A9314392

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debug
String ID: ..\s\ssl\record\rec_layer_d1.c$do_dtls1_write
API String ID: 193678381-4025505965
Opcode ID: 93d405ad9e0d97f1643dc7107726b8fa344818bac274d992b6a1291d315b9429
Instruction ID: 08f308e21a10f8151f3036a3c7c1068a12c870bea2c39a2ff7a6c71324fbb466
Opcode Fuzzy Hash: 93d405ad9e0d97f1643dc7107726b8fa344818bac274d992b6a1291d315b9429
Instruction Fuzzy Hash: 44F17C21B0EEC2A5EB149F65E8507AE23B0EB847C8F245136DE5D97B99EF3CE4058700

Function 00007FF8A9319A60 Relevance: 44.0, APIs: 23, Strings: 2, Instructions: 254COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A9319ACD
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9319AE5
EVP_MD_CTX_get0_md.LIBCRYPTO-3 ref: 00007FF8A9319B1B
EVP_MD_get_size.LIBCRYPTO-3 ref: 00007FF8A9319B28
ERR_new.LIBCRYPTO-3 ref: 00007FF8A9319B32
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9319B4A

Strings

dtls1_process_record, xrefs: 00007FF8A9319AD2, 00007FF8A9319B37, 00007FF8A9319B9F, 00007FF8A9319C7A, 00007FF8A9319D60, 00007FF8A9319DA7, 00007FF8A9319E07
..\s\ssl\record\ssl3_record.c, xrefs: 00007FF8A9319ADE, 00007FF8A9319B43, 00007FF8A9319BAB, 00007FF8A9319C86, 00007FF8A9319D6C, 00007FF8A9319DB3, 00007FF8A9319E13, 00007FF8A9319E5E

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debug$D_get_sizeX_get0_md
String ID: ..\s\ssl\record\ssl3_record.c$dtls1_process_record
API String ID: 1548276727-2476007939
Opcode ID: 1ac2ab208d615dadeea81b34699c31ff200896186322b9a966a1b22f8ea5ee1e
Instruction ID: 89c2f164baa3f219b674e20439a1b4d51f1506ce70c219c5c650f2bb17e2dec1
Opcode Fuzzy Hash: 1ac2ab208d615dadeea81b34699c31ff200896186322b9a966a1b22f8ea5ee1e
Instruction Fuzzy Hash: DFB1A321A0EEC2A1FB54AF11E8407BA62B4EF85BC4F546031DA5EC7A95EF3CE4518710

Function 00007FF8A92D1A23 Relevance: 43.9, APIs: 23, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

BN_dup.LIBCRYPTO-3 ref: 00007FF8A93132B6
BN_dup.LIBCRYPTO-3 ref: 00007FF8A93132D7
BN_dup.LIBCRYPTO-3 ref: 00007FF8A93132F8
BN_dup.LIBCRYPTO-3 ref: 00007FF8A9313319
BN_dup.LIBCRYPTO-3 ref: 00007FF8A9313336
BN_dup.LIBCRYPTO-3 ref: 00007FF8A9313353
BN_dup.LIBCRYPTO-3 ref: 00007FF8A9313370
BN_dup.LIBCRYPTO-3 ref: 00007FF8A931338D
CRYPTO_strdup.LIBCRYPTO-3 ref: 00007FF8A93133CA
CRYPTO_strdup.LIBCRYPTO-3 ref: 00007FF8A9313409
ERR_new.LIBCRYPTO-3 ref: 00007FF8A9313428
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A931343D
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A931344C
CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A9313461
CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A931347A
BN_free.LIBCRYPTO-3 ref: 00007FF8A9313486
BN_free.LIBCRYPTO-3 ref: 00007FF8A9313492
BN_free.LIBCRYPTO-3 ref: 00007FF8A931349E
BN_free.LIBCRYPTO-3 ref: 00007FF8A93134AA
BN_free.LIBCRYPTO-3 ref: 00007FF8A93134B6
BN_free.LIBCRYPTO-3 ref: 00007FF8A93134C2
BN_free.LIBCRYPTO-3 ref: 00007FF8A93134CE
BN_free.LIBCRYPTO-3 ref: 00007FF8A93134DA

Strings

..\s\ssl\tls_srp.c, xrefs: 00007FF8A93133C3, 00007FF8A9313402, 00007FF8A9313436, 00007FF8A9313454, 00007FF8A931346D
ssl_srp_ctx_init_intern, xrefs: 00007FF8A931342D

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: N_dupN_free$O_freeO_strdup$R_newR_set_debugR_set_error
String ID: ..\s\ssl\tls_srp.c$ssl_srp_ctx_init_intern
API String ID: 2354240759-1794268454
Opcode ID: 7c6f5f71629c738828d3fb28ae6d14af1525a41dda9b56dd32a690e7e5b3c519
Instruction ID: 81cd737ba35c34b874542a1e718f2d6241412975a62b6309424970991c9f703b
Opcode Fuzzy Hash: 7c6f5f71629c738828d3fb28ae6d14af1525a41dda9b56dd32a690e7e5b3c519
Instruction Fuzzy Hash: 33916322A1FFC291FB85DF25D4503B833B0EF85B88F186635DA5D8B656EF28E5918310

Function 00007FF8A92D1AB4 Relevance: 42.3, APIs: 21, Strings: 3, Instructions: 290COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A9336C83
CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A9336CAA
CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A9336DDB
ERR_new.LIBCRYPTO-3 ref: 00007FF8A9336DF0
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9336E08
CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A9336EC8
CRYPTO_memdup.LIBCRYPTO-3 ref: 00007FF8A9336EF3
ERR_new.LIBCRYPTO-3 ref: 00007FF8A9336F90
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9336FA8
ERR_new.LIBCRYPTO-3 ref: 00007FF8A9336FBD
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9336FD5
ERR_new.LIBCRYPTO-3 ref: 00007FF8A9336FF6
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A933700E

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A9336C76, 00007FF8A9336C8F, 00007FF8A9336DCE, 00007FF8A9336E01, 00007FF8A9336E21, 00007FF8A9336E49, 00007FF8A9336FA1, 00007FF8A9336FCE, 00007FF8A9337007, 00007FF8A93370A9
D:\a\1\s\include\internal/packet.h, xrefs: 00007FF8A9336EB7, 00007FF8A9336EE6
tls_process_certificate_request, xrefs: 00007FF8A9336DF5, 00007FF8A9336E3D, 00007FF8A9336F95, 00007FF8A9336FC2, 00007FF8A9336FFB, 00007FF8A93370A2

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: O_freeR_newR_set_debug$O_memdup
String ID: ..\s\ssl\statem\statem_clnt.c$D:\a\1\s\include\internal/packet.h$tls_process_certificate_request
API String ID: 1088637640-3868612116
Opcode ID: a64704fb852c6d695dd9b290c85d08fc80d0e91c457f77e87556fae9689ea5c8
Instruction ID: c7fd2a3c4ff976dfa0f9403b0522152ea56e95c41736bb62589474a6d4946a4d
Opcode Fuzzy Hash: a64704fb852c6d695dd9b290c85d08fc80d0e91c457f77e87556fae9689ea5c8
Instruction Fuzzy Hash: 3DD19021A0EEC2A5FB109F61D9416BE73B4EB447C8F446139DE9D97A9ADF3CE1818700

Function 00007FF8A92D1A05 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 283COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A92E0ABD
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92E0AD5
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A92E0AE7
ASN1_item_free.LIBCRYPTO-3 ref: 00007FF8A92E0AF6
ERR_new.LIBCRYPTO-3 ref: 00007FF8A92E0B42
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92E0B5A
ERR_new.LIBCRYPTO-3 ref: 00007FF8A92E0B83
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92E0B9B
memcpy.VCRUNTIME140 ref: 00007FF8A92E0C05
memcpy.VCRUNTIME140 ref: 00007FF8A92E0C3F
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8A92E0C5B
X509_free.LIBCRYPTO-3 ref: 00007FF8A92E0C8E
memcpy.VCRUNTIME140 ref: 00007FF8A92E0CC9
CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A92E0D57
ERR_new.LIBCRYPTO-3 ref: 00007FF8A92E0D9D
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92E0DB5

Part of subcall function 00007FF8A92E1620: CRYPTO_free.LIBCRYPTO-3(00000000,00007FF8A92E0CF6), ref: 00007FF8A92E164E
Part of subcall function 00007FF8A92E1620: CRYPTO_strndup.LIBCRYPTO-3(00000000,00007FF8A92E0CF6), ref: 00007FF8A92E1671

CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A92E0E20
CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A92E0E89
ASN1_item_free.LIBCRYPTO-3 ref: 00007FF8A92E0EDB

Strings

d2i_SSL_SESSION, xrefs: 00007FF8A92E0AC2, 00007FF8A92E0B47, 00007FF8A92E0B88, 00007FF8A92E0DA2
..\s\ssl\ssl_asn1.c, xrefs: 00007FF8A92E0ACE, 00007FF8A92E0B53, 00007FF8A92E0B94, 00007FF8A92E0D34, 00007FF8A92E0DAE, 00007FF8A92E0DFA, 00007FF8A92E0E6F

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: O_freeR_newR_set_debug$memcpy$N1_item_free$O_strndupR_set_errorX509_free_time64
String ID: ..\s\ssl\ssl_asn1.c$d2i_SSL_SESSION
API String ID: 1562032665-384499812
Opcode ID: 2a5271567f02ba352d921ff3c4e2fac1e9ecca7785b90009fd4beffc7ef3d7b0
Instruction ID: f23b0a9202cc2991d8efdf23b5b0a81fdb77a112d341d2e78be9064c5bfad680
Opcode Fuzzy Hash: 2a5271567f02ba352d921ff3c4e2fac1e9ecca7785b90009fd4beffc7ef3d7b0
Instruction Fuzzy Hash: CAD13B22A0EBC6A6EB54DF29D4902B937A4FB44BC4F485035DE6C87799EF38E452C710

Function 00007FF8A92FFAF0 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 187COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-3 ref: 00007FF8A92FFB2A
CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A92FFC47
ERR_new.LIBCRYPTO-3 ref: 00007FF8A92FFC4F
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92FFC67
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A92FFC79
X509_chain_up_ref.LIBCRYPTO-3 ref: 00007FF8A92FFCEE
CRYPTO_strdup.LIBCRYPTO-3 ref: 00007FF8A92FFD1C
CRYPTO_strdup.LIBCRYPTO-3 ref: 00007FF8A92FFD4A
CRYPTO_dup_ex_data.LIBCRYPTO-3 ref: 00007FF8A92FFD72
CRYPTO_strdup.LIBCRYPTO-3 ref: 00007FF8A92FFD98
CRYPTO_memdup.LIBCRYPTO-3 ref: 00007FF8A92FFDD1
CRYPTO_memdup.LIBCRYPTO-3 ref: 00007FF8A92FFE16
CRYPTO_strdup.LIBCRYPTO-3 ref: 00007FF8A92FFE44
CRYPTO_memdup.LIBCRYPTO-3 ref: 00007FF8A92FFE79

Strings

..\s\ssl\ssl_sess.c, xrefs: 00007FF8A92FFB18, 00007FF8A92FFC3D, 00007FF8A92FFC60, 00007FF8A92FFD15, 00007FF8A92FFD43, 00007FF8A92FFD91, 00007FF8A92FFDC4, 00007FF8A92FFE09, 00007FF8A92FFE3D, 00007FF8A92FFE6C
ssl_session_dup_intern, xrefs: 00007FF8A92FFC54

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: O_strdup$O_memdup$O_dup_ex_dataO_freeO_mallocR_newR_set_debugR_set_errorX509_chain_up_ref
String ID: ..\s\ssl\ssl_sess.c$ssl_session_dup_intern
API String ID: 1631399982-154141013
Opcode ID: 8a303802a0fc650ef06993281d63928a70111a9dd821ad9ab4b6e11d0104b360
Instruction ID: 6091dd55d7b2eb831e1e1d9619f84e621a50afc31121eadd21c03c49f17f4ffa
Opcode Fuzzy Hash: 8a303802a0fc650ef06993281d63928a70111a9dd821ad9ab4b6e11d0104b360
Instruction Fuzzy Hash: 46914C21A0EFD2A2FB59DF2495503F823A8FF84B84F085235DE5C9765ADF78A1A0D310

Function 00007FF8A9333A60 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3(00000000,?,?,?,?,00007FF8A9335A09), ref: 00007FF8A9333A9A
ERR_set_debug.LIBCRYPTO-3(00000000,?,?,?,?,00007FF8A9335A09), ref: 00007FF8A9333AB2
ERR_new.LIBCRYPTO-3(00000000,?,?,?,?,00007FF8A9335A09), ref: 00007FF8A9333AE2
ERR_set_debug.LIBCRYPTO-3(00000000,?,?,?,?,00007FF8A9335A09), ref: 00007FF8A9333AFA
CRYPTO_free.LIBCRYPTO-3(00000000,?,?,?,?,00007FF8A9335A09), ref: 00007FF8A9333C6B
EVP_PKEY_free.LIBCRYPTO-3(00000000,?,?,?,?,00007FF8A9335A09), ref: 00007FF8A9333C73

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A9333AAB, 00007FF8A9333AF3, 00007FF8A9333B59, 00007FF8A9333BD1, 00007FF8A9333C2F, 00007FF8A9333C5E
tls_construct_cke_dhe, xrefs: 00007FF8A9333A9F, 00007FF8A9333AE7, 00007FF8A9333B4D, 00007FF8A9333BC5, 00007FF8A9333C23

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debug$O_freeY_free
String ID: ..\s\ssl\statem\statem_clnt.c$tls_construct_cke_dhe
API String ID: 110670684-1216912219
Opcode ID: 051a1a924492b256090ff66b2498ad79ffae82c91303c0472653ceeb5e53cd98
Instruction ID: 919fa8f91e09787d8b3a26469cfb0f187413111a1175a9dca8dd35499a5b3c29
Opcode Fuzzy Hash: 051a1a924492b256090ff66b2498ad79ffae82c91303c0472653ceeb5e53cd98
Instruction Fuzzy Hash: D7519310B0EAC265FA14AF62A8517BA62A1DF84BD4F886035DD1DCBF86CF6CE5018700

Function 00007FF8A92DF910 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A92DF947
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92DF95F
EVP_PKEY_CTX_new_from_pkey.LIBCRYPTO-3 ref: 00007FF8A92DF997
CRYPTO_malloc.LIBCRYPTO-3 ref: 00007FF8A92DF9FB
CRYPTO_malloc.LIBCRYPTO-3 ref: 00007FF8A92DFA15
EVP_PKEY_encapsulate.LIBCRYPTO-3 ref: 00007FF8A92DFA43
ERR_new.LIBCRYPTO-3 ref: 00007FF8A92DFA4C
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92DFAE3
CRYPTO_clear_free.LIBCRYPTO-3 ref: 00007FF8A92DFB13
CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A92DFB28
EVP_PKEY_CTX_free.LIBCRYPTO-3 ref: 00007FF8A92DFB30

Strings

..\s\ssl\s3_lib.c, xrefs: 00007FF8A92DF958, 00007FF8A92DF9F4, 00007FF8A92DFA05, 00007FF8A92DFAB7, 00007FF8A92DFADC, 00007FF8A92DFB03, 00007FF8A92DFB1E
ssl_encapsulate, xrefs: 00007FF8A92DF94C, 00007FF8A92DFAAB, 00007FF8A92DFAD5

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: O_mallocR_newR_set_debug$O_clear_freeO_freeX_freeX_new_from_pkeyY_encapsulate
String ID: ..\s\ssl\s3_lib.c$ssl_encapsulate
API String ID: 1298386825-1554727935
Opcode ID: 7d2137366df9b5140c0c2d70a7ebbf3c49d39393288f3d13ca3b1ef975fbb658
Instruction ID: d7d772315cc7a4348cca55eb136505a2c68058ce4c2abb0f723c2ed1c220bb43
Opcode Fuzzy Hash: 7d2137366df9b5140c0c2d70a7ebbf3c49d39393288f3d13ca3b1ef975fbb658
Instruction Fuzzy Hash: DC51B021A1FED265FA10AF66A4406EA63A5EF84BC0F456032ED5DC7B9ADF3CE5018700

Function 00007FF8A92D1A41 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 154COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A9349A7C
CRYPTO_memdup.LIBCRYPTO-3 ref: 00007FF8A9349A98
ERR_new.LIBCRYPTO-3 ref: 00007FF8A9349AB0
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9349AC8
memcmp.VCRUNTIME140 ref: 00007FF8A9349B2A
ERR_new.LIBCRYPTO-3 ref: 00007FF8A9349B54
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9349B6C
ERR_new.LIBCRYPTO-3 ref: 00007FF8A9349C25
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9349C3D

Strings

..\s\ssl\statem\statem_srvr.c, xrefs: 00007FF8A9349A6F, 00007FF8A9349A86, 00007FF8A9349AC1, 00007FF8A9349B65, 00007FF8A9349B9C, 00007FF8A9349BE0, 00007FF8A9349C36
tls_handle_alpn, xrefs: 00007FF8A9349AB5, 00007FF8A9349B59, 00007FF8A9349BD4, 00007FF8A9349C2A

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debug$O_freeO_memdupmemcmp
String ID: ..\s\ssl\statem\statem_srvr.c$tls_handle_alpn
API String ID: 2318126703-2192547331
Opcode ID: 2a335f9234a6a000b262a3c3bb46780e569f3e331573d87d36c018808ba2a67c
Instruction ID: c299b25d00f964f362ef7fcdc5f57803dc8310fd0db163214fca4dd75941a2b8
Opcode Fuzzy Hash: 2a335f9234a6a000b262a3c3bb46780e569f3e331573d87d36c018808ba2a67c
Instruction Fuzzy Hash: 4B61AF61B0EAC2A1E750DF26E4406EE63A4EBC4BC4F495031DE5D8BB99CF7CE5818B00

Function 00007FF8A92D1997 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A92DF433
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92DF44B
EVP_PKEY_CTX_new_from_pkey.LIBCRYPTO-3 ref: 00007FF8A92DF483
CRYPTO_malloc.LIBCRYPTO-3 ref: 00007FF8A92DF4CE
ERR_new.LIBCRYPTO-3 ref: 00007FF8A92DF4DB
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92DF4F3
CRYPTO_clear_free.LIBCRYPTO-3 ref: 00007FF8A92DF5AA
EVP_PKEY_CTX_free.LIBCRYPTO-3 ref: 00007FF8A92DF5B2

Strings

..\s\ssl\s3_lib.c, xrefs: 00007FF8A92DF444, 00007FF8A92DF4C1, 00007FF8A92DF4EC, 00007FF8A92DF573, 00007FF8A92DF59A
ssl_decapsulate, xrefs: 00007FF8A92DF438, 00007FF8A92DF4E0, 00007FF8A92DF56C

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debug$O_clear_freeO_mallocX_freeX_new_from_pkey
String ID: ..\s\ssl\s3_lib.c$ssl_decapsulate
API String ID: 263585440-1707435976
Opcode ID: 9ce7302257901976aa7854ea5b6161d8efc4ce6e190b8a2d94d7fd7d9f8e50e3
Instruction ID: ba8a3f2f25cf6a17b6dbd7e3f5f063604459e9d5cb68bcd797acfaf23137524b
Opcode Fuzzy Hash: 9ce7302257901976aa7854ea5b6161d8efc4ce6e190b8a2d94d7fd7d9f8e50e3
Instruction Fuzzy Hash: 34419321A1FAD2A5FA10EF52A4002FA63A5EFC8BD4F455032ED5DC7B9ADE7CE1018740

Function 00007FF8A92D19DD Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

BN_copy.LIBCRYPTO-3 ref: 00007FF8A9312189
BN_free.LIBCRYPTO-3 ref: 00007FF8A931219A
BN_dup.LIBCRYPTO-3 ref: 00007FF8A93121AB
BN_copy.LIBCRYPTO-3 ref: 00007FF8A93121CB
BN_free.LIBCRYPTO-3 ref: 00007FF8A93121DC
BN_dup.LIBCRYPTO-3 ref: 00007FF8A93121ED
BN_copy.LIBCRYPTO-3 ref: 00007FF8A931220D
BN_free.LIBCRYPTO-3 ref: 00007FF8A931221E
BN_dup.LIBCRYPTO-3 ref: 00007FF8A931222F
BN_copy.LIBCRYPTO-3 ref: 00007FF8A9312257
BN_free.LIBCRYPTO-3 ref: 00007FF8A9312268
CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A93122A5
CRYPTO_strdup.LIBCRYPTO-3 ref: 00007FF8A93122BA

Strings

..\s\ssl\tls_srp.c, xrefs: 00007FF8A931229E, 00007FF8A93122B0

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: N_copyN_free$N_dup$O_freeO_strdup
String ID: ..\s\ssl\tls_srp.c
API String ID: 3070725730-1778748169
Opcode ID: 5de455a0e33419aeed79645b2a849e8fb5092a76a7a5c4db12254346f5210564
Instruction ID: 27f52fddcc6e74e07d9894b8380e449fa85dc596fb9dd23a0db772dea7221e3f
Opcode Fuzzy Hash: 5de455a0e33419aeed79645b2a849e8fb5092a76a7a5c4db12254346f5210564
Instruction Fuzzy Hash: 53410121A0FEC394FF949F55945077C22B0EF45BC4F299534DE6D8BB99EF28A4128310

Function 00007FF8A934B900 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

BN_bin2bn.LIBCRYPTO-3(?,00007FF8A934CE55), ref: 00007FF8A934B95B
ERR_new.LIBCRYPTO-3(?,00007FF8A934CE55), ref: 00007FF8A934B96C
ERR_set_debug.LIBCRYPTO-3(?,00007FF8A934CE55), ref: 00007FF8A934B984
CRYPTO_free.LIBCRYPTO-3(?,00007FF8A934CE55), ref: 00007FF8A934B9ED
CRYPTO_strdup.LIBCRYPTO-3(?,00007FF8A934CE55), ref: 00007FF8A934BA06
ERR_new.LIBCRYPTO-3 ref: 00007FF8A934BA2A
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A934BA42
ERR_new.LIBCRYPTO-3(?,00007FF8A934CE55), ref: 00007FF8A934BAB7
ERR_set_debug.LIBCRYPTO-3(?,00007FF8A934CE55), ref: 00007FF8A934BACF

Strings

..\s\ssl\statem\statem_srvr.c, xrefs: 00007FF8A934B97D, 00007FF8A934B9D9, 00007FF8A934B9F9, 00007FF8A934BA3B, 00007FF8A934BA8D, 00007FF8A934BAC8
tls_process_cke_srp, xrefs: 00007FF8A934B971, 00007FF8A934BA2F, 00007FF8A934BA81, 00007FF8A934BABC

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debug$N_bin2bnO_freeO_strdup
String ID: ..\s\ssl\statem\statem_srvr.c$tls_process_cke_srp
API String ID: 1764459405-322974352
Opcode ID: 9ab32a434e7391ccea9ebfada2f1f20869112ecd896d8b90ffad2ffc498b8485
Instruction ID: 50f9f2e68209ed11f51757372eaa1b69da68ef6c6f7b137e652c23fc55a78d5c
Opcode Fuzzy Hash: 9ab32a434e7391ccea9ebfada2f1f20869112ecd896d8b90ffad2ffc498b8485
Instruction Fuzzy Hash: DE415C21B1EDC361FB44AF21D8517AA12A0EBC5BC5F486031D92DCBA96DE6DE591C700

Function 00007FF8B7E053DC Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8B7E02358: OBJ_obj2txt.LIBCRYPTO-3 ref: 00007FF8B7E0239D
Part of subcall function 00007FF8B7E02358: PyUnicode_FromStringAndSize.PYTHON313 ref: 00007FF8B7E023C3

ASN1_STRING_type.LIBCRYPTO-3(?,?,?,?,?,?,00000000,00007FF8B7E052B1), ref: 00007FF8B7E05420
ASN1_STRING_length.LIBCRYPTO-3(?,?,?,?,?,?,00000000,00007FF8B7E052B1), ref: 00007FF8B7E0542E
ASN1_STRING_get0_data.LIBCRYPTO-3(?,?,?,?,?,?,00000000,00007FF8B7E052B1), ref: 00007FF8B7E0543A
Py_BuildValue.PYTHON313(?,?,?,?,?,?,00000000,00007FF8B7E052B1), ref: 00007FF8B7E05450

Part of subcall function 00007FF8B7E06750: ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B7E06768
Part of subcall function 00007FF8B7E06750: ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B7E06791

Strings

D:\a\1\s\Modules\_ssl.c, xrefs: 00007FF8B7E054BE
Ns#, xrefs: 00007FF8B7E054A9
Ny#, xrefs: 00007FF8B7E05443

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: BuildFromG_get0_dataG_lengthG_typeJ_obj2txtR_clear_errorR_peek_last_errorSizeStringUnicode_Value
String ID: D:\a\1\s\Modules\_ssl.c$Ns#$Ny#
API String ID: 3688187681-3706530764
Opcode ID: a56e385dd9f82a97b731b3bd318fa4146ccdbce11f56f854f3cbde2209290979
Instruction ID: 8a17a78a39096267346e65dbbe488621121264477d7d382b366e9f7098d44d99
Opcode Fuzzy Hash: a56e385dd9f82a97b731b3bd318fa4146ccdbce11f56f854f3cbde2209290979
Instruction Fuzzy Hash: AE219C61A1CB5282FB509B2AA9466BE6760EF8AFC5F144430DF4E47B75EF3CE1458700

Function 00007FF8A9321970 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A93219B2
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A93219CA
EVP_PKEY_get1_encoded_public_key.LIBCRYPTO-3 ref: 00007FF8A9321A11
CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A9321A79
ERR_new.LIBCRYPTO-3 ref: 00007FF8A9321A8F
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9321AA4
EVP_PKEY_free.LIBCRYPTO-3 ref: 00007FF8A9321AC9
CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A9321AE0

Strings

add_key_share, xrefs: 00007FF8A93219B7, 00007FF8A9321A94
..\s\ssl\statem\extensions_clnt.c, xrefs: 00007FF8A93219C3, 00007FF8A9321A5E, 00007FF8A9321A9D, 00007FF8A9321AD3

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: O_freeR_newR_set_debug$Y_freeY_get1_encoded_public_key
String ID: ..\s\ssl\statem\extensions_clnt.c$add_key_share
API String ID: 2306805868-2958431780
Opcode ID: da24bfb5fa59cae7ffda60028d3178918f422636c4ee76efd49326eebfb744eb
Instruction ID: 48694e6ac73117e0a2fabe5df7e2492efce4201d8b93c21b6192f3f0ab635ab1
Opcode Fuzzy Hash: da24bfb5fa59cae7ffda60028d3178918f422636c4ee76efd49326eebfb744eb
Instruction Fuzzy Hash: E941C511B0EEC261FB50AF92E9513BA62B1EF857C4F542031EF4C87B96DE6DE8408740

Function 00007FF8A9312A50 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

SRP_Calc_u_ex.LIBCRYPTO-3 ref: 00007FF8A9312AB4
BN_num_bits.LIBCRYPTO-3 ref: 00007FF8A9312B07
CRYPTO_malloc.LIBCRYPTO-3 ref: 00007FF8A9312B2B
ERR_new.LIBCRYPTO-3 ref: 00007FF8A9312B38
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9312B50
BN_bn2bin.LIBCRYPTO-3 ref: 00007FF8A9312B73
BN_clear_free.LIBCRYPTO-3 ref: 00007FF8A9312B9B
BN_clear_free.LIBCRYPTO-3 ref: 00007FF8A9312BA3

Strings

..\s\ssl\tls_srp.c, xrefs: 00007FF8A9312B1B, 00007FF8A9312B49
srp_generate_server_master_secret, xrefs: 00007FF8A9312B3D

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: N_clear_free$Calc_u_exN_bn2binN_num_bitsO_mallocR_newR_set_debug
String ID: ..\s\ssl\tls_srp.c$srp_generate_server_master_secret
API String ID: 862114558-912242517
Opcode ID: 795a624da099210b56418885e2e806aaeb84cb24bb5429d457c9923ad55d150b
Instruction ID: d7c6d055c8d84bf07b7cebde3c7ec0c70d3dc5275809e7db1711318dc46af381
Opcode Fuzzy Hash: 795a624da099210b56418885e2e806aaeb84cb24bb5429d457c9923ad55d150b
Instruction Fuzzy Hash: EE31616670EEC651EA00AF56E8506F967E0EF89BC4F085031EE5C8BB5ADE3CE1418710

Function 00007FF8A9313A00 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A9313A55
CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A9313A6B
OPENSSL_cleanse.LIBCRYPTO-3 ref: 00007FF8A9313ABB
CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A9313AD0
CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A9313AE6
OPENSSL_cleanse.LIBCRYPTO-3 ref: 00007FF8A9313B3B
CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A9313B50
CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A9313B66

Strings

..\s\ssl\record\rec_layer_d1.c, xrefs: 00007FF8A9313A44, 00007FF8A9313A5E, 00007FF8A9313AC3, 00007FF8A9313AD9, 00007FF8A9313B43, 00007FF8A9313B59

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: O_free$L_cleanse
String ID: ..\s\ssl\record\rec_layer_d1.c
API String ID: 927910673-1306860146
Opcode ID: 4383a2249bd7614ca78130ba3bad93e9d6dfd43318451966ae0dd51a2436c3ca
Instruction ID: b4d315be920717228a9b62a67a4bd738b975db88f3ee5562be9eda39d74fbe76
Opcode Fuzzy Hash: 4383a2249bd7614ca78130ba3bad93e9d6dfd43318451966ae0dd51a2436c3ca
Instruction Fuzzy Hash: AB513C62A1EE8691EB14DF12D49027923B0FF85BC4F05A136EE5D87B5AEF68E491C700

Function 00007FF8B7E0339C Relevance: 13.6, APIs: 9, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF8B7E033B8
memset.VCRUNTIME140 ref: 00007FF8B7E033DC
RtlCaptureContext.KERNEL32 ref: 00007FF8B7E033E5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF8B7E033FF
RtlVirtualUnwind.KERNEL32 ref: 00007FF8B7E03440
memset.VCRUNTIME140 ref: 00007FF8B7E03473
IsDebuggerPresent.KERNEL32 ref: 00007FF8B7E03494
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8B7E034B1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF8B7E034BC

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 8e86fcbda8d44a87da12ad3cbe0ff2274eff02410a8037cee209cf92a2e866f6
Instruction ID: c87f7660943b759951fd93476330da2e89e5f432a8ef484db354f34f4107cba0
Opcode Fuzzy Hash: 8e86fcbda8d44a87da12ad3cbe0ff2274eff02410a8037cee209cf92a2e866f6
Instruction Fuzzy Hash: 0C314172609B818AEB649F64E8813EE7365FB84B88F44443ADB4E47BA4DF3CD548C714

Function 00007FF8A92D1A32 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 70COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A9325356
CRYPTO_memdup.LIBCRYPTO-3 ref: 00007FF8A9325382
ERR_new.LIBCRYPTO-3 ref: 00007FF8A93253AF
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A93253C7

Strings

tls_parse_stoc_cookie, xrefs: 00007FF8A93253B4
D:\a\1\s\include\internal/packet.h, xrefs: 00007FF8A932534F, 00007FF8A9325376
..\s\ssl\statem\extensions_clnt.c, xrefs: 00007FF8A93253C0

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: O_freeO_memdupR_newR_set_debug
String ID: ..\s\ssl\statem\extensions_clnt.c$D:\a\1\s\include\internal/packet.h$tls_parse_stoc_cookie
API String ID: 1971062095-124488715
Opcode ID: 52c73c297d9d6a4d5e17c24b51cb1ce1a62e7b45e7fc54423cfa7144330e541b
Instruction ID: ad59c92021c34eacb445b30c54bf7828c3bc7851dcbe7bda35838e21cf1270ea
Opcode Fuzzy Hash: 52c73c297d9d6a4d5e17c24b51cb1ce1a62e7b45e7fc54423cfa7144330e541b
Instruction Fuzzy Hash: 1E21C226B1EAD152E3109F25E4406A963B0FB987C4F546131EB9C87B46DF3CE2A18700

Function 00007FF8A92D195B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

CRYPTO_zalloc.LIBCRYPTO-3 ref: 00007FF8A93052DD
EVP_MAC_free.LIBCRYPTO-3 ref: 00007FF8A9305352
EVP_MAC_CTX_free.LIBCRYPTO-3 ref: 00007FF8A930536D
CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A930538A

Strings

HMAC, xrefs: 00007FF8A9305328
..\s\ssl\t1_lib.c, xrefs: 00007FF8A93052CB, 00007FF8A9305380

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: C_freeO_freeO_zallocX_free
String ID: ..\s\ssl\t1_lib.c$HMAC
API String ID: 1369405219-2203423191
Opcode ID: 81ac6af754cf77adbd25268fc059c1f4ebb7788d745235d90e99908567356036
Instruction ID: b5b42d80c6091dda20165cf5b452cc63743559c4f781291bf15e8c21252a93dd
Opcode Fuzzy Hash: 81ac6af754cf77adbd25268fc059c1f4ebb7788d745235d90e99908567356036
Instruction Fuzzy Hash: B0216021B0FE8291EE959F57B45027953F0EF84BC0F886075EA5D8BB9ADE6CF4418700

Function 00007FF8A92E4990 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

i2d_X509_NAME.LIBCRYPTO-3 ref: 00007FF8A92E49B7
i2d_X509_NAME.LIBCRYPTO-3 ref: 00007FF8A92E49C7
memcmp.VCRUNTIME140 ref: 00007FF8A92E49EC
CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A92E4A0A
CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A92E4A21

Strings

..\s\ssl\ssl_cert.c, xrefs: 00007FF8A92E4A00, 00007FF8A92E4A14

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: O_freeX509_i2d_$memcmp
String ID: ..\s\ssl\ssl_cert.c
API String ID: 1487052844-349359282
Opcode ID: 777fb18747a5d81ff922ad4c58779e9ac14b1738b0b77e584ed02f53f2ca7fed
Instruction ID: d9a11da5522760941988d3b69aca2f1a3022fd430186c002ee5036cab775df95
Opcode Fuzzy Hash: 777fb18747a5d81ff922ad4c58779e9ac14b1738b0b77e584ed02f53f2ca7fed
Instruction Fuzzy Hash: C4016522B0EB8265E610AE1EF48017967B1EBC97D0F556131EA6DC7B8EEE2DE5404700

Function 00007FF8A92D193D Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-3 ref: 00007FF8A92D957B
ERR_new.LIBCRYPTO-3 ref: 00007FF8A92D9588
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92D95A0
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A92D95B2

Strings

pitem_new, xrefs: 00007FF8A92D958D
..\s\ssl\pqueue.c, xrefs: 00007FF8A92D9569, 00007FF8A92D9599

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: O_mallocR_newR_set_debugR_set_error
String ID: ..\s\ssl\pqueue.c$pitem_new
API String ID: 2261483606-3588450676
Opcode ID: 3e880f8622c50a99ec68c39aedf3f2896abaa20cf65353c1bfdbd45affacc16b
Instruction ID: dfa3ff4dc445c1949d457d9c26e1c16527988a18ee535d027758639f68564966
Opcode Fuzzy Hash: 3e880f8622c50a99ec68c39aedf3f2896abaa20cf65353c1bfdbd45affacc16b
Instruction Fuzzy Hash: E4018431B1EF82A5F7809F15E5417A962B0EF887C0F546035EA2C87B96EE3CE5448700

Function 00007FF8A931D980 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 200COMMON

Download Yara Rule

APIs

RAND_bytes_ex.LIBCRYPTO-3 ref: 00007FF8A931DA66
CRYPTO_malloc.LIBCRYPTO-3 ref: 00007FF8A931DA89
memset.VCRUNTIME140 ref: 00007FF8A931DAE5

Strings

..\s\ssl\record\tls_pad.c, xrefs: 00007FF8A931DA7F

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: D_bytes_exO_mallocmemset
String ID: ..\s\ssl\record\tls_pad.c
API String ID: 2022753641-3631836059
Opcode ID: bee2ca5132f0abcde2d93b103c21c669f3071435ccd71b5b61a032687e18a4e7
Instruction ID: 845c1eeec8c8ebf34a34382a9b25cecc27109579399dfe44df926e2b658bbd46
Opcode Fuzzy Hash: bee2ca5132f0abcde2d93b103c21c669f3071435ccd71b5b61a032687e18a4e7
Instruction Fuzzy Hash: 8C61D07271DAC956EE21CF21A4207AAA7A1F749BC4F14A231DE9D87B44EE3CD145C700

Function 00007FF8A933BA20 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A933B660: CRYPTO_zalloc.LIBCRYPTO-3(?,00007FF8A933A9B8), ref: 00007FF8A933B69F
Part of subcall function 00007FF8A933B660: ERR_new.LIBCRYPTO-3(?,00007FF8A933A9B8), ref: 00007FF8A933B6AC
Part of subcall function 00007FF8A933B660: ERR_set_debug.LIBCRYPTO-3(?,00007FF8A933A9B8), ref: 00007FF8A933B6C4
Part of subcall function 00007FF8A933B660: ERR_set_error.LIBCRYPTO-3(?,00007FF8A933A9B8), ref: 00007FF8A933B6D6

CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A933BBE0
CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A933BBF6
CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A933BC0B

Strings

..\s\ssl\statem\statem_dtls.c, xrefs: 00007FF8A933BBD3, 00007FF8A933BBE9, 00007FF8A933BC01

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: O_free$O_zallocR_newR_set_debugR_set_error
String ID: ..\s\ssl\statem\statem_dtls.c
API String ID: 346603204-3140652063
Opcode ID: e2615d0847c72925f0dc9f39c763b0486645c8fba0a4e5933755259c36e69854
Instruction ID: 2a1ea883c1998ac2f1b55f82cdcb4c6aaea678acbfc100a0c21822b198210350
Opcode Fuzzy Hash: e2615d0847c72925f0dc9f39c763b0486645c8fba0a4e5933755259c36e69854
Instruction Fuzzy Hash: BE619222A0EEC592EB649F25D5402BA67B4FB987C4F446139EF8D87B95DF3CE4908700

Function 00007FF8B7E05124 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

i2d_X509.LIBCRYPTO-3 ref: 00007FF8B7E0513E
PyBytes_FromStringAndSize.PYTHON313 ref: 00007FF8B7E05169
CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8B7E05184

Part of subcall function 00007FF8B7E06750: ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B7E06768
Part of subcall function 00007FF8B7E06750: ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B7E06791

Strings

D:\a\1\s\Modules\_ssl.c, xrefs: 00007FF8B7E05174

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Bytes_FromO_freeR_clear_errorR_peek_last_errorSizeStringX509i2d_
String ID: D:\a\1\s\Modules\_ssl.c
API String ID: 2720122973-132925792
Opcode ID: f1e69d5c19cc20e746984a5d3394ec3816bd3301c3b061f6880d99771543e6a1
Instruction ID: 2e6d9c493be4136e420a32186da76c47c51442619ece9c5d6b6504199a4123e3
Opcode Fuzzy Hash: f1e69d5c19cc20e746984a5d3394ec3816bd3301c3b061f6880d99771543e6a1
Instruction Fuzzy Hash: 82F04955B18B4286EF109B6AE80A32EA361AF88FD1F040435DE4E46B74EFBCE0448B00

Function 00007FF8A93289F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A9328A27
CRYPTO_memdup.LIBCRYPTO-3 ref: 00007FF8A9328A50

Strings

D:\a\1\s\include\internal/packet.h, xrefs: 00007FF8A9328A17, 00007FF8A9328A40

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: O_freeO_memdup
String ID: D:\a\1\s\include\internal/packet.h
API String ID: 3962629258-2521442236
Opcode ID: b37658dcad52b1436dcc0843c4ff8bfc36452bfe40221a3fec933389c799bde5
Instruction ID: a4f07d3d09d64ae927608c442d8084f655393ae9b99c7a60a6f466409ae88076
Opcode Fuzzy Hash: b37658dcad52b1436dcc0843c4ff8bfc36452bfe40221a3fec933389c799bde5
Instruction Fuzzy Hash: 0801EC32B0AFD295EB509F12E8806A967B4EB58BC0F48A431EF9C87B59DF3CD5518700

Function 00007FF8A92D19E7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A9313CA5

Strings

..\s\ssl\record\rec_layer_d1.c, xrefs: 00007FF8A9313C98

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: O_free
String ID: ..\s\ssl\record\rec_layer_d1.c
API String ID: 2581946324-1306860146
Opcode ID: b29387d7c69eb3cda638c6fce15cdc54d4ed91163fdddcda8e9f9013755f4221
Instruction ID: 0262063440915c26e8327c0507ff2e61d13fe3a5d68e2d6e47640aebdd63dbcf
Opcode Fuzzy Hash: b29387d7c69eb3cda638c6fce15cdc54d4ed91163fdddcda8e9f9013755f4221
Instruction Fuzzy Hash: 9DF0F456A0EA8250FBE0AF16D4513B86328EFC4BC9F541031DE1D8B69ADE69D483D710

Function 00007FF8A92E4930 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

CRYPTO_get_ex_new_index.LIBCRYPTO-3 ref: 00007FF8A92E495A

Strings

SSL for verify callback, xrefs: 00007FF8A92E493F

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: O_get_ex_new_index
String ID: SSL for verify callback
API String ID: 3987194240-2900698531
Opcode ID: 998d0b3d89f92af84c439d3d6d1f282b82ea7a3ae54b8f9e838ebb840228e167
Instruction ID: 989b6a8cd767b2cb112aefa2d5d142bdbf6846ecd74e2ad08cbb5ead51d824b8
Opcode Fuzzy Hash: 998d0b3d89f92af84c439d3d6d1f282b82ea7a3ae54b8f9e838ebb840228e167
Instruction Fuzzy Hash: AAE01235E0EAC29AE3509FA4A8416A536F5FB88384F419135E68CC3A51DE3C91118A40

Function 00007FF8A931E920 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-3 ref: 00007FF8A931E946

Strings

..\s\ssl\statem\extensions.c, xrefs: 00007FF8A931E932

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: O_free
String ID: ..\s\ssl\statem\extensions.c
API String ID: 2581946324-1165805907
Opcode ID: a61c9ce346b74f3a0deff5805a9348d450189386ed9d9072d823e30e35c2c8a0
Instruction ID: 90e4467eab5c94e12014f421f1aeb333b2954595dd14e33fa6f52fcbfa3c7d1c
Opcode Fuzzy Hash: a61c9ce346b74f3a0deff5805a9348d450189386ed9d9072d823e30e35c2c8a0
Instruction Fuzzy Hash: 2AE012A2B0AA809EE7855B65D8413D422A8FB48784F841031EE5CC6746EF58D2518710

Function 00007FF8A92D1A15 Relevance: 3.1, APIs: 2, Instructions: 70COMMON

Download Yara Rule

APIs

CRYPTO_THREAD_write_lock.LIBCRYPTO-3 ref: 00007FF8A92FE321
CRYPTO_THREAD_unlock.LIBCRYPTO-3 ref: 00007FF8A92FE38B

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: D_unlockD_write_lock
String ID:
API String ID: 1724170673-0
Opcode ID: 0b1c1edd4f2cdb6487a9e73ea1f050de2ec91a98e7960cfaee5f7467fb9553a1
Instruction ID: 12b55eb893eb8ded81aaa1611c00b369052a1bcf9453e4abb9d50a6a74126e6c
Opcode Fuzzy Hash: 0b1c1edd4f2cdb6487a9e73ea1f050de2ec91a98e7960cfaee5f7467fb9553a1
Instruction Fuzzy Hash: 9E21A77271A6C182EF49CF29E65827D6295EF48BE4F188235EE3E8B7DDDE68C4514300

Function 00007FF8A92D1AC3 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

CRYPTO_THREAD_read_lock.LIBCRYPTO-3 ref: 00007FF8A92FE489
CRYPTO_THREAD_unlock.LIBCRYPTO-3 ref: 00007FF8A92FE4B9

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: D_read_lockD_unlock
String ID:
API String ID: 102331797-0
Opcode ID: 5e7f9065c7574be89edb2e45999f33991c44a3a35ae18b08861fcc82c9ae1c5a
Instruction ID: 9c901f9e0d11144c5e76283187c482f6870601d63021db7175429aa1b59ea684
Opcode Fuzzy Hash: 5e7f9065c7574be89edb2e45999f33991c44a3a35ae18b08861fcc82c9ae1c5a
Instruction Fuzzy Hash: D5F01221B1E5C291FB555E6AE9416BC52B0EB847C4F481031EE2DC768ADE68E4E24604

Function 00007FF8A92D198D Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

CRYPTO_THREAD_write_lock.LIBCRYPTO-3 ref: 00007FF8A92EE460
CRYPTO_THREAD_unlock.LIBCRYPTO-3 ref: 00007FF8A92EE482

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: D_unlockD_write_lock
String ID:
API String ID: 1724170673-0
Opcode ID: 83ed847967be068255eef3c865b8ab197e0ec3332e5960d83272749631eeb163
Instruction ID: 4005050808938abf7b3bd64e2eba2010b5ebe3b1c4154dc6a0917b784a94acd1
Opcode Fuzzy Hash: 83ed847967be068255eef3c865b8ab197e0ec3332e5960d83272749631eeb163
Instruction Fuzzy Hash: 46E0E522F0D6C152FB449F15F4812BD2264EF88BC8F480030FE5CC7B9EEE18D9914201

Function 00007FF8B7E07ACC Relevance: 75.5, APIs: 33, Strings: 10, Instructions: 218threadCOMMON

Download Yara Rule

APIs

PyType_GetModuleByDef.PYTHON313(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07AF4
PyErr_SetString.PYTHON313(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07B16
TLS_server_method.LIBSSL-3(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07B6D
TLS_client_method.LIBSSL-3(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07B78
PyErr_WarnEx.PYTHON313(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07B97
TLSv1_2_method.LIBSSL-3(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07BA6
PyErr_WarnEx.PYTHON313(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07BC2
TLSv1_1_method.LIBSSL-3(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07BD1
PyErr_WarnEx.PYTHON313(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07BED
TLSv1_method.LIBSSL-3(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07BFC
PyErr_WarnEx.PYTHON313(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07C18
TLS_method.LIBSSL-3(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07C27
PyErr_Format.PYTHON313(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07C49
PyEval_SaveThread.PYTHON313(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07C54
SSL_CTX_new.LIBSSL-3(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07C60
PyEval_RestoreThread.PYTHON313(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07C6C
PyModule_GetState.PYTHON313(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07C7A
SSL_CTX_free.LIBSSL-3(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07CB1
PyModule_GetState.PYTHON313(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07CE1
_Py_Dealloc.PYTHON313(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07D25
SSL_CTX_set_options.LIBSSL-3(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07D4C
SSL_CTX_set_cipher_list.LIBSSL-3(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07D67
ERR_clear_error.LIBCRYPTO-3(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07D71
PyErr_SetString.PYTHON313(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07D86
SSL_CTX_ctrl.LIBSSL-3(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07DAF
PyErr_Format.PYTHON313(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07DCD
_Py_Dealloc.PYTHON313(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07DE1
ERR_clear_error.LIBCRYPTO-3(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07DE7
SSL_CTX_ctrl.LIBSSL-3(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07E01
SSL_CTX_get0_param.LIBSSL-3(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07E0B
X509_VERIFY_PARAM_set_flags.LIBCRYPTO-3(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07E1C
X509_VERIFY_PARAM_set_hostflags.LIBCRYPTO-3(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07E28
SSL_CTX_set_post_handshake_auth.LIBSSL-3(?,?,?,?,00000000,00007FF8B7E070DB), ref: 00007FF8B7E07E38

Strings

ssl.PROTOCOL_TLSv1_1 is deprecated, xrefs: 00007FF8B7E07BB5
ssl.PROTOCOL_TLS is deprecated, xrefs: 00007FF8B7E07C0B
No cipher can be selected., xrefs: 00007FF8B7E07D7B
@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM, xrefs: 00007FF8B7E07D52
ssl.PROTOCOL_TLSv1 is deprecated, xrefs: 00007FF8B7E07BE0
Failed to set minimum protocol 0x%x, xrefs: 00007FF8B7E07DC0
invalid or unsupported protocol version %i, xrefs: 00007FF8B7E07C3C
ssl.PROTOCOL_TLSv1_2 is deprecated, xrefs: 00007FF8B7E07B8A
HIGH:!aNULL:!eNULL, xrefs: 00007FF8B7E07D60
Cannot find internal module state, xrefs: 00007FF8B7E07B0C

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Err_$Warn$DeallocEval_FormatModule_R_clear_errorStateStringThreadX509_X_ctrl$M_set_flagsM_set_hostflagsModuleRestoreS_client_methodS_methodS_server_methodSaveSv1_1_methodSv1_2_methodSv1_methodType_X_freeX_get0_paramX_newX_set_cipher_listX_set_optionsX_set_post_handshake_auth
String ID: @SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM$Cannot find internal module state$Failed to set minimum protocol 0x%x$HIGH:!aNULL:!eNULL$No cipher can be selected.$invalid or unsupported protocol version %i$ssl.PROTOCOL_TLS is deprecated$ssl.PROTOCOL_TLSv1 is deprecated$ssl.PROTOCOL_TLSv1_1 is deprecated$ssl.PROTOCOL_TLSv1_2 is deprecated
API String ID: 2858978057-3426422906
Opcode ID: 48bebc18205c76d80cab5c4d01de1e3ce84cc258928a9eb230b2610426a1f973
Instruction ID: c5ff266b352769564f96df6d257320a6365bba58c49dfe24704ece65209a49ea
Opcode Fuzzy Hash: 48bebc18205c76d80cab5c4d01de1e3ce84cc258928a9eb230b2610426a1f973
Instruction Fuzzy Hash: 77A15B31A08B4286EA54AB2DE99A13D27A1FF99FD4F544934CB1E176B0DF3CE455C700

Function 00007FF8A92E1A90 Relevance: 73.7, APIs: 37, Strings: 5, Instructions: 213COMMON

Download Yara Rule

APIs

BIO_snprintf.LIBCRYPTO-3 ref: 00007FF8A92E1B90
_stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF8A92E1BA1
OPENSSL_sk_set_cmp_func.LIBCRYPTO-3 ref: 00007FF8A92E1BDB
BIO_s_file.LIBCRYPTO-3 ref: 00007FF8A92E1BE3
BIO_new.LIBCRYPTO-3 ref: 00007FF8A92E1BEB
BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8A92E1C0F
PEM_read_bio_X509.LIBCRYPTO-3 ref: 00007FF8A92E1C2A
X509_get_subject_name.LIBCRYPTO-3 ref: 00007FF8A92E1C39
X509_NAME_dup.LIBCRYPTO-3 ref: 00007FF8A92E1C4A
OPENSSL_sk_find.LIBCRYPTO-3 ref: 00007FF8A92E1C61
X509_NAME_free.LIBCRYPTO-3 ref: 00007FF8A92E1C6D
OPENSSL_sk_push.LIBCRYPTO-3 ref: 00007FF8A92E1C7A
PEM_read_bio_X509.LIBCRYPTO-3 ref: 00007FF8A92E1C95
ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8A92E1C9F
BIO_free.LIBCRYPTO-3 ref: 00007FF8A92E1CA7
X509_free.LIBCRYPTO-3 ref: 00007FF8A92E1CB1
OPENSSL_sk_set_cmp_func.LIBCRYPTO-3 ref: 00007FF8A92E1CBC
OPENSSL_DIR_read.LIBCRYPTO-3 ref: 00007FF8A92E1CC9
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8A92E1CDA
ERR_new.LIBCRYPTO-3 ref: 00007FF8A92E1CE9
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92E1D01
GetLastError.KERNEL32 ref: 00007FF8A92E1D06
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A92E1D1D
ERR_new.LIBCRYPTO-3 ref: 00007FF8A92E1D22
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92E1D3A
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A92E1D4C
X509_NAME_free.LIBCRYPTO-3 ref: 00007FF8A92E1D59
ERR_new.LIBCRYPTO-3 ref: 00007FF8A92E1D60
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92E1D78
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A92E1D8A
BIO_free.LIBCRYPTO-3 ref: 00007FF8A92E1D92
X509_free.LIBCRYPTO-3 ref: 00007FF8A92E1D9C
OPENSSL_sk_set_cmp_func.LIBCRYPTO-3 ref: 00007FF8A92E1DA7
ERR_new.LIBCRYPTO-3 ref: 00007FF8A92E1DAE
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92E1DC6
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A92E1DD8
OPENSSL_DIR_end.LIBCRYPTO-3 ref: 00007FF8A92E1E2A

Strings

SSL_add_file_cert_subjects_to_stack, xrefs: 00007FF8A92E1D65
..\s\ssl\ssl_cert.c, xrefs: 00007FF8A92E1CFA, 00007FF8A92E1D33, 00007FF8A92E1D71, 00007FF8A92E1DBF
SSL_add_dir_cert_subjects_to_stack, xrefs: 00007FF8A92E1CEE, 00007FF8A92E1D27, 00007FF8A92E1DB3
calling OPENSSL_dir_read(%s), xrefs: 00007FF8A92E1D0F
%s/%s, xrefs: 00007FF8A92E1B81

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debugR_set_error$L_sk_set_cmp_funcX509_$E_freeM_read_bio_O_freeX509X509_free$E_dupErrorL_sk_findL_sk_pushLastO_ctrlO_newO_s_fileO_snprintfR_clear_errorR_endR_readX509_get_subject_name_errno_stat64i32
String ID: %s/%s$..\s\ssl\ssl_cert.c$SSL_add_dir_cert_subjects_to_stack$SSL_add_file_cert_subjects_to_stack$calling OPENSSL_dir_read(%s)
API String ID: 2506108043-502574948
Opcode ID: d4e3a77e20bd1a79bd70731d866ea0baa18f260b811f859075847240d3c7ddc1
Instruction ID: 120a33e5ff4d4671e24c34fa3dec76b07251e6beca2bde362978d451b600e536
Opcode Fuzzy Hash: d4e3a77e20bd1a79bd70731d866ea0baa18f260b811f859075847240d3c7ddc1
Instruction Fuzzy Hash: 3091B461E0EAC265FA50AF15A4913BE26A1EFC57C4F452035EA5EC7B9AEF3CF5018700

Function 00007FF8B7E07F2C Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 206threadCOMMON

Download Yara Rule

APIs

SSL_CTX_get_default_passwd_cb.LIBSSL-3 ref: 00007FF8B7E07F5E
SSL_CTX_get_default_passwd_cb_userdata.LIBSSL-3 ref: 00007FF8B7E07F6B
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B7E07F84
ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B7E07F8D
PyUnicode_FSConverter.PYTHON313 ref: 00007FF8B7E07FA5
PyErr_ExceptionMatches.PYTHON313 ref: 00007FF8B7E07FB9
PyErr_SetString.PYTHON313 ref: 00007FF8B7E07FD4

Part of subcall function 00007FF8B7E06374: PyUnicode_AsUTF8String.PYTHON313(?,?,?,00007FF8B7E062E0), ref: 00007FF8B7E063A4
Part of subcall function 00007FF8B7E06374: PyErr_Format.PYTHON313(?,?,?,00007FF8B7E062E0), ref: 00007FF8B7E06419
Part of subcall function 00007FF8B7E06374: _Py_Dealloc.PYTHON313(?,?,?,00007FF8B7E062E0), ref: 00007FF8B7E06467

Part of subcall function 00007FF8B7E06750: ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B7E06768
Part of subcall function 00007FF8B7E06750: ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B7E06791

PyUnicode_FSConverter.PYTHON313 ref: 00007FF8B7E07FED
PyErr_ExceptionMatches.PYTHON313 ref: 00007FF8B7E08001
PyErr_SetString.PYTHON313 ref: 00007FF8B7E08020
PyCallable_Check.PYTHON313 ref: 00007FF8B7E08037
SSL_CTX_set_default_passwd_cb.LIBSSL-3 ref: 00007FF8B7E0806D
SSL_CTX_set_default_passwd_cb_userdata.LIBSSL-3 ref: 00007FF8B7E0807B
PyEval_SaveThread.PYTHON313 ref: 00007FF8B7E08081
SSL_CTX_use_certificate_chain_file.LIBSSL-3 ref: 00007FF8B7E08097
PyEval_RestoreThread.PYTHON313 ref: 00007FF8B7E080A3
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B7E080B8
PyErr_SetFromErrno.PYTHON313 ref: 00007FF8B7E080CD
ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B7E080D3
SSL_CTX_set_default_passwd_cb.LIBSSL-3(?,?,?,?,?,?,00007FF8A8E161F0,?,00007FF8A8E161F0,00007FF8B7E07F0E), ref: 00007FF8B7E081C0
SSL_CTX_set_default_passwd_cb_userdata.LIBSSL-3(?,?,?,?,?,?,00007FF8A8E161F0,?,00007FF8A8E161F0,00007FF8B7E07F0E), ref: 00007FF8B7E081CD
PyMem_Free.PYTHON313(?,?,?,?,?,?,00007FF8A8E161F0,?,00007FF8A8E161F0,00007FF8B7E07F0E), ref: 00007FF8B7E081D7
_Py_Dealloc.PYTHON313(?,?,?,?,?,?,00007FF8A8E161F0,?,00007FF8A8E161F0,00007FF8B7E07F0E), ref: 00007FF8B7E081F1
_Py_Dealloc.PYTHON313(?,?,?,?,?,?,00007FF8A8E161F0,?,00007FF8A8E161F0,00007FF8B7E07F0E), ref: 00007FF8B7E08217
SSL_CTX_set_default_passwd_cb.LIBSSL-3 ref: 00007FF8B7E08229
SSL_CTX_set_default_passwd_cb_userdata.LIBSSL-3 ref: 00007FF8B7E08236
PyMem_Free.PYTHON313 ref: 00007FF8B7E08240

Strings

certfile should be a valid filesystem path, xrefs: 00007FF8B7E07FCA
password should be a string or callable, xrefs: 00007FF8B7E08047
keyfile should be a valid filesystem path, xrefs: 00007FF8B7E08016

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Err_$DeallocR_clear_errorStringUnicode_X_set_default_passwd_cbX_set_default_passwd_cb_userdata$ConverterEval_ExceptionFreeMatchesMem_Thread_errno$Callable_CheckErrnoFormatFromR_peek_last_errorRestoreSaveX_get_default_passwd_cbX_get_default_passwd_cb_userdataX_use_certificate_chain_file
String ID: certfile should be a valid filesystem path$keyfile should be a valid filesystem path$password should be a string or callable
API String ID: 1360066414-998072137
Opcode ID: d7c8620c3b1db992069c4994a0da7375102a158a8bd939964995283b44567453
Instruction ID: 97e778c9c4be851852abca50752e5761f74e9c4602beab905f0d66bcf0d577fb
Opcode Fuzzy Hash: d7c8620c3b1db992069c4994a0da7375102a158a8bd939964995283b44567453
Instruction Fuzzy Hash: 13A1F226A09B42CAFB54AB69E85617D23A0FF88FD9B044431DB4E57A74CF3DE495C310

Function 00007FF8B7E02410 Relevance: 64.9, APIs: 18, Strings: 19, Instructions: 124COMMON

Download Yara Rule

APIs

PyModule_GetState.PYTHON313 ref: 00007FF8B7E02422
PyType_FromSpecWithBases.PYTHON313 ref: 00007FF8B7E0243C
PyModule_AddObjectRef.PYTHON313 ref: 00007FF8B7E0245C
PyTuple_Pack.PYTHON313 ref: 00007FF8B7E0247D
PyErr_NewExceptionWithDoc.PYTHON313 ref: 00007FF8B7E024A3
PyModule_AddObjectRef.PYTHON313 ref: 00007FF8B7E024BA
PyErr_NewExceptionWithDoc.PYTHON313 ref: 00007FF8B7E024EC
PyModule_AddObjectRef.PYTHON313 ref: 00007FF8B7E02503
PyErr_NewExceptionWithDoc.PYTHON313 ref: 00007FF8B7E02526
PyModule_AddObjectRef.PYTHON313 ref: 00007FF8B7E0253D
PyErr_NewExceptionWithDoc.PYTHON313 ref: 00007FF8B7E02560
PyModule_AddObjectRef.PYTHON313 ref: 00007FF8B7E02577
PyErr_NewExceptionWithDoc.PYTHON313 ref: 00007FF8B7E02596
PyModule_AddObjectRef.PYTHON313 ref: 00007FF8B7E025AD
PyErr_NewExceptionWithDoc.PYTHON313 ref: 00007FF8B7E025CC
PyModule_AddObjectRef.PYTHON313 ref: 00007FF8B7E025E3
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E03C5B
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E03C7D

Strings

ssl.SSLCertVerificationError, xrefs: 00007FF8B7E0249C
ssl.SSLWantWriteError, xrefs: 00007FF8B7E0251F
ssl.SSLWantReadError, xrefs: 00007FF8B7E02559
SSLSyscallError, xrefs: 00007FF8B7E0259C
Non-blocking SSL socket needs to write more databefore the requested operation can be completed., xrefs: 00007FF8B7E02515
System error when attempting SSL operation., xrefs: 00007FF8B7E02585
ssl.SSLSyscallError, xrefs: 00007FF8B7E0258F
ssl.SSLEOFError, xrefs: 00007FF8B7E025C5
SSLWantWriteError, xrefs: 00007FF8B7E0252C
A certificate could not be verified., xrefs: 00007FF8B7E02492
Non-blocking SSL socket needs to read more databefore the requested operation can be completed., xrefs: 00007FF8B7E0254F
SSL/TLS session closed cleanly., xrefs: 00007FF8B7E024DB
SSLWantReadError, xrefs: 00007FF8B7E02566
ssl.SSLZeroReturnError, xrefs: 00007FF8B7E024E5
SSLEOFError, xrefs: 00007FF8B7E025D2
SSLZeroReturnError, xrefs: 00007FF8B7E024F2
SSL/TLS connection terminated abruptly., xrefs: 00007FF8B7E025BB
SSLError, xrefs: 00007FF8B7E02452
SSLCertVerificationError, xrefs: 00007FF8B7E024A9

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Module_$ObjectWith$Err_Exception$Dealloc$BasesFromPackSpecStateTuple_Type_
String ID: A certificate could not be verified.$Non-blocking SSL socket needs to read more databefore the requested operation can be completed.$Non-blocking SSL socket needs to write more databefore the requested operation can be completed.$SSL/TLS connection terminated abruptly.$SSL/TLS session closed cleanly.$SSLCertVerificationError$SSLEOFError$SSLError$SSLSyscallError$SSLWantReadError$SSLWantWriteError$SSLZeroReturnError$System error when attempting SSL operation.$ssl.SSLCertVerificationError$ssl.SSLEOFError$ssl.SSLSyscallError$ssl.SSLWantReadError$ssl.SSLWantWriteError$ssl.SSLZeroReturnError
API String ID: 2091157252-1330971811
Opcode ID: 85c8ea0a4b1603a364a6c51d8a05ef5ffe5e52dbd55a1fbedf1c68b2a8ea180a
Instruction ID: 67302e3f4a0f30c5ae2015b18d208865aaed7377e61e8d37fcf7953c7bde8d80
Opcode Fuzzy Hash: 85c8ea0a4b1603a364a6c51d8a05ef5ffe5e52dbd55a1fbedf1c68b2a8ea180a
Instruction Fuzzy Hash: 9D510871A09B8385EB50AF2DE8565AC27A5BF09FC4F405036CB0D6AA78EF2CE159C300

Function 00007FF8B7E0B97C Relevance: 63.3, APIs: 29, Strings: 7, Instructions: 251COMMON

Download Yara Rule

APIs

Py_BuildValue.PYTHON313(?,00000000,?,?,00000000,00000000,00000000,00007FF8B7E06791), ref: 00007FF8B7E0B9EA
PyDict_GetItemWithError.PYTHON313(?,00000000,?,?,00000000,00000000,00000000,00007FF8B7E06791), ref: 00007FF8B7E0BA03
_Py_Dealloc.PYTHON313(?,00000000,?,?,00000000,00000000,00000000,00007FF8B7E06791), ref: 00007FF8B7E0BA19
PyErr_Occurred.PYTHON313(?,00000000,?,?,00000000,00000000,00000000,00007FF8B7E06791), ref: 00007FF8B7E0BA24
PyLong_FromLong.PYTHON313(?,00000000,?,?,00000000,00000000,00000000,00007FF8B7E06791), ref: 00007FF8B7E0BA35
PyDict_GetItemWithError.PYTHON313(?,00000000,?,?,00000000,00000000,00000000,00007FF8B7E06791), ref: 00007FF8B7E0BA4E
_Py_Dealloc.PYTHON313(?,00000000,?,?,00000000,00000000,00000000,00007FF8B7E06791), ref: 00007FF8B7E0BA64
PyErr_Occurred.PYTHON313(?,00000000,?,?,00000000,00000000,00000000,00007FF8B7E06791), ref: 00007FF8B7E0BA6F
ERR_reason_error_string.LIBCRYPTO-3(?,00000000,?,?,00000000,00000000,00000000,00007FF8B7E06791), ref: 00007FF8B7E0BA8E
SSL_get_verify_result.LIBSSL-3(?,00000000,?,?,00000000,00000000,00000000,00007FF8B7E06791), ref: 00007FF8B7E0BAD3
PyLong_FromLong.PYTHON313(?,00000000,?,?,00000000,00000000,00000000,00007FF8B7E06791), ref: 00007FF8B7E0BADD
X509_verify_cert_error_string.LIBCRYPTO-3(?,00000000,?,?,00000000,00000000,00000000,00007FF8B7E06791), ref: 00007FF8B7E0BAFB
PyUnicode_FromString.PYTHON313(?,00000000,?,?,00000000,00000000,00000000,00007FF8B7E06791), ref: 00007FF8B7E0BB09
PyUnicode_FromFormat.PYTHON313(?,00000000,?,?,00000000,00000000,00000000,00007FF8B7E06791), ref: 00007FF8B7E0BB37
PyUnicode_FromFormat.PYTHON313(?,00000000,?,?,00000000,00000000,00000000,00007FF8B7E06791), ref: 00007FF8B7E0BB73
PyUnicode_FromFormat.PYTHON313(?,00000000,?,?,00000000,00000000,00000000,00007FF8B7E06791), ref: 00007FF8B7E0BBA0
PyUnicode_FromFormat.PYTHON313(?,00000000,?,?,00000000,00000000,00000000,00007FF8B7E06791), ref: 00007FF8B7E0BBC2
PyUnicode_FromFormat.PYTHON313(?,00000000,?,?,00000000,00000000,00000000,00007FF8B7E06791), ref: 00007FF8B7E0BBDC
Py_BuildValue.PYTHON313(?,00000000,?,?,00000000,00000000,00000000,00007FF8B7E06791), ref: 00007FF8B7E0BC12
PyObject_CallObject.PYTHON313(?,00000000,?,?,00000000,00000000,00000000,00007FF8B7E06791), ref: 00007FF8B7E0BC2F
_Py_Dealloc.PYTHON313(?,00000000,?,?,00000000,00000000,00000000,00007FF8B7E06791), ref: 00007FF8B7E0BC46
PyObject_SetAttr.PYTHON313(?,00000000,?,?,00000000,00000000,00000000,00007FF8B7E06791), ref: 00007FF8B7E0BC6D
PyObject_SetAttr.PYTHON313(?,00000000,?,?,00000000,00000000,00000000,00007FF8B7E06791), ref: 00007FF8B7E0BC8C
PyObject_SetAttr.PYTHON313(?,00000000,?,?,00000000,00000000,00000000,00007FF8B7E06791), ref: 00007FF8B7E0BCB6
PyObject_SetAttr.PYTHON313(?,00000000,?,?,00000000,00000000,00000000,00007FF8B7E06791), ref: 00007FF8B7E0BCCD
PyErr_SetObject.PYTHON313(?,00000000,?,?,00000000,00000000,00000000,00007FF8B7E06791), ref: 00007FF8B7E0BCDD
_Py_Dealloc.PYTHON313(?,00000000,?,?,00000000,00000000,00000000,00007FF8B7E06791), ref: 00007FF8B7E0BCF1
_Py_Dealloc.PYTHON313(?,00000000,?,?,00000000,00000000,00000000,00007FF8B7E06791), ref: 00007FF8B7E0BD0B
_Py_Dealloc.PYTHON313(?,00000000,?,?,00000000,00000000,00000000,00007FF8B7E06791), ref: 00007FF8B7E0BD24

Strings

[%S: %S] %s: %S (_ssl.c:%d), xrefs: 00007FF8B7E0BB5A
IP address mismatch, certificate is not valid for '%S'., xrefs: 00007FF8B7E0BB23
%s (_ssl.c:%d), xrefs: 00007FF8B7E0BBD2
[%S: %S] %s (_ssl.c:%d), xrefs: 00007FF8B7E0BB8C
Hostname mismatch, certificate is not valid for '%S'., xrefs: 00007FF8B7E0BB2C
unknown error, xrefs: 00007FF8B7E0BAA1
[%S] %s (_ssl.c:%d), xrefs: 00007FF8B7E0BBB5

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: From$DeallocUnicode_$FormatObject_$Attr$Err_$BuildDict_ErrorItemLongLong_ObjectOccurredValueWith$CallL_get_verify_resultR_reason_error_stringStringX509_verify_cert_error_string
String ID: %s (_ssl.c:%d)$Hostname mismatch, certificate is not valid for '%S'.$IP address mismatch, certificate is not valid for '%S'.$[%S: %S] %s (_ssl.c:%d)$[%S: %S] %s: %S (_ssl.c:%d)$[%S] %s (_ssl.c:%d)$unknown error
API String ID: 1604805535-2914327905
Opcode ID: a41db2abb2cb338cf27331087a209aef212dc94b4bd60e2b31d3d9e759729565
Instruction ID: d0e05f996b142ceb298dac2e32e4e8278c6685eb6ff65fd2a71fa4998a44c6bf
Opcode Fuzzy Hash: a41db2abb2cb338cf27331087a209aef212dc94b4bd60e2b31d3d9e759729565
Instruction Fuzzy Hash: A9B14B61A097868AEAA5AF19A95677D63B6BF55FC0F084434CF0E477B4EF3CE8448700

Function 00007FF8A9339AC0 Relevance: 52.8, APIs: 27, Strings: 3, Instructions: 280COMMON

Download Yara Rule

APIs

BN_bin2bn.LIBCRYPTO-3(00000000,?,00000000,?,?,?,?,00007FF8A9337801), ref: 00007FF8A9339C37
BN_bin2bn.LIBCRYPTO-3(00000000,?,00000000,?,?,?,?,00007FF8A9337801), ref: 00007FF8A9339C48
OSSL_PARAM_BLD_push_BN.LIBCRYPTO-3(00000000,?,00000000,?,?,?,?,00007FF8A9337801), ref: 00007FF8A9339CAB
OSSL_PARAM_BLD_push_BN.LIBCRYPTO-3(00000000,?,00000000,?,?,?,?,00007FF8A9337801), ref: 00007FF8A9339CC5
ERR_new.LIBCRYPTO-3(00000000,?,00000000,?,?,?,?,00007FF8A9337801), ref: 00007FF8A9339D0B
ERR_set_debug.LIBCRYPTO-3(00000000,?,00000000,?,?,?,?,00007FF8A9337801), ref: 00007FF8A9339D23
EVP_PKEY_CTX_free.LIBCRYPTO-3(00000000,?,00000000,?,?,?,?,00007FF8A9337801), ref: 00007FF8A9339D67
EVP_PKEY_CTX_new_from_pkey.LIBCRYPTO-3(00000000,?,00000000,?,?,?,?,00007FF8A9337801), ref: 00007FF8A9339D85
ERR_new.LIBCRYPTO-3(00000000,?,00000000,?,?,?,?,00007FF8A9337801), ref: 00007FF8A9339DE9
ERR_set_debug.LIBCRYPTO-3(00000000,?,00000000,?,?,?,?,00007FF8A9337801), ref: 00007FF8A9339E01
ERR_new.LIBCRYPTO-3(00000000,?,00000000,?,?,?,?,00007FF8A9337801), ref: 00007FF8A9339EB2
ERR_new.LIBCRYPTO-3(00000000,?,00000000,?,?,?,?,00007FF8A9337801), ref: 00007FF8A9339EC1
ERR_set_debug.LIBCRYPTO-3(00000000,?,00000000,?,?,?,?,00007FF8A9337801), ref: 00007FF8A9339ED9
OSSL_PARAM_BLD_free.LIBCRYPTO-3(00000000,?,00000000,?,?,?,?,00007FF8A9337801), ref: 00007FF8A9339EF7
OSSL_PARAM_free.LIBCRYPTO-3(00000000,?,00000000,?,?,?,?,00007FF8A9337801), ref: 00007FF8A9339EFF
EVP_PKEY_free.LIBCRYPTO-3(00000000,?,00000000,?,?,?,?,00007FF8A9337801), ref: 00007FF8A9339F0C
EVP_PKEY_CTX_free.LIBCRYPTO-3(00000000,?,00000000,?,?,?,?,00007FF8A9337801), ref: 00007FF8A9339F14
BN_free.LIBCRYPTO-3(00000000,?,00000000,?,?,?,?,00007FF8A9337801), ref: 00007FF8A9339F1C
BN_free.LIBCRYPTO-3(00000000,?,00000000,?,?,?,?,00007FF8A9337801), ref: 00007FF8A9339F24
BN_free.LIBCRYPTO-3(00000000,?,00000000,?,?,?,?,00007FF8A9337801), ref: 00007FF8A9339F2C
ERR_new.LIBCRYPTO-3(00000000,?,00000000,?,?,?,?,00007FF8A9337801), ref: 00007FF8A9339F4C
ERR_set_debug.LIBCRYPTO-3(00000000,?,00000000,?,?,?,?,00007FF8A9337801), ref: 00007FF8A9339F64

Strings

pub, xrefs: 00007FF8A9339CBB
tls_process_ske_dhe, xrefs: 00007FF8A9339D15, 00007FF8A9339DEE, 00007FF8A9339E68, 00007FF8A9339E92, 00007FF8A9339EC6, 00007FF8A9339F51
..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A9339D1C, 00007FF8A9339DFA, 00007FF8A9339E74, 00007FF8A9339E9E, 00007FF8A9339ED2, 00007FF8A9339F5D

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_new$R_set_debug$N_free$D_push_N_bin2bnX_free$D_freeM_freeX_new_from_pkeyY_free
String ID: ..\s\ssl\statem\statem_clnt.c$pub$tls_process_ske_dhe
API String ID: 628451016-2653997673
Opcode ID: 13041f3a82de289b3a0e62343bcd9baa2358b2b352d41d32bfb79f4bcc76be03
Instruction ID: 892cc48e715fa9eb483624c8f34516aeb5f8e4b12da42348a261a08852766c99
Opcode Fuzzy Hash: 13041f3a82de289b3a0e62343bcd9baa2358b2b352d41d32bfb79f4bcc76be03
Instruction Fuzzy Hash: C9B1B151A0EEC2A1FA50AF21A4112FA62B0FFC67C5F546035EE9D87B96DF3CE5918700

Function 00007FF8B7E0B494 Relevance: 47.4, APIs: 16, Strings: 11, Instructions: 143COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF8B7E0B4D9
SSL_CIPHER_get_name.LIBSSL-3 ref: 00007FF8B7E0B4E1
SSL_CIPHER_get_version.LIBSSL-3 ref: 00007FF8B7E0B4ED
SSL_CIPHER_get_id.LIBSSL-3 ref: 00007FF8B7E0B4F9
SSL_CIPHER_description.LIBSSL-3 ref: 00007FF8B7E0B515
SSL_CIPHER_get_bits.LIBSSL-3 ref: 00007FF8B7E0B55D
SSL_CIPHER_is_aead.LIBSSL-3 ref: 00007FF8B7E0B569
SSL_CIPHER_get_cipher_nid.LIBSSL-3 ref: 00007FF8B7E0B575
OBJ_nid2ln.LIBCRYPTO-3 ref: 00007FF8B7E0B581
SSL_CIPHER_get_digest_nid.LIBSSL-3 ref: 00007FF8B7E0B597
OBJ_nid2ln.LIBCRYPTO-3 ref: 00007FF8B7E0B5A3
SSL_CIPHER_get_kx_nid.LIBSSL-3 ref: 00007FF8B7E0B5B3
OBJ_nid2ln.LIBCRYPTO-3 ref: 00007FF8B7E0B5BF
SSL_CIPHER_get_auth_nid.LIBSSL-3 ref: 00007FF8B7E0B5CF
OBJ_nid2ln.LIBCRYPTO-3 ref: 00007FF8B7E0B5DB
Py_BuildValue.PYTHON313 ref: 00007FF8B7E0B6D8

Strings

description, xrefs: 00007FF8B7E0B6B6
strength_bits, xrefs: 00007FF8B7E0B698
digest, xrefs: 00007FF8B7E0B63E
name, xrefs: 00007FF8B7E0B5EF
alg_bits, xrefs: 00007FF8B7E0B68C
auth, xrefs: 00007FF8B7E0B610
symmetric, xrefs: 00007FF8B7E0B655
protocol, xrefs: 00007FF8B7E0B6C2
kea, xrefs: 00007FF8B7E0B627
{sksssssssisisOssssssss}, xrefs: 00007FF8B7E0B669
aead, xrefs: 00007FF8B7E0B675

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: J_nid2ln$BuildR_descriptionR_get_auth_nidR_get_bitsR_get_cipher_nidR_get_digest_nidR_get_idR_get_kx_nidR_get_nameR_get_versionR_is_aeadValuememset
String ID: aead$alg_bits$auth$description$digest$kea$name$protocol$strength_bits$symmetric${sksssssssisisOssssssss}
API String ID: 1339383425-4085912083
Opcode ID: c2efaa43b9743c2d9eb088dde7249cc75b8b3e0ed0946e6e735d6bcf45c0628a
Instruction ID: d8b59a253cc60acd858d71352871620c8f4d393dd56b18b4061d8487ae3c86ca
Opcode Fuzzy Hash: c2efaa43b9743c2d9eb088dde7249cc75b8b3e0ed0946e6e735d6bcf45c0628a
Instruction Fuzzy Hash: 84613C35A08B8685EA649B29F8562AE73A5FF88FD0F440536DA8E43BB4DF3CD444C700

Function 00007FF8A930B950 Relevance: 45.8, APIs: 16, Strings: 10, Instructions: 294COMMON

Download Yara Rule

APIs

BIO_indent.LIBCRYPTO-3 ref: 00007FF8A930BA7A
BIO_printf.LIBCRYPTO-3 ref: 00007FF8A930BA8C
BIO_indent.LIBCRYPTO-3 ref: 00007FF8A930BAB1
BIO_printf.LIBCRYPTO-3 ref: 00007FF8A930BAEB
BIO_indent.LIBCRYPTO-3 ref: 00007FF8A930BB82
BIO_printf.LIBCRYPTO-3 ref: 00007FF8A930BB94
BIO_indent.LIBCRYPTO-3 ref: 00007FF8A930BBCE
BIO_printf.LIBCRYPTO-3 ref: 00007FF8A930BC11
BIO_indent.LIBCRYPTO-3 ref: 00007FF8A930BC5F
BIO_printf.LIBCRYPTO-3 ref: 00007FF8A930BC92
BIO_indent.LIBCRYPTO-3 ref: 00007FF8A930BCE6
BIO_printf.LIBCRYPTO-3 ref: 00007FF8A930BCF8
d2i_X509_NAME.LIBCRYPTO-3 ref: 00007FF8A930BD0C
BIO_puts.LIBCRYPTO-3 ref: 00007FF8A930BD23
BIO_puts.LIBCRYPTO-3 ref: 00007FF8A930BD45
X509_NAME_free.LIBCRYPTO-3 ref: 00007FF8A930BD4D

Part of subcall function 00007FF8A930E000: BIO_printf.LIBCRYPTO-3(?,00007FF8A930B48A), ref: 00007FF8A930E046
Part of subcall function 00007FF8A930E000: BIO_printf.LIBCRYPTO-3(?,00007FF8A930B48A), ref: 00007FF8A930E06F

Part of subcall function 00007FF8A930D720: BIO_indent.LIBCRYPTO-3(?,?,?,?,?,?,00007FF8A930BA38), ref: 00007FF8A930D769
Part of subcall function 00007FF8A930D720: BIO_puts.LIBCRYPTO-3(?,?,?,?,?,?,00007FF8A930BA38), ref: 00007FF8A930D77D

Strings

signature_algorithms (len=%d), xrefs: 00007FF8A930BB8A
certificate_types (len=%d), xrefs: 00007FF8A930BA82
request_extensions, xrefs: 00007FF8A930BDC2
<UNPARSEABLE DN>, xrefs: 00007FF8A930BD1C
certificate_authorities (len=%d), xrefs: 00007FF8A930BC78
%s (0x%04x), xrefs: 00007FF8A930BC07
DistinguishedName (len=%d): , xrefs: 00007FF8A930BCEE
request_context, xrefs: 00007FF8A930B9D7
%s (%d), xrefs: 00007FF8A930BAE1
UNKNOWN, xrefs: 00007FF8A930BAD1, 00007FF8A930BBFA

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: O_printf$O_indent$O_puts$X509_$E_freed2i_
String ID: %s (%d)$%s (0x%04x)$<UNPARSEABLE DN>$DistinguishedName (len=%d): $UNKNOWN$certificate_authorities (len=%d)$certificate_types (len=%d)$request_context$request_extensions$signature_algorithms (len=%d)
API String ID: 2542938528-1289818360
Opcode ID: 9866b08bdc0a3b3d8ea1bb17813a8abd02e194aeed6dc8d8cf881cc16176eeed
Instruction ID: c77adfc415e08fe6ea1bd99b1482cf44c5df344a631a2354d8fb08135a1b469d
Opcode Fuzzy Hash: 9866b08bdc0a3b3d8ea1bb17813a8abd02e194aeed6dc8d8cf881cc16176eeed
Instruction Fuzzy Hash: ADC10621B1EAD165EE609F15D4057BAABB1FB85BC4F44A031DE9D87B99DE3CE500C300

Function 00007FF8B7E09A00 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 234threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8B7E03C98: PyWeakref_GetRef.PYTHON313 ref: 00007FF8B7E03CAA
Part of subcall function 00007FF8B7E03C98: _Py_Dealloc.PYTHON313 ref: 00007FF8B7E03CCC

PyErr_SetString.PYTHON313(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8B7E099CE), ref: 00007FF8B7E09A5F
PyBytes_FromStringAndSize.PYTHON313(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8B7E099CE), ref: 00007FF8B7E09AB1
_Py_Dealloc.PYTHON313(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8B7E099CE), ref: 00007FF8B7E09ADB
PyErr_SetString.PYTHON313(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8B7E099CE), ref: 00007FF8B7E09B21
SSL_get_rbio.LIBSSL-3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8B7E099CE), ref: 00007FF8B7E09B49
BIO_ctrl.LIBCRYPTO-3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8B7E099CE), ref: 00007FF8B7E09B5E
SSL_get_wbio.LIBSSL-3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8B7E099CE), ref: 00007FF8B7E09B68
BIO_ctrl.LIBCRYPTO-3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8B7E099CE), ref: 00007FF8B7E09B79
_PyDeadline_Init.PYTHON313 ref: 00007FF8B7E09B95
PyEval_SaveThread.PYTHON313(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8B7E099CE), ref: 00007FF8B7E09BA8
SSL_read_ex.LIBSSL-3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8B7E099CE), ref: 00007FF8B7E09BC0
PyEval_RestoreThread.PYTHON313(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8B7E099CE), ref: 00007FF8B7E09BF4
PyErr_CheckSignals.PYTHON313(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8B7E099CE), ref: 00007FF8B7E09C09
_PyDeadline_Get.PYTHON313(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8B7E099CE), ref: 00007FF8B7E09C23
SSL_get_shutdown.LIBSSL-3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8B7E099CE), ref: 00007FF8B7E09C72
_Py_Dealloc.PYTHON313(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8B7E099CE), ref: 00007FF8B7E09CBA
_PyBytes_Resize.PYTHON313(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8B7E099CE), ref: 00007FF8B7E09CCD
_Py_Dealloc.PYTHON313(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8B7E099CE), ref: 00007FF8B7E09CF8
_Py_Dealloc.PYTHON313(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8B7E099CE), ref: 00007FF8B7E09D26
PyLong_FromSize_t.PYTHON313(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8B7E099CE), ref: 00007FF8B7E09D35

Strings

maximum length can't fit in a C 'int', xrefs: 00007FF8B7E09B17
The read operation timed out, xrefs: 00007FF8B7E09C98
Underlying socket connection gone, xrefs: 00007FF8B7E09A7E
size should not be negative, xrefs: 00007FF8B7E09A55

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Dealloc$Err_String$Bytes_Deadline_Eval_FromO_ctrlThread$CheckInitL_get_rbioL_get_shutdownL_get_wbioL_read_exLong_ResizeRestoreSaveSignalsSizeSize_tWeakref_
String ID: The read operation timed out$Underlying socket connection gone$maximum length can't fit in a C 'int'$size should not be negative
API String ID: 2728777618-665203206
Opcode ID: e94926a5dda901e9600d49c675eeda76c231d597df9f71c49167856a4d9397d9
Instruction ID: 6208184cf09a5610bcbbee9ba47d46b6b85ddb9448d98d5f0b920e132f429d1e
Opcode Fuzzy Hash: e94926a5dda901e9600d49c675eeda76c231d597df9f71c49167856a4d9397d9
Instruction Fuzzy Hash: 95A14732E09B528AEB659F29A88667D23A4BF45FC8F054035CF4E57AB4DF3DE4528700

Function 00007FF8B7E0653C Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

SSL_get_servername.LIBSSL-3 ref: 00007FF8B7E0655A
PyGILState_Ensure.PYTHON313 ref: 00007FF8B7E06563
PyGILState_Release.PYTHON313 ref: 00007FF8B7E06575
SSL_get_ex_data.LIBSSL-3 ref: 00007FF8B7E06587
PyWeakref_GetRef.PYTHON313 ref: 00007FF8B7E065A9
PyObject_CallFunctionObjArgs.PYTHON313 ref: 00007FF8B7E065E2
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E06619
PyGILState_Release.PYTHON313 ref: 00007FF8B7E06629
PyUnicode_FromEncodedObject.PYTHON313 ref: 00007FF8B7E06652
PyErr_WriteUnraisable.PYTHON313 ref: 00007FF8B7E06663
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E06676
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0668C
PyObject_CallFunctionObjArgs.PYTHON313 ref: 00007FF8B7E066A6
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E066BD
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E066D2
PyErr_WriteUnraisable.PYTHON313 ref: 00007FF8B7E066E1
PyLong_AsLong.PYTHON313 ref: 00007FF8B7E06703
PyErr_Occurred.PYTHON313 ref: 00007FF8B7E0670C
PyErr_WriteUnraisable.PYTHON313 ref: 00007FF8B7E0671A
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0673A
PyGILState_Release.PYTHON313 ref: 00007FF8B7E06743

Strings

ascii, xrefs: 00007FF8B7E06648

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Dealloc$Err_State_$ReleaseUnraisableWrite$ArgsCallFunctionObject_$EncodedEnsureFromL_get_ex_dataL_get_servernameLongLong_ObjectOccurredUnicode_Weakref_
String ID: ascii
API String ID: 1648778365-3510295289
Opcode ID: 855e93930477775f02c38f3ac009f80da23f8be2ad27ea1c1b1474064647d875
Instruction ID: be454e2623677535163ad5f40c399a727f5c3542813673fdda5d05b34e134851
Opcode Fuzzy Hash: 855e93930477775f02c38f3ac009f80da23f8be2ad27ea1c1b1474064647d875
Instruction Fuzzy Hash: D261B83AA09B4286FA69AF29A81A37D63A1BF44FD5F184430DB0F467B4DF7DE4458700

Function 00007FF8B7E05194 Relevance: 36.2, APIs: 24, Instructions: 170COMMON

Download Yara Rule

APIs

X509_NAME_entry_count.LIBCRYPTO-3 ref: 00007FF8B7E051B8
PyList_New.PYTHON313 ref: 00007FF8B7E051C7
PyList_New.PYTHON313 ref: 00007FF8B7E051DB
X509_NAME_get_entry.LIBCRYPTO-3 ref: 00007FF8B7E051FD
X509_NAME_ENTRY_set.LIBCRYPTO-3 ref: 00007FF8B7E0520E
PyList_AsTuple.PYTHON313 ref: 00007FF8B7E0521C
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E05233
PyList_Append.PYTHON313 ref: 00007FF8B7E05248
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0525E
PyList_New.PYTHON313 ref: 00007FF8B7E0526E
X509_NAME_ENTRY_set.LIBCRYPTO-3 ref: 00007FF8B7E05283
X509_NAME_ENTRY_get_object.LIBCRYPTO-3 ref: 00007FF8B7E0528F
X509_NAME_ENTRY_get_data.LIBCRYPTO-3 ref: 00007FF8B7E0529B
PyList_Append.PYTHON313 ref: 00007FF8B7E052C3
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E052DA
PyList_AsTuple.PYTHON313 ref: 00007FF8B7E05310
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E05327
PyList_Append.PYTHON313 ref: 00007FF8B7E05338
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0534E
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E05366
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E05396
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E053AC
PyList_AsTuple.PYTHON313 ref: 00007FF8B7E053B5
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E053CC

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: DeallocList_$X509_$AppendTuple$Y_set$E_entry_countE_get_entryY_get_dataY_get_object
String ID:
API String ID: 3918441104-0
Opcode ID: db818d51d449e72e9899e89badedafafe268f1228f328daead792f54bb8280e6
Instruction ID: 7cb3467472a234e9b105ae3e5217590614bde82ccb15ffb1e5f71629ff7a4300
Opcode Fuzzy Hash: db818d51d449e72e9899e89badedafafe268f1228f328daead792f54bb8280e6
Instruction Fuzzy Hash: F9615931A09B4385FF596F2AA91A73E62E1BF45FD1F485434CB4E4A6B4EFBCA4458300

Function 00007FF8A92D19D8 Relevance: 33.5, APIs: 17, Strings: 2, Instructions: 271COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A9335465
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A933547D
ERR_new.LIBCRYPTO-3 ref: 00007FF8A9335546
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9335830

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A9335476, 00007FF8A9335829
tls_construct_client_hello, xrefs: 00007FF8A933546A, 00007FF8A9335822

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debug
String ID: ..\s\ssl\statem\statem_clnt.c$tls_construct_client_hello
API String ID: 193678381-3629367348
Opcode ID: d8395b445ae9ff782c898aefdd6d6a6793dfd2ddd782255ea916dad638690011
Instruction ID: 3eb7b3bc13a7d21f1b051537d1293544ae62c4890f84cbcb974984d70d831ef3
Opcode Fuzzy Hash: d8395b445ae9ff782c898aefdd6d6a6793dfd2ddd782255ea916dad638690011
Instruction Fuzzy Hash: 99B18265B4FAC261F754AE22D5443BB22A5EF81BC4F486035DE0ECBAC6DF6CE9418740

Function 00007FF8B7E0A248 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 176threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8B7E03C98: PyWeakref_GetRef.PYTHON313 ref: 00007FF8B7E03CAA
Part of subcall function 00007FF8B7E03C98: _Py_Dealloc.PYTHON313 ref: 00007FF8B7E03CCC

SSL_get_rbio.LIBSSL-3(?,?,?,?,?,?,00000000), ref: 00007FF8B7E0A2C8
BIO_ctrl.LIBCRYPTO-3(?,?,?,?,?,?,00000000), ref: 00007FF8B7E0A2DD
SSL_get_wbio.LIBSSL-3(?,?,?,?,?,?,00000000), ref: 00007FF8B7E0A2E7
BIO_ctrl.LIBCRYPTO-3(?,?,?,?,?,?,00000000), ref: 00007FF8B7E0A2F8
_PyDeadline_Init.PYTHON313(?,?,?,?,?,?,00000000), ref: 00007FF8B7E0A30E
PyErr_SetString.PYTHON313(?,?,?,?,?,?,00000000), ref: 00007FF8B7E0A345
_Py_Dealloc.PYTHON313(?,?,?,?,?,?,00000000), ref: 00007FF8B7E0A35E
PyEval_SaveThread.PYTHON313(?,?,?,?,?,?,00000000), ref: 00007FF8B7E0A3B6
SSL_write_ex.LIBSSL-3(?,?,?,?,?,?,00000000), ref: 00007FF8B7E0A3D3
PyEval_RestoreThread.PYTHON313(?,?,?,?,?,?,00000000), ref: 00007FF8B7E0A40D
PyErr_CheckSignals.PYTHON313(?,?,?,?,?,?,00000000), ref: 00007FF8B7E0A424
_PyDeadline_Get.PYTHON313(?,?,?,?,?,?,00000000), ref: 00007FF8B7E0A43A
_Py_Dealloc.PYTHON313(?,?,?,?,?,?,00000000), ref: 00007FF8B7E0A49E

Part of subcall function 00007FF8B7E06750: ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B7E06768
Part of subcall function 00007FF8B7E06750: ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B7E06791

PyLong_FromSize_t.PYTHON313(?,?,?,?,?,?,00000000), ref: 00007FF8B7E0A4D1

Strings

Underlying socket too large for select()., xrefs: 00007FF8B7E0A3A5
Underlying socket connection gone, xrefs: 00007FF8B7E0A293
3, xrefs: 00007FF8B7E0A29A
The write operation timed out, xrefs: 00007FF8B7E0A33B
Underlying socket has been closed., xrefs: 00007FF8B7E0A38B

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Dealloc$Deadline_Err_Eval_O_ctrlThread$CheckFromInitL_get_rbioL_get_wbioL_write_exLong_R_clear_errorR_peek_last_errorRestoreSaveSignalsSize_tStringWeakref_
String ID: 3$The write operation timed out$Underlying socket connection gone$Underlying socket has been closed.$Underlying socket too large for select().
API String ID: 438463835-2917282068
Opcode ID: d3687d44d63a89c7a4742784eb3d5b6704145737fb35931fea571ddff65a40d4
Instruction ID: 9726572b26bfaab191a86669d7906927338e894b89f7f819a89bb3831dadbd10
Opcode Fuzzy Hash: d3687d44d63a89c7a4742784eb3d5b6704145737fb35931fea571ddff65a40d4
Instruction Fuzzy Hash: A4714A26A0CB4A8AEA649F2A988627E67A1FF89FC4F044431DF4E47671DF3CE445C300

Function 00007FF8A92D1A55 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 183COMMON

Download Yara Rule

APIs

EVP_CIPHER_CTX_get0_cipher.LIBCRYPTO-3 ref: 00007FF8A931A817
EVP_CIPHER_get0_provider.LIBCRYPTO-3 ref: 00007FF8A931A842
EVP_CIPHER_CTX_get_block_size.LIBCRYPTO-3 ref: 00007FF8A931A85A
memset.VCRUNTIME140 ref: 00007FF8A931A89B
EVP_CIPHER_get0_provider.LIBCRYPTO-3 ref: 00007FF8A931A8D6
EVP_CipherUpdate.LIBCRYPTO-3 ref: 00007FF8A931A8FE
OSSL_PARAM_construct_octet_ptr.LIBCRYPTO-3 ref: 00007FF8A931A948
OSSL_PARAM_construct_end.LIBCRYPTO-3 ref: 00007FF8A931A971
EVP_CIPHER_CTX_get_params.LIBCRYPTO-3 ref: 00007FF8A931A9A0
ERR_new.LIBCRYPTO-3 ref: 00007FF8A931A9AD
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A931A9C5
EVP_Cipher.LIBCRYPTO-3 ref: 00007FF8A931AA00
ERR_new.LIBCRYPTO-3 ref: 00007FF8A931AA0A
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A931AA22
memmove.VCRUNTIME140 ref: 00007FF8A931AA99

Strings

ssl3_enc, xrefs: 00007FF8A931A9B2, 00007FF8A931AA0F
tls-mac, xrefs: 00007FF8A931A930
..\s\ssl\record\ssl3_record.c, xrefs: 00007FF8A931A9BE, 00007FF8A931AA1B

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: CipherR_get0_providerR_newR_set_debug$M_construct_endM_construct_octet_ptrUpdateX_get0_cipherX_get_block_sizeX_get_paramsmemmovememset
String ID: ..\s\ssl\record\ssl3_record.c$ssl3_enc$tls-mac
API String ID: 498158591-3426545738
Opcode ID: 846db99a8bd125bd40f96cc4d37a063426ae10c70d0c16e5854cef26a0faee61
Instruction ID: 45e6da3dafd815c732c854c84d813c2b7ea79fe4c5f0684a68773aaf18b0bd67
Opcode Fuzzy Hash: 846db99a8bd125bd40f96cc4d37a063426ae10c70d0c16e5854cef26a0faee61
Instruction Fuzzy Hash: 4C71A022A0EEC651EE648F11E9017AA63B0EF857C5F55A031DE8DC3B65EF3CE4818700

Function 00007FF8B7E09EA0 Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 174threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8B7E03C98: PyWeakref_GetRef.PYTHON313 ref: 00007FF8B7E03CAA
Part of subcall function 00007FF8B7E03C98: _Py_Dealloc.PYTHON313 ref: 00007FF8B7E03CCC

SSL_get_rbio.LIBSSL-3 ref: 00007FF8B7E09F03
BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8B7E09F18
SSL_get_wbio.LIBSSL-3 ref: 00007FF8B7E09F22
BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8B7E09F33
_PyDeadline_Init.PYTHON313 ref: 00007FF8B7E09F4B
PyEval_SaveThread.PYTHON313 ref: 00007FF8B7E09F98
SSL_set_read_ahead.LIBSSL-3 ref: 00007FF8B7E09FB1
SSL_shutdown.LIBSSL-3 ref: 00007FF8B7E09FBE
PyEval_RestoreThread.PYTHON313 ref: 00007FF8B7E09FF8
_PyDeadline_Get.PYTHON313 ref: 00007FF8B7E0A03E
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0A08E
PyErr_SetString.PYTHON313 ref: 00007FF8B7E0A0D9
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0A0FB

Strings

Underlying socket too large for select()., xrefs: 00007FF8B7E0A0AB
The read operation timed out, xrefs: 00007FF8B7E0A0C3
Underlying socket connection gone, xrefs: 00007FF8B7E09F5F
The write operation timed out, xrefs: 00007FF8B7E0A0D2
B, xrefs: 00007FF8B7E09F6C

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Dealloc$Deadline_Eval_O_ctrlThread$Err_InitL_get_rbioL_get_wbioL_set_read_aheadL_shutdownRestoreSaveStringWeakref_
String ID: B$The read operation timed out$The write operation timed out$Underlying socket connection gone$Underlying socket too large for select().
API String ID: 3315248981-1139084988
Opcode ID: 5943a039c6cdb38d5f61f64391e52815a8c3dd02f3e8eae8b1d42f492bb51cbe
Instruction ID: 860e07572ef1836cb443faf1c048fb3bac31c507ee5645446d946eb887a37ce4
Opcode Fuzzy Hash: 5943a039c6cdb38d5f61f64391e52815a8c3dd02f3e8eae8b1d42f492bb51cbe
Instruction Fuzzy Hash: C2715E22A0CB4A89EA649F29E54627E6361FF85FD4F044135DF4E47AB1DF3DE4958300

Function 00007FF8A92EAA00 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 173COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A92EAA23
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92EAA3B
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A92EAA4D
ERR_new.LIBCRYPTO-3 ref: 00007FF8A92EAAB3
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92EAACB
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A92EAADD

Strings

<EMPTY>, xrefs: 00007FF8A92EAC15
ctrl_switch_option, xrefs: 00007FF8A92EAAB8
cmd=%s, xrefs: 00007FF8A92EAC77
..\s\ssl\ssl_conf.c, xrefs: 00007FF8A92EAA34, 00007FF8A92EAAC4, 00007FF8A92EAC04, 00007FF8A92EAC66
cmd=%s, value=%s, xrefs: 00007FF8A92EAC1F
SSL_CONF_cmd, xrefs: 00007FF8A92EAA28, 00007FF8A92EABF8, 00007FF8A92EAC5A

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: ..\s\ssl\ssl_conf.c$<EMPTY>$SSL_CONF_cmd$cmd=%s$cmd=%s, value=%s$ctrl_switch_option
API String ID: 1552677711-2097058995
Opcode ID: e319e27fe40e647e3f244abde80eac25d5c14b5325c085d734663c925ea3fa4d
Instruction ID: 8a3a2ba5d90603d202062f4e253be72cdbe224bf6c73b8d57d2acad94ac40e95
Opcode Fuzzy Hash: e319e27fe40e647e3f244abde80eac25d5c14b5325c085d734663c925ea3fa4d
Instruction Fuzzy Hash: 9061B466A0EAD2A2FB409F59E4403A963B1EB847D4F495031DA5CC7BDAEE3CE9418700

Function 00007FF8B7E0AE2C Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

X509_get_default_cert_file_env.LIBCRYPTO-3 ref: 00007FF8B7E0AE4A
PyUnicode_DecodeFSDefault.PYTHON313 ref: 00007FF8B7E0AE6F
PyBytes_FromString.PYTHON313 ref: 00007FF8B7E0AE80
X509_get_default_cert_file.LIBCRYPTO-3 ref: 00007FF8B7E0AE92
PyUnicode_DecodeFSDefault.PYTHON313 ref: 00007FF8B7E0AEB5
PyBytes_FromString.PYTHON313 ref: 00007FF8B7E0AEC6
X509_get_default_cert_dir_env.LIBCRYPTO-3 ref: 00007FF8B7E0AED8
PyUnicode_DecodeFSDefault.PYTHON313 ref: 00007FF8B7E0AEFB
PyBytes_FromString.PYTHON313 ref: 00007FF8B7E0AF0C
X509_get_default_cert_dir.LIBCRYPTO-3 ref: 00007FF8B7E0AF1A
PyUnicode_DecodeFSDefault.PYTHON313 ref: 00007FF8B7E0AF3D
PyBytes_FromString.PYTHON313 ref: 00007FF8B7E0AF4E
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0AF70
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0AF89
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0AFA2
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0AFBB
Py_BuildValue.PYTHON313 ref: 00007FF8B7E0AFDA

Strings

NNNN, xrefs: 00007FF8B7E0AFD0

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Bytes_DeallocDecodeDefaultFromStringUnicode_$BuildValueX509_get_default_cert_dirX509_get_default_cert_dir_envX509_get_default_cert_fileX509_get_default_cert_file_env
String ID: NNNN
API String ID: 4174375237-3742719684
Opcode ID: 032c473e828f0bc6b170e89e1f0afbc80d132e03b2a375ae8234737ed893535b
Instruction ID: 6e75b9858eae4fecde1689c14c83c6740f083471de0e9c7c934ac05c9c1d39e2
Opcode Fuzzy Hash: 032c473e828f0bc6b170e89e1f0afbc80d132e03b2a375ae8234737ed893535b
Instruction Fuzzy Hash: 2551F871A0DB478EFA69AF2E951A27C63A0AF45FD5F084431DF4E467B0EE3DA4918700

Function 00007FF8A92D1942 Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 111COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A92EFAB9
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92EFAD1
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A92EFAE3
ERR_new.LIBCRYPTO-3 ref: 00007FF8A92EFAFF
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92EFB17
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A92EFB29

Strings

SSL_dane_enable, xrefs: 00007FF8A92EFABE, 00007FF8A92EFB04, 00007FF8A92EFB63, 00007FF8A92EFBB8, 00007FF8A92EFC27
..\s\ssl\ssl_lib.c, xrefs: 00007FF8A92EFACA, 00007FF8A92EFB10, 00007FF8A92EFB6F, 00007FF8A92EFBC4, 00007FF8A92EFC33

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: ..\s\ssl\ssl_lib.c$SSL_dane_enable
API String ID: 1552677711-2910236719
Opcode ID: a8bad8acbf6120621cfe3b6048791ddfa0484dac8b6e4f26ab7cc683a237509b
Instruction ID: 636c2ca54c5cb692c0f202d5d2a91f724271db8825be997df4dcfd4b47c0e8d9
Opcode Fuzzy Hash: a8bad8acbf6120621cfe3b6048791ddfa0484dac8b6e4f26ab7cc683a237509b
Instruction Fuzzy Hash: D4419651B1EDC262F7509F29E4417EA52A1DFC47D4F952235EA3C87BD6DE2CE4818B00

Function 00007FF8A92F9A10 Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

BIO_s_file.LIBCRYPTO-3 ref: 00007FF8A92F9A3E
BIO_new.LIBCRYPTO-3 ref: 00007FF8A92F9A46
ERR_new.LIBCRYPTO-3 ref: 00007FF8A92F9A53
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92F9A6B
BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8A92F9A8B
ERR_new.LIBCRYPTO-3 ref: 00007FF8A92F9A94
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92F9AAC
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A92F9B82
BIO_free.LIBCRYPTO-3 ref: 00007FF8A92F9B8A

Strings

SSL_CTX_use_PrivateKey_file, xrefs: 00007FF8A92F9A58, 00007FF8A92F9A99, 00007FF8A92F9B20, 00007FF8A92F9B5D
..\s\ssl\ssl_rsa.c, xrefs: 00007FF8A92F9A64, 00007FF8A92F9AA5, 00007FF8A92F9B2C, 00007FF8A92F9B69

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debug$O_ctrlO_freeO_newO_s_fileR_set_error
String ID: ..\s\ssl\ssl_rsa.c$SSL_CTX_use_PrivateKey_file
API String ID: 1899708915-2252211958
Opcode ID: d732b32f2e402c5161a9b4b3300df0eea3a63348ed082b006f49c7d29bad1551
Instruction ID: 49b4860b4a11ee5097f790b7c45462a0dc6c0a699ec24a84335582c600a658ea
Opcode Fuzzy Hash: d732b32f2e402c5161a9b4b3300df0eea3a63348ed082b006f49c7d29bad1551
Instruction Fuzzy Hash: F7418F25A0EEC6A1F650EF52D4112BA63E1EFC9BC0F445032E95E87B9ADE3CE5118B01

Function 00007FF8B7E01F00 Relevance: 30.2, APIs: 20, Instructions: 211COMMON

Download Yara Rule

APIs

PyModule_GetState.PYTHON313(?,?,?,00007FF8B7E01EE2), ref: 00007FF8B7E01F0A
_Py_Dealloc.PYTHON313(?,?,?,00007FF8B7E01EE2), ref: 00007FF8B7E0206E
_Py_Dealloc.PYTHON313(?,?,?,00007FF8B7E01EE2), ref: 00007FF8B7E0208B
_Py_Dealloc.PYTHON313(?,?,?,00007FF8B7E01EE2), ref: 00007FF8B7E020F3
_Py_Dealloc.PYTHON313(?,?,?,00007FF8B7E01EE2), ref: 00007FF8B7E02116
_Py_Dealloc.PYTHON313(?,?,?,00007FF8B7E01EE2), ref: 00007FF8B7E02136
_Py_Dealloc.PYTHON313(?,?,?,00007FF8B7E01EE2), ref: 00007FF8B7E02141
_Py_Dealloc.PYTHON313(?,?,?,00007FF8B7E01EE2), ref: 00007FF8B7E03A60
_Py_Dealloc.PYTHON313(?,?,?,00007FF8B7E01EE2), ref: 00007FF8B7E03AEE

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Dealloc$Module_State
String ID:
API String ID: 3434497292-0
Opcode ID: d1c1dbf24fec21b2bb6e7b30edcdd044f1888cf31ee9492728a25eb4563faf1c
Instruction ID: c262eddc65dfd144859bee580d0bc3136590e71c1b25ce880da9d19843cdfc3a
Opcode Fuzzy Hash: d1c1dbf24fec21b2bb6e7b30edcdd044f1888cf31ee9492728a25eb4563faf1c
Instruction Fuzzy Hash: DE91C132A0AB42C9EA5A9F6C995617C33E8BF45FC9F284434CB0E4A5B5CF3EA551C310

Function 00007FF8B7E0AC0C Relevance: 30.2, APIs: 20, Instructions: 161encryptionCOMMON

Download Yara Rule

APIs

PySet_New.PYTHON313 ref: 00007FF8B7E0AC27

Part of subcall function 00007FF8B7E0CCDC: CertOpenStore.CRYPT32 ref: 00007FF8B7E0CD07

_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0AC5A
GetLastError.KERNEL32 ref: 00007FF8B7E0AC60
PyErr_SetFromWindowsErr.PYTHON313 ref: 00007FF8B7E0AC68
PyBytes_FromStringAndSize.PYTHON313 ref: 00007FF8B7E0AC7F
PyTuple_New.PYTHON313 ref: 00007FF8B7E0ACAA
PySet_Add.PYTHON313 ref: 00007FF8B7E0ACCC
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0ACE5
CertEnumCRLsInStore.CRYPT32 ref: 00007FF8B7E0ACF1
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0AD19
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0AD35
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0AD4E
CertFreeCRLContext.CRYPT32 ref: 00007FF8B7E0AD76
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0AD8F
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0ADA8
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0ADC1
CertCloseStore.CRYPT32 ref: 00007FF8B7E0ADCF
PySequence_List.PYTHON313 ref: 00007FF8B7E0ADEF
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0AE06

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Dealloc$Cert$Store$FromSet_$Bytes_CloseContextEnumErr_ErrorFreeLastListOpenSequence_SizeStringTuple_Windows
String ID:
API String ID: 2193414262-0
Opcode ID: e918e1c0eddfe07976633dd5ae524c922d6a439c169cdbef9b1a398d1dea870d
Instruction ID: 47d66a72224fa1138a50a3ada4f83941556da7cf5c045bf59fc53d30011a348a
Opcode Fuzzy Hash: e918e1c0eddfe07976633dd5ae524c922d6a439c169cdbef9b1a398d1dea870d
Instruction Fuzzy Hash: 5D51FD32E0DB5686FA696F29995613D32A5BF54FD6F184430CF0E4A7B4DE3CA445C700

Function 00007FF8B7E0C3D0 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

PyGILState_Ensure.PYTHON313 ref: 00007FF8B7E0C3F4
SSL_get_ex_data.LIBSSL-3 ref: 00007FF8B7E0C403
PyUnicode_DecodeUTF8.PYTHON313 ref: 00007FF8B7E0C44D
PyErr_Clear.PYTHON313 ref: 00007FF8B7E0C46D
PyObject_CallFunctionObjArgs.PYTHON313 ref: 00007FF8B7E0C481
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0C498
PyArg_ParseTuple.PYTHON313 ref: 00007FF8B7E0C4D5
memcpy.VCRUNTIME140 ref: 00007FF8B7E0C50B
memcpy.VCRUNTIME140 ref: 00007FF8B7E0C520
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0C538
PyGILState_Release.PYTHON313 ref: 00007FF8B7E0C540
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0C55A
PyErr_Occurred.PYTHON313 ref: 00007FF8B7E0C560
PyErr_WriteUnraisable.PYTHON313 ref: 00007FF8B7E0C56E
PyGILState_Release.PYTHON313 ref: 00007FF8B7E0C576

Strings

strict, xrefs: 00007FF8B7E0C443
z#y#, xrefs: 00007FF8B7E0C4CE

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: DeallocErr_State_$Releasememcpy$Arg_ArgsCallClearDecodeEnsureFunctionL_get_ex_dataObject_OccurredParseTupleUnicode_UnraisableWrite
String ID: strict$z#y#
API String ID: 311804506-2662034392
Opcode ID: 1db957280277213e8634e1e9bf35a161e2a8030f33213582c3943b94ad45a2c4
Instruction ID: 29eb346d8bd4474c1c0d9ceb7c91ce5802d39dd58466aecf9117f08612b47ab3
Opcode Fuzzy Hash: 1db957280277213e8634e1e9bf35a161e2a8030f33213582c3943b94ad45a2c4
Instruction Fuzzy Hash: DA512836A09B8286EB659B19E9462BD63A1FF85FD0F484132DB4E07AF4DF3CE4458700

Function 00007FF8B7E07860 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

PyList_New.PYTHON313 ref: 00007FF8B7E07882
SSL_CTX_get_cert_store.LIBSSL-3 ref: 00007FF8B7E0789B
PyErr_SetString.PYTHON313 ref: 00007FF8B7E078C2
OPENSSL_sk_pop_free.LIBCRYPTO-3 ref: 00007FF8B7E078D2
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E078EB
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E078FF
OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8B7E0790C
OPENSSL_sk_value.LIBCRYPTO-3 ref: 00007FF8B7E0791F
X509_OBJECT_get_type.LIBCRYPTO-3 ref: 00007FF8B7E0792B
X509_OBJECT_get0_X509.LIBCRYPTO-3 ref: 00007FF8B7E07939
X509_check_ca.LIBCRYPTO-3 ref: 00007FF8B7E07945
PyList_Append.PYTHON313 ref: 00007FF8B7E07979
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E07996

Part of subcall function 00007FF8B7E05124: i2d_X509.LIBCRYPTO-3 ref: 00007FF8B7E0513E

OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8B7E079A1
OPENSSL_sk_pop_free.LIBCRYPTO-3 ref: 00007FF8B7E079B9

Strings

failed to query cert store, xrefs: 00007FF8B7E078B8

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Dealloc$L_sk_numL_sk_pop_freeList_X509X509_$AppendErr_L_sk_valueStringT_get0_T_get_typeX509_check_caX_get_cert_storei2d_
String ID: failed to query cert store
API String ID: 188430245-2018196157
Opcode ID: 9f58d72f5043f4a77739f044f7fad408f5277e3bc70f8ede24724514f4ba459f
Instruction ID: 17d8ecd28ebbfd54e37977ed419b5a6fb86648219b271c5c2ae3ccd347c0ad1e
Opcode Fuzzy Hash: 9f58d72f5043f4a77739f044f7fad408f5277e3bc70f8ede24724514f4ba459f
Instruction Fuzzy Hash: F4410821E0CB5385FE58AB2EA85A23D23A0AF89FD5F484434DF0E5A7B4DE3CE4458310

Function 00007FF8B7E048D4 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 83threadCOMMON

Download Yara Rule

APIs

SSL_CTX_set_keylog_callback.LIBSSL-3 ref: 00007FF8B7E048F4
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E04913
PyEval_SaveThread.PYTHON313 ref: 00007FF8B7E04927
BIO_free_all.LIBCRYPTO-3 ref: 00007FF8B7E04933
PyEval_RestoreThread.PYTHON313 ref: 00007FF8B7E0493C
_Py_fopen_obj.PYTHON313 ref: 00007FF8B7E04959
BIO_new_fp.LIBCRYPTO-3 ref: 00007FF8B7E04974
PyErr_SetString.PYTHON313 ref: 00007FF8B7E04992
PyEval_SaveThread.PYTHON313 ref: 00007FF8B7E049A7
BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8B7E049BF
BIO_puts.LIBCRYPTO-3 ref: 00007FF8B7E049D4
BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8B7E049E8
PyEval_RestoreThread.PYTHON313 ref: 00007FF8B7E049F1
SSL_CTX_set_keylog_callback.LIBSSL-3 ref: 00007FF8B7E04A02

Strings

Can't malloc memory for keylog file, xrefs: 00007FF8B7E04987
# TLS secrets log file, generated by OpenSSL / Python, xrefs: 00007FF8B7E049CD

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Eval_Thread$O_ctrlRestoreSaveX_set_keylog_callback$DeallocErr_O_free_allO_new_fpO_putsPy_fopen_objString
String ID: # TLS secrets log file, generated by OpenSSL / Python$Can't malloc memory for keylog file
API String ID: 2661017659-2802485923
Opcode ID: 42a3683c5aa870652923aad6b5c5ef51efa3d8cb7b16485fd5bb64a3a23b1a0a
Instruction ID: f3b350b909ec6131205965ba7432f4ed731b9914bd0e86266f11445b2f3389fd
Opcode Fuzzy Hash: 42a3683c5aa870652923aad6b5c5ef51efa3d8cb7b16485fd5bb64a3a23b1a0a
Instruction Fuzzy Hash: D9410576A08B4286EA58AB29E95666D23A0FF8AFC4F444430DB4E47A74DF3CE4658710

Function 00007FF8B7E059CC Relevance: 27.1, APIs: 18, Instructions: 111COMMON

Download Yara Rule

APIs

X509_get_ext_d2i.LIBCRYPTO-3(00000000,00000000,00000000,00007FF8B7E058D3), ref: 00007FF8B7E059F2
OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8B7E05A03
AUTHORITY_INFO_ACCESS_free.LIBCRYPTO-3 ref: 00007FF8B7E05A10
PyList_New.PYTHON313 ref: 00007FF8B7E05A38
OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8B7E05A4F
OPENSSL_sk_value.LIBCRYPTO-3 ref: 00007FF8B7E05A5E
OBJ_obj2nid.LIBCRYPTO-3 ref: 00007FF8B7E05A6A
PyUnicode_FromStringAndSize.PYTHON313 ref: 00007FF8B7E05A89
PyList_Append.PYTHON313 ref: 00007FF8B7E05AA1
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E05AB8
OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8B7E05AC8
AUTHORITY_INFO_ACCESS_free.LIBCRYPTO-3 ref: 00007FF8B7E05AD5
PyList_Size.PYTHON313 ref: 00007FF8B7E05ADE
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E05AFE
PyList_AsTuple.PYTHON313 ref: 00007FF8B7E05B0C
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E05B23
AUTHORITY_INFO_ACCESS_free.LIBCRYPTO-3 ref: 00007FF8B7E05B34
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E05B4D

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: DeallocList_$L_sk_numS_free$Size$AppendFromJ_obj2nidL_sk_valueStringTupleUnicode_X509_get_ext_d2i
String ID:
API String ID: 230305477-0
Opcode ID: 5f4787f238d784b37eba2f6d2076294fc9d45f18871587789bbf7c08a8189ad0
Instruction ID: d1b6c1513bd4053a7ec27558ab41a89a707be8033949d8b7127188fc4735687b
Opcode Fuzzy Hash: 5f4787f238d784b37eba2f6d2076294fc9d45f18871587789bbf7c08a8189ad0
Instruction Fuzzy Hash: EE41FE21A0DB428AFB586F2AA95663D23A1AF45FD1F084834DF4E477B4EF3CE4558700

Function 00007FF8B7E0C598 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

PyGILState_Ensure.PYTHON313 ref: 00007FF8B7E0C5BC
SSL_get_ex_data.LIBSSL-3 ref: 00007FF8B7E0C5CB
PyUnicode_DecodeUTF8.PYTHON313 ref: 00007FF8B7E0C609
PyErr_Clear.PYTHON313 ref: 00007FF8B7E0C629
PyErr_Occurred.PYTHON313 ref: 00007FF8B7E0C62F
PyErr_WriteUnraisable.PYTHON313 ref: 00007FF8B7E0C63D
PyGILState_Release.PYTHON313 ref: 00007FF8B7E0C645
PyObject_CallFunctionObjArgs.PYTHON313 ref: 00007FF8B7E0C66F
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0C686
PyBytes_AsStringAndSize.PYTHON313 ref: 00007FF8B7E0C69E
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0C6BA
memcpy.VCRUNTIME140 ref: 00007FF8B7E0C6D7
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0C6EA
PyGILState_Release.PYTHON313 ref: 00007FF8B7E0C6F2

Strings

strict, xrefs: 00007FF8B7E0C5FF

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: DeallocErr_State_$Release$ArgsBytes_CallClearDecodeEnsureFunctionL_get_ex_dataObject_OccurredSizeStringUnicode_UnraisableWritememcpy
String ID: strict
API String ID: 2715601981-2947452218
Opcode ID: af8754b6a7bd68e6efc654d07af751e36593f3bbb5de335a690df0e86b8cdc0c
Instruction ID: 69d97ec402366625b91eba6bdc64c8c031cbe8606d8e53faccd6227c05e765b8
Opcode Fuzzy Hash: af8754b6a7bd68e6efc654d07af751e36593f3bbb5de335a690df0e86b8cdc0c
Instruction Fuzzy Hash: 39414E75A08B9286FB65AF29B9162BD63A1AF54FD0F086132DB0E066F4DF3CE4418701

Function 00007FF8B7E07694 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 74COMMON

Download Yara Rule

APIs

SSL_CTX_get_cert_store.LIBSSL-3 ref: 00007FF8B7E076BF

Part of subcall function 00007FF8B7E04844: X509_STORE_lock.LIBCRYPTO-3 ref: 00007FF8B7E04851

PyErr_SetString.PYTHON313 ref: 00007FF8B7E076E6
OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8B7E076F8
OPENSSL_sk_value.LIBCRYPTO-3 ref: 00007FF8B7E07707
X509_OBJECT_get_type.LIBCRYPTO-3 ref: 00007FF8B7E07713
OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8B7E07747
OPENSSL_sk_pop_free.LIBCRYPTO-3 ref: 00007FF8B7E0775B
Py_BuildValue.PYTHON313 ref: 00007FF8B7E0778D

Strings

failed to query cert store, xrefs: 00007FF8B7E076DC
{sisisi}, xrefs: 00007FF8B7E07786
x509_ca, xrefs: 00007FF8B7E07761
x509, xrefs: 00007FF8B7E0777F
crl, xrefs: 00007FF8B7E07771

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: L_sk_numX509_$BuildE_lockErr_L_sk_pop_freeL_sk_valueStringT_get_typeValueX_get_cert_store
String ID: crl$failed to query cert store$x509$x509_ca${sisisi}
API String ID: 2783361091-466295505
Opcode ID: 210b12b46044572f4f71ec99b46b66d010804930581be482105c05b28423a3dc
Instruction ID: 86bfc04bfcef634054f61891dd548fd56688f2a0853b3af0ea6d0fcfa770dff4
Opcode Fuzzy Hash: 210b12b46044572f4f71ec99b46b66d010804930581be482105c05b28423a3dc
Instruction Fuzzy Hash: CB314525A08B4385EA14AF2EA85A13E67A0FF84FC5F480435DF4E97774DE3CE4858740

Function 00007FF8B7E068DC Relevance: 26.3, APIs: 11, Strings: 4, Instructions: 73COMMON

Download Yara Rule

APIs

PyType_GetModuleState.PYTHON313 ref: 00007FF8B7E068F9
BIO_s_mem.LIBCRYPTO-3 ref: 00007FF8B7E06902
BIO_new.LIBCRYPTO-3 ref: 00007FF8B7E0690B
PyErr_SetString.PYTHON313 ref: 00007FF8B7E06924
PyErr_SetString.PYTHON313 ref: 00007FF8B7E06956
BIO_free.LIBCRYPTO-3 ref: 00007FF8B7E0695F
PEM_write_bio_X509_AUX.LIBCRYPTO-3 ref: 00007FF8B7E0696E
i2d_X509_bio.LIBCRYPTO-3 ref: 00007FF8B7E0697D

Part of subcall function 00007FF8B7E04BD8: BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8B7E04BFA
Part of subcall function 00007FF8B7E04BD8: PyUnicode_DecodeUTF8.PYTHON313 ref: 00007FF8B7E04C14

BIO_free.LIBCRYPTO-3 ref: 00007FF8B7E0699A

Part of subcall function 00007FF8B7E06750: ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B7E06768
Part of subcall function 00007FF8B7E06750: ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B7E06791

BIO_free.LIBCRYPTO-3 ref: 00007FF8B7E069DB

Strings

Unsupported format, xrefs: 00007FF8B7E0694C
failed to allocate BIO, xrefs: 00007FF8B7E0691D
error, xrefs: 00007FF8B7E069C9
i, xrefs: 00007FF8B7E069A3

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: O_free$Err_String$DecodeM_write_bio_ModuleO_ctrlO_newO_s_memR_clear_errorR_peek_last_errorStateType_Unicode_X509_X509_bioi2d_
String ID: Unsupported format$error$failed to allocate BIO$i
API String ID: 629801032-3389475273
Opcode ID: 69a0675d22238ffb3857046effb7112bb3342cfa8d73a8e49b98f56abdce4b24
Instruction ID: 3bd830d49567151bc131e84c1c3056e4a7c9a74803b2c1eab1208944ebee8610
Opcode Fuzzy Hash: 69a0675d22238ffb3857046effb7112bb3342cfa8d73a8e49b98f56abdce4b24
Instruction Fuzzy Hash: A531E965A08B4386EA64AB2EA81613D6361FF89FC4F989475DB4F07B78DF3CE4458700

Function 00007FF8B7E02724 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 67COMMON

Download Yara Rule

APIs

OpenSSL_version_num.LIBCRYPTO-3 ref: 00007FF8B7E02736
PyLong_FromUnsignedLong.PYTHON313 ref: 00007FF8B7E02740
PyModule_Add.PYTHON313 ref: 00007FF8B7E02753
Py_BuildValue.PYTHON313 ref: 00007FF8B7E02791
PyModule_Add.PYTHON313 ref: 00007FF8B7E027A4
OpenSSL_version.LIBCRYPTO-3 ref: 00007FF8B7E027B0
PyUnicode_FromString.PYTHON313 ref: 00007FF8B7E027B9
PyModule_Add.PYTHON313 ref: 00007FF8B7E027CC
Py_BuildValue.PYTHON313 ref: 00007FF8B7E027F2
PyModule_Add.PYTHON313 ref: 00007FF8B7E02805

Strings

IIIII, xrefs: 00007FF8B7E0277A, 00007FF8B7E027EB
OPENSSL_VERSION_NUMBER, xrefs: 00007FF8B7E02746
OPENSSL_VERSION_INFO, xrefs: 00007FF8B7E02797
OPENSSL_VERSION, xrefs: 00007FF8B7E027BF
_OPENSSL_API_VERSION, xrefs: 00007FF8B7E027F8

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Module_$BuildFromOpenValue$L_versionL_version_numLongLong_StringUnicode_Unsigned
String ID: IIIII$OPENSSL_VERSION$OPENSSL_VERSION_INFO$OPENSSL_VERSION_NUMBER$_OPENSSL_API_VERSION
API String ID: 2199365590-595941748
Opcode ID: 5d847c3aa5937299440ca4f194db71bda3ca08f796674df5844a2f2570db2675
Instruction ID: 578b4ebbe87f9a9a73268aa7f5f0c03ec79dbbe6c138f0ca2624a1da01668658
Opcode Fuzzy Hash: 5d847c3aa5937299440ca4f194db71bda3ca08f796674df5844a2f2570db2675
Instruction Fuzzy Hash: EC218D61F1875386FB109BA9F85656D27A4BF85FC4B840535CB0E8BAB4EE3CE1598700

Function 00007FF8B7E040A0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 140COMMON

Download Yara Rule

APIs

ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B7E040D3
ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B7E04167
PyErr_SetFromWindowsErr.PYTHON313 ref: 00007FF8B7E04173
ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B7E04290

Strings

Invalid error code, xrefs: 00007FF8B7E04130
The operation did not complete (read), xrefs: 00007FF8B7E04201
The operation did not complete (connect), xrefs: 00007FF8B7E04141
The operation did not complete (X509 lookup), xrefs: 00007FF8B7E041DF
The operation did not complete (write), xrefs: 00007FF8B7E041EF
A failure in the SSL library occurred, xrefs: 00007FF8B7E04212
EOF occurred in violation of protocol, xrefs: 00007FF8B7E0425F
TLS/SSL connection has been closed (EOF), xrefs: 00007FF8B7E04151

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: R_clear_error$Err_FromR_peek_last_errorWindows
String ID: A failure in the SSL library occurred$EOF occurred in violation of protocol$Invalid error code$TLS/SSL connection has been closed (EOF)$The operation did not complete (X509 lookup)$The operation did not complete (connect)$The operation did not complete (read)$The operation did not complete (write)
API String ID: 3217158973-1267225647
Opcode ID: 747eecee00842421dbf085f5fa030deca4485e5e0271aaf1937855ad2a4ce953
Instruction ID: ab4ac370d4969ea5a225fb69edea635fcf8cb0c4cd36feadd02949dd1469b911
Opcode Fuzzy Hash: 747eecee00842421dbf085f5fa030deca4485e5e0271aaf1937855ad2a4ce953
Instruction Fuzzy Hash: 52514A32B0874686EA508F29A90627E2662FF8AFD4F690131DB4D537B4CE3DE9458350

Function 00007FF8B7E0A608 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 103COMMON

Download Yara Rule

APIs

a2i_IPADDRESS.LIBCRYPTO-3(?,?,?,?,?,00007FF8B7E0C197,?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0A64D
ERR_clear_error.LIBCRYPTO-3(?,?,?,?,?,00007FF8B7E0C197,?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0A65B
PyUnicode_Decode.PYTHON313(?,?,?,?,?,00007FF8B7E0C197,?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0A675
SSL_ctrl.LIBSSL-3(?,?,?,?,?,00007FF8B7E0C197,?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0A69A
SSL_get0_param.LIBSSL-3(?,?,?,?,?,00007FF8B7E0C197,?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0A6D1
X509_VERIFY_PARAM_set1_host.LIBCRYPTO-3(?,?,?,?,?,00007FF8B7E0C197,?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0A6F2
ASN1_STRING_length.LIBCRYPTO-3(?,?,?,?,?,00007FF8B7E0C197,?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0A709
ASN1_STRING_get0_data.LIBCRYPTO-3(?,?,?,?,?,00007FF8B7E0C197,?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0A715
X509_VERIFY_PARAM_set1_ip.LIBCRYPTO-3(?,?,?,?,?,00007FF8B7E0C197,?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0A724
ASN1_OCTET_STRING_free.LIBCRYPTO-3(?,?,?,?,?,00007FF8B7E0C197,?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0A754
PyErr_SetString.PYTHON313(?,?,?,?,?,00007FF8B7E0C197,?,?,00007FF8A8E161F0,?,?,?,00000000,00007FF8B7E07459), ref: 00007FF8B7E0A76D

Strings

server_hostname cannot be an empty string or start with a leading dot., xrefs: 00007FF8B7E0A763
strict, xrefs: 00007FF8B7E0A661
ascii, xrefs: 00007FF8B7E0A66B

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: X509_$DecodeErr_G_freeG_get0_dataG_lengthL_ctrlL_get0_paramM_set1_hostM_set1_ipR_clear_errorStringUnicode_a2i_
String ID: ascii$server_hostname cannot be an empty string or start with a leading dot.$strict
API String ID: 2286705765-138613600
Opcode ID: 1ea829d55e4375760725cbdb57b3cee05c0c2d1ad15e14c1cda70ebc659e97dd
Instruction ID: f67ad3b94638a743ed238a9e7b6989a4dd6319ce2184a336722382085f023098
Opcode Fuzzy Hash: 1ea829d55e4375760725cbdb57b3cee05c0c2d1ad15e14c1cda70ebc659e97dd
Instruction Fuzzy Hash: 00412925A0CB4686EA659F2AA41A23D77A1FF88FD4F088535CB4E47BB0DF7CE4458700

Function 00007FF8B7E04C94 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

PyGILState_Ensure.PYTHON313 ref: 00007FF8B7E04CB2
SSL_get_ex_data.LIBSSL-3 ref: 00007FF8B7E04CBF
PyEval_SaveThread.PYTHON313 ref: 00007FF8B7E04CE2
PyThread_acquire_lock.PYTHON313 ref: 00007FF8B7E04CF3
BIO_printf.LIBCRYPTO-3 ref: 00007FF8B7E04D0B
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B7E04D13
BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8B7E04D2E
PyThread_release_lock.PYTHON313 ref: 00007FF8B7E04D37
PyEval_RestoreThread.PYTHON313 ref: 00007FF8B7E04D40
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B7E04D4B
PyErr_SetFromErrnoWithFilenameObject.PYTHON313 ref: 00007FF8B7E04D66
PyErr_GetRaisedException.PYTHON313 ref: 00007FF8B7E04D6C
PyGILState_Release.PYTHON313 ref: 00007FF8B7E04D78

Strings

%s, xrefs: 00007FF8B7E04CFD

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Err_Eval_State_Thread_errno$EnsureErrnoExceptionFilenameFromL_get_ex_dataO_ctrlO_printfObjectRaisedReleaseRestoreSaveThread_acquire_lockThread_release_lockWith
String ID: %s
API String ID: 1935682029-620797490
Opcode ID: 4d49ce8044cdadc09d0cdf434700ec7917c011ea5cb55485322d916b8af290bf
Instruction ID: 8bdf26761c69361cb46c7c5ee65dbea92ad80573d7fac782749b2fc96fd3c505
Opcode Fuzzy Hash: 4d49ce8044cdadc09d0cdf434700ec7917c011ea5cb55485322d916b8af290bf
Instruction Fuzzy Hash: 0321F636A08B4286E664AB6AE85522D3761FF89FD0F444531DF4E43B35DF3CE4458700

Function 00007FF8B7E0A520 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 65COMMON

Download Yara Rule

APIs

PyModule_GetState.PYTHON313(?,?,?,00007FF8B7E0A50D), ref: 00007FF8B7E0A538
BIO_s_file.LIBCRYPTO-3(?,?,?,00007FF8B7E0A50D), ref: 00007FF8B7E0A541
BIO_new.LIBCRYPTO-3(?,?,?,00007FF8B7E0A50D), ref: 00007FF8B7E0A54A
PyErr_SetString.PYTHON313(?,?,?,00007FF8B7E0A50D), ref: 00007FF8B7E0A563
PyBytes_AsString.PYTHON313(?,?,?,00007FF8B7E0A50D), ref: 00007FF8B7E0A56E
BIO_ctrl.LIBCRYPTO-3(?,?,?,00007FF8B7E0A50D), ref: 00007FF8B7E0A583
PEM_read_bio_X509.LIBCRYPTO-3(?,?,?,00007FF8B7E0A50D), ref: 00007FF8B7E0A5A1
X509_free.LIBCRYPTO-3(?,?,?,00007FF8B7E0A50D), ref: 00007FF8B7E0A5C9
_Py_Dealloc.PYTHON313(?,?,?,00007FF8B7E0A50D), ref: 00007FF8B7E0A5DD
BIO_free.LIBCRYPTO-3(?,?,?,00007FF8B7E0A50D), ref: 00007FF8B7E0A5EB

Strings

Can't open file, xrefs: 00007FF8B7E0A58D
Can't malloc memory to read file, xrefs: 00007FF8B7E0A558
Error decoding PEM-encoded file, xrefs: 00007FF8B7E0A5AF

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: String$Bytes_DeallocErr_M_read_bio_Module_O_ctrlO_freeO_newO_s_fileStateX509X509_free
String ID: Can't malloc memory to read file$Can't open file$Error decoding PEM-encoded file
API String ID: 2561677103-2145957498
Opcode ID: 4cff0949277391f5e37073a80afc428d94399d267755797670cbf992b078d810
Instruction ID: c39c2657c7b252821ca965a27a4474517413cd79c99f50bdcaa27cf31a7a557d
Opcode Fuzzy Hash: 4cff0949277391f5e37073a80afc428d94399d267755797670cbf992b078d810
Instruction Fuzzy Hash: 66212921A0DB4686FA29AB6EA95A27D67A1BF49FD1F444030DF0E07B74EE3CE4458700

Function 00007FF8B7E01000 Relevance: 21.1, APIs: 14, Instructions: 117COMMON

Download Yara Rule

APIs

PyModule_GetState.PYTHON313 ref: 00007FF8B7E01012
PyDict_New.PYTHON313 ref: 00007FF8B7E0101B
PyDict_New.PYTHON313 ref: 00007FF8B7E0102E
PyUnicode_FromString.PYTHON313 ref: 00007FF8B7E01063
Py_BuildValue.PYTHON313 ref: 00007FF8B7E01082
PyDict_SetItem.PYTHON313 ref: 00007FF8B7E0109E
PyLong_FromLong.PYTHON313 ref: 00007FF8B7E010F3
PyUnicode_FromString.PYTHON313 ref: 00007FF8B7E010FF
PyDict_SetItem.PYTHON313 ref: 00007FF8B7E0111C
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E039FB
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E03A2C

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Dict_$From$DeallocItemStringUnicode_$BuildLongLong_Module_StateValue
String ID:
API String ID: 4070576976-0
Opcode ID: 2f580570dadecae92c3f8d5133122cd99a9884c04237f7c08c2005058d65d428
Instruction ID: 9e396bf90155073b0f4582c332dd5d9cec127534ccea8f8050e5f54cca93d3ef
Opcode Fuzzy Hash: 2f580570dadecae92c3f8d5133122cd99a9884c04237f7c08c2005058d65d428
Instruction Fuzzy Hash: DD41E835A09B4386FB69AF19A85637D22A4BF4AFC5F084434DB4D4A7B5EF3CA4548340

Function 00007FF8B7E05B5C Relevance: 21.1, APIs: 14, Instructions: 101COMMON

Download Yara Rule

APIs

X509_get_ext_d2i.LIBCRYPTO-3(?,?,00000000,00007FF8B7E05974), ref: 00007FF8B7E05B83
PyList_New.PYTHON313(?,?,00000000,00007FF8B7E05974), ref: 00007FF8B7E05B9F
OPENSSL_sk_num.LIBCRYPTO-3(?,?,00000000,00007FF8B7E05974), ref: 00007FF8B7E05BB7
OPENSSL_sk_value.LIBCRYPTO-3(?,?,00000000,00007FF8B7E05974), ref: 00007FF8B7E05BCB
OPENSSL_sk_num.LIBCRYPTO-3(?,?,00000000,00007FF8B7E05974), ref: 00007FF8B7E05BE3
OPENSSL_sk_value.LIBCRYPTO-3(?,?,00000000,00007FF8B7E05974), ref: 00007FF8B7E05BF3
PyUnicode_FromStringAndSize.PYTHON313(?,?,00000000,00007FF8B7E05974), ref: 00007FF8B7E05C09
PyList_Append.PYTHON313(?,?,00000000,00007FF8B7E05974), ref: 00007FF8B7E05C1D
_Py_Dealloc.PYTHON313(?,?,00000000,00007FF8B7E05974), ref: 00007FF8B7E05C33
OPENSSL_sk_num.LIBCRYPTO-3(?,?,00000000,00007FF8B7E05974), ref: 00007FF8B7E05C44
OPENSSL_sk_num.LIBCRYPTO-3(?,?,00000000,00007FF8B7E05974), ref: 00007FF8B7E05C55
PyList_AsTuple.PYTHON313(?,?,00000000,00007FF8B7E05974), ref: 00007FF8B7E05C6D
_Py_Dealloc.PYTHON313(?,?,00000000,00007FF8B7E05974), ref: 00007FF8B7E05C8D
CRL_DIST_POINTS_free.LIBCRYPTO-3(?,?,00000000,00007FF8B7E05974), ref: 00007FF8B7E05C96

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: L_sk_num$List_$DeallocL_sk_value$AppendFromS_freeSizeStringTupleUnicode_X509_get_ext_d2i
String ID:
API String ID: 3668485020-0
Opcode ID: d903ec9832bbd2f6dd33dbfaa78e45da9855e2f592df6336c9e26f94e30de93d
Instruction ID: a8ed0a4c75e1fefbdfee38d145cfcbdf0b89c068e86b10566d5c0fe8ca1bd002
Opcode Fuzzy Hash: d903ec9832bbd2f6dd33dbfaa78e45da9855e2f592df6336c9e26f94e30de93d
Instruction Fuzzy Hash: 04410931A09B4689FA58AF2AA99693D23A1BF84FD5F484439DF0F467B4DF3CE4418710

Function 00007FF8B7E0B0D8 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

i2d_SSL_SESSION.LIBSSL-3(?,?,?,00007FF8B7E04441), ref: 00007FF8B7E0B0FD
PyMem_Malloc.PYTHON313(?,?,?,00007FF8B7E04441), ref: 00007FF8B7E0B11D
PyErr_NoMemory.PYTHON313(?,?,?,00007FF8B7E04441), ref: 00007FF8B7E0B12B
PyErr_SetString.PYTHON313(?,?,?,00007FF8B7E04441), ref: 00007FF8B7E0B1B4

Strings

i2d() failed, xrefs: 00007FF8B7E0B14D, 00007FF8B7E0B1A3
d2i() failed, xrefs: 00007FF8B7E0B173
Invalid session, xrefs: 00007FF8B7E0B0EF

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Err_$MallocMem_MemoryStringi2d_
String ID: Invalid session$d2i() failed$i2d() failed
API String ID: 982646903-2456513230
Opcode ID: 33a7dc787c36e9b63cca3cdc2e92e7e5f0dba77eab5b34a57bf372c5a7e5040c
Instruction ID: b932f8fa4821c26cd0e2287ade33ed252c41af6bbb428eb1e70be7a9b3d068ba
Opcode Fuzzy Hash: 33a7dc787c36e9b63cca3cdc2e92e7e5f0dba77eab5b34a57bf372c5a7e5040c
Instruction Fuzzy Hash: 3F21E625A1DB4281FA68AB1EE89613E63B2FF88FD0B545435DB4E47A74EF3CE4458700

Function 00007FF8B7E03FC8 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON313 ref: 00007FF8B7E03FF2
PyBytes_FromStringAndSize.PYTHON313 ref: 00007FF8B7E04002
RAND_bytes.LIBCRYPTO-3 ref: 00007FF8B7E04016

Strings

(ks), xrefs: 00007FF8B7E0404C
num must be positive, xrefs: 00007FF8B7E03FE8

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: String$Bytes_D_bytesErr_FromSize
String ID: (ks)$num must be positive
API String ID: 574210595-3708576348
Opcode ID: b7e4ef26f4134154d151b764a8479846e705c9ca53a204c3a9fce73e237e3f66
Instruction ID: ebc0e5fe6bbfb6292e57b60bb6ce4c7d7ae1adade0c9a7f3eb40e6ac2ab9adbf
Opcode Fuzzy Hash: b7e4ef26f4134154d151b764a8479846e705c9ca53a204c3a9fce73e237e3f66
Instruction Fuzzy Hash: D3214F21E08B5286FB58AF29EA5613D23A0BF8AFD9F044434CB4E967B4DF7DE4458301

Function 00007FF8B7E0C2AC Relevance: 19.6, APIs: 13, Instructions: 86encryptionCOMMON

Download Yara Rule

APIs

CertGetEnhancedKeyUsage.CRYPT32 ref: 00007FF8B7E0C2CB
PyMem_Malloc.PYTHON313(?,00007FF8B7E0A923), ref: 00007FF8B7E0C2D9
PyErr_NoMemory.PYTHON313(?,00007FF8B7E0A923), ref: 00007FF8B7E0C2E7
CertGetEnhancedKeyUsage.CRYPT32 ref: 00007FF8B7E0C30C
PyMem_Free.PYTHON313(?,00007FF8B7E0A923), ref: 00007FF8B7E0C319
GetLastError.KERNEL32(?,00007FF8B7E0A923), ref: 00007FF8B7E0C31F
PyFrozenSet_New.PYTHON313(?,00007FF8B7E0A923), ref: 00007FF8B7E0C33A
PyUnicode_FromString.PYTHON313(?,00007FF8B7E0A923), ref: 00007FF8B7E0C35B
PySet_Add.PYTHON313(?,00007FF8B7E0A923), ref: 00007FF8B7E0C36F
_Py_Dealloc.PYTHON313(?,00007FF8B7E0A923), ref: 00007FF8B7E0C386
PyMem_Free.PYTHON313(?,00007FF8B7E0A923), ref: 00007FF8B7E0C3B2

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Mem_$CertEnhancedFreeSet_Usage$DeallocErr_ErrorFromFrozenLastMallocMemoryStringUnicode_
String ID:
API String ID: 2458427691-0
Opcode ID: 2cd6634cda7950ea608b26807c57f45d5ce5584d3dae50a6d6ae09d557c1b1f0
Instruction ID: d277e9581ffeaa53c4730c3cac39ea60e3a130609de4a53aa1ac09f47dd344bf
Opcode Fuzzy Hash: 2cd6634cda7950ea608b26807c57f45d5ce5584d3dae50a6d6ae09d557c1b1f0
Instruction Fuzzy Hash: 97314D21A19B4286FB54AF6EA80617D63A0BF89FD5F084476CB4E027F0DE3CE4468310

Function 00007FF8A92D19EC Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8A932E5F0
OPENSSL_sk_value.LIBCRYPTO-3 ref: 00007FF8A932E62B
ERR_new.LIBCRYPTO-3 ref: 00007FF8A932E654
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A932E66C

Strings

..\s\ssl\statem\extensions_srvr.c, xrefs: 00007FF8A932E665, 00007FF8A932E6FD, 00007FF8A932E725
tls_parse_ctos_use_srtp, xrefs: 00007FF8A932E659, 00007FF8A932E6B5, 00007FF8A932E6F1, 00007FF8A932E719

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: L_sk_numL_sk_valueR_newR_set_debug
String ID: ..\s\ssl\statem\extensions_srvr.c$tls_parse_ctos_use_srtp
API String ID: 2660725122-2269544924
Opcode ID: 596797ce5974bdd948c3c6290542a7b9493a0efd42c17216aafb9146e75077b5
Instruction ID: ccb2982223bccf2af931f4ff3efe53991f2971125c37d8fef00c349ae7ade2c2
Opcode Fuzzy Hash: 596797ce5974bdd948c3c6290542a7b9493a0efd42c17216aafb9146e75077b5
Instruction Fuzzy Hash: DC51E372A0EED2A1E724DF51E4452BA73B9EF947D0F469132EA6C87B85DE3CE4408700

Function 00007FF8B7E04D98 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

PyGILState_Ensure.PYTHON313 ref: 00007FF8B7E04DBB
SSL_get_ex_data.LIBSSL-3 ref: 00007FF8B7E04DCE
PyWeakref_GetRef.PYTHON313 ref: 00007FF8B7E04E00
PyObject_CallFunction.PYTHON313 ref: 00007FF8B7E04EA3
PyErr_GetRaisedException.PYTHON313 ref: 00007FF8B7E04EB1
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E04EC8
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E04EE6
PyGILState_Release.PYTHON313 ref: 00007FF8B7E04EEF

Strings

Osiiiy#, xrefs: 00007FF8B7E04E94
write, xrefs: 00007FF8B7E04E6C
read, xrefs: 00007FF8B7E04E5D

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: DeallocState_$CallEnsureErr_ExceptionFunctionL_get_ex_dataObject_RaisedReleaseWeakref_
String ID: Osiiiy#$read$write
API String ID: 2599993526-708132800
Opcode ID: fcf4876ca1440b85ffa8ebe9e414243a16b4576460f3782f7e1249d237f64eba
Instruction ID: 39cee090221974e0db02022a613e30c359216d43a0bbbfdecfc4bcb48f555f0f
Opcode Fuzzy Hash: fcf4876ca1440b85ffa8ebe9e414243a16b4576460f3782f7e1249d237f64eba
Instruction Fuzzy Hash: 7E418A36908B8286E6699F29A91527D77A0FF86F80F044136DB4E87BB4CF3CE4428710

Function 00007FF8B7E0C7B8 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 97COMMON

Download Yara Rule

APIs

PyArg_Parse.PYTHON313 ref: 00007FF8B7E0C7EB
PyErr_SetString.PYTHON313 ref: 00007FF8B7E0C81D
PyErr_Format.PYTHON313 ref: 00007FF8B7E0C887
PyErr_WarnEx.PYTHON313 ref: 00007FF8B7E0C8B5
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B7E0C915

Strings

The context's protocol doesn't support modification of highest and lowest version., xrefs: 00007FF8B7E0C813
ssl.TLSVersion.TLSv1_1 is deprecated, xrefs: 00007FF8B7E0C88F
Unsupported TLS/SSL version 0x%x, xrefs: 00007FF8B7E0C876
ssl.TLSVersion.TLSv1 is deprecated, xrefs: 00007FF8B7E0C898
Unsupported protocol version 0x%x, xrefs: 00007FF8B7E0C924
ssl.TLSVersion.SSLv3 is deprecated, xrefs: 00007FF8B7E0C8A1

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Err_$Arg_FormatParseStringWarnX_ctrl
String ID: The context's protocol doesn't support modification of highest and lowest version.$Unsupported TLS/SSL version 0x%x$Unsupported protocol version 0x%x$ssl.TLSVersion.SSLv3 is deprecated$ssl.TLSVersion.TLSv1 is deprecated$ssl.TLSVersion.TLSv1_1 is deprecated
API String ID: 3279334173-3879554506
Opcode ID: 91ac4c308643b8c7215cc0744572f8430fb83311e0c191197f64f9fa85b5f0ab
Instruction ID: 1ba7641bc7d7b175b05d408d6332c967de4926f94aeff6f7692fe57e0d1dde93
Opcode Fuzzy Hash: 91ac4c308643b8c7215cc0744572f8430fb83311e0c191197f64f9fa85b5f0ab
Instruction Fuzzy Hash: EB417C21B1C71285FAB18B1DD8569BD2260AF45FC0F645132CB1E4AEF4CE2EF9858B14

Function 00007FF8B7E06374 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

PyUnicode_AsUTF8String.PYTHON313(?,?,?,00007FF8B7E062E0), ref: 00007FF8B7E063A4
PyErr_Format.PYTHON313(?,?,?,00007FF8B7E062E0), ref: 00007FF8B7E06419
PyMem_Free.PYTHON313(?,?,?,00007FF8B7E062E0), ref: 00007FF8B7E06425
PyMem_Malloc.PYTHON313(?,?,?,00007FF8B7E062E0), ref: 00007FF8B7E0642E
PyErr_SetString.PYTHON313(?,?,?,00007FF8B7E062E0), ref: 00007FF8B7E0644E
_Py_Dealloc.PYTHON313(?,?,?,00007FF8B7E062E0), ref: 00007FF8B7E06467
memcpy.VCRUNTIME140(?,?,?,00007FF8B7E062E0), ref: 00007FF8B7E06478
_Py_Dealloc.PYTHON313(?,?,?,00007FF8B7E062E0), ref: 00007FF8B7E06494
PyErr_SetString.PYTHON313(?,?,?,00007FF8B7E062E0), ref: 00007FF8B7E064AE

Strings

password cannot be longer than %d bytes, xrefs: 00007FF8B7E0640F
unable to allocate password buffer, xrefs: 00007FF8B7E06444

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Err_String$DeallocMem_$FormatFreeMallocUnicode_memcpy
String ID: password cannot be longer than %d bytes$unable to allocate password buffer
API String ID: 1570515377-2395793021
Opcode ID: a0670d9b12e7f607e22c3cafcb4cfb255c0c9d6039909e018bc8a60c94961bbe
Instruction ID: 557413512b9b90f13060f20bcac0f1d5fb99481023d9ad6fac6b03850f2faa07
Opcode Fuzzy Hash: a0670d9b12e7f607e22c3cafcb4cfb255c0c9d6039909e018bc8a60c94961bbe
Instruction Fuzzy Hash: 0C41D622A08B5285EA68AF1EE94627D63A1FF88FD4F185431CB4E47BB5DF3CE4458341

Function 00007FF8B7E08268 Relevance: 18.1, APIs: 12, Instructions: 71threadCOMMON

Download Yara Rule

APIs

_Py_fopen_obj.PYTHON313 ref: 00007FF8B7E08291
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B7E0829F
PyEval_SaveThread.PYTHON313 ref: 00007FF8B7E082A8
PEM_read_DHparams.LIBCRYPTO-3 ref: 00007FF8B7E082BC
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF8B7E082C8
PyEval_RestoreThread.PYTHON313 ref: 00007FF8B7E082D1
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B7E082DC
PyErr_SetFromErrnoWithFilenameObject.PYTHON313 ref: 00007FF8B7E082F3
ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B7E082F9
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B7E08342
DH_free.LIBCRYPTO-3 ref: 00007FF8B7E0834F
DH_free.LIBCRYPTO-3 ref: 00007FF8B7E0836D

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Eval_H_freeThread_errno$Err_ErrnoFilenameFromHparamsM_read_ObjectPy_fopen_objR_clear_errorRestoreSaveWithX_ctrlfclose
String ID:
API String ID: 1346594628-0
Opcode ID: afa238874eb3aa792ad155579ee5bdd9c70baf79b46d895c036ba73493ed3cf6
Instruction ID: f3da4115c65e326209776afbe48b3abcec70dd2115094d2ad72730d9a4ffc470
Opcode Fuzzy Hash: afa238874eb3aa792ad155579ee5bdd9c70baf79b46d895c036ba73493ed3cf6
Instruction Fuzzy Hash: 62311421A18B528AEB14AB6AE81A52D73A1FF88FC4F484430CB8E53B74DF7CE445C700

Function 00007FF8A930D940 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129COMMON

Download Yara Rule

APIs

BIO_indent.LIBCRYPTO-3(?,?,?,?,?,?,?,?,?,?,?,?,00007FF8A930B3DE), ref: 00007FF8A930D9AA
BIO_printf.LIBCRYPTO-3(?,?,?,?,?,?,?,?,?,?,?,?,00007FF8A930B3DE), ref: 00007FF8A930D9EE
BIO_indent.LIBCRYPTO-3(?,?,?,?,?,?,?,?,?,?,?,?,00007FF8A930B3DE), ref: 00007FF8A930DA45
BIO_printf.LIBCRYPTO-3(?,?,?,?,?,?,?,?,?,?,?,?,00007FF8A930B3DE), ref: 00007FF8A930DA9E

Strings

message_seq=%d, fragment_offset=%d, fragment_length=%d, xrefs: 00007FF8A930DA4F
Unsupported, hex dump follows:, xrefs: 00007FF8A930DE0E
%s, Length=%d, xrefs: 00007FF8A930D9E4
UNKNOWN, xrefs: 00007FF8A930D9C0

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: O_indentO_printf
String ID: %s, Length=%d$UNKNOWN$Unsupported, hex dump follows:$message_seq=%d, fragment_offset=%d, fragment_length=%d
API String ID: 1860387303-4198474627
Opcode ID: 00e9932da776b3127d22320f56702510f9e0bd9a21b70bd70010253a5591cf38
Instruction ID: 28f21e862a586111130a1c06d32dca03f58feb64213a117567c0587bcbf04dc3
Opcode Fuzzy Hash: 00e9932da776b3127d22320f56702510f9e0bd9a21b70bd70010253a5591cf38
Instruction Fuzzy Hash: 3451EF6270DAE056E624CF2AA844A6E7FE1EB817D1F009135EEA987BD6CE3CD141C700

Function 00007FF8A92DBA10 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A92DBA42
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92DBA5A
BIO_write.LIBCRYPTO-3 ref: 00007FF8A92DBA89
ERR_new.LIBCRYPTO-3 ref: 00007FF8A92DBA9A
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92DBAB2
EVP_DigestUpdate.LIBCRYPTO-3 ref: 00007FF8A92DBADA
ERR_new.LIBCRYPTO-3 ref: 00007FF8A92DBAE3
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92DBAFB

Strings

ssl3_finish_mac, xrefs: 00007FF8A92DBA47, 00007FF8A92DBA9F, 00007FF8A92DBAE8
..\s\ssl\s3_enc.c, xrefs: 00007FF8A92DBA53, 00007FF8A92DBAAB, 00007FF8A92DBAF4

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debug$DigestO_writeUpdate
String ID: ..\s\ssl\s3_enc.c$ssl3_finish_mac
API String ID: 756221159-923099695
Opcode ID: e7e8f1775868c55204083d9648218276ed60c871b44cc4ebedb819f1fc2cfdbd
Instruction ID: da873cf1201016ea17cd7194649612018792c1c5359577054f371e012911eaec
Opcode Fuzzy Hash: e7e8f1775868c55204083d9648218276ed60c871b44cc4ebedb819f1fc2cfdbd
Instruction Fuzzy Hash: 66217420F1D8C269F794AB51FA517FA02A4DFC87C0F842031E92DC6AD6DE5CE5818740

Function 00007FF8B7E0628C Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 63threadCOMMON

Download Yara Rule

APIs

PyEval_RestoreThread.PYTHON313 ref: 00007FF8B7E062AB
PyObject_CallNoArgs.PYTHON313 ref: 00007FF8B7E062C0

Part of subcall function 00007FF8B7E06374: PyUnicode_AsUTF8String.PYTHON313(?,?,?,00007FF8B7E062E0), ref: 00007FF8B7E063A4
Part of subcall function 00007FF8B7E06374: PyErr_Format.PYTHON313(?,?,?,00007FF8B7E062E0), ref: 00007FF8B7E06419
Part of subcall function 00007FF8B7E06374: _Py_Dealloc.PYTHON313(?,?,?,00007FF8B7E062E0), ref: 00007FF8B7E06467

_Py_Dealloc.PYTHON313 ref: 00007FF8B7E062F2
PyErr_Format.PYTHON313 ref: 00007FF8B7E06311
PyEval_SaveThread.PYTHON313 ref: 00007FF8B7E06317
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0634D
PyEval_SaveThread.PYTHON313 ref: 00007FF8B7E06355
memcpy.VCRUNTIME140 ref: 00007FF8B7E06369

Strings

password cannot be longer than %d bytes, xrefs: 00007FF8B7E06304
password callback must return a string, xrefs: 00007FF8B7E062CE

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: DeallocEval_Thread$Err_FormatSave$ArgsCallObject_RestoreStringUnicode_memcpy
String ID: password callback must return a string$password cannot be longer than %d bytes
API String ID: 1551476282-1265974473
Opcode ID: 451fe9cc037ae4ca0a52fdb4c774a51eb6ad11dc906b9a496bd4567f73c984d8
Instruction ID: 5faa55017a630f8090f701998f5e59d78b3a5460432f7302916f94cb053d7c7b
Opcode Fuzzy Hash: 451fe9cc037ae4ca0a52fdb4c774a51eb6ad11dc906b9a496bd4567f73c984d8
Instruction Fuzzy Hash: 8821F831A09B42C6EA14AB29E95627D23B0FF84FD4F084535DB5E47AB5CF3CE4A08780

Function 00007FF8B7E08BB4 Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 47COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON313 ref: 00007FF8B7E08BEE
PyUnicode_AsUTF8AndSize.PYTHON313 ref: 00007FF8B7E08BFE
PyErr_SetString.PYTHON313 ref: 00007FF8B7E08C30

Strings

No cipher can be selected., xrefs: 00007FF8B7E08C50
str, xrefs: 00007FF8B7E08BD9
embedded null character, xrefs: 00007FF8B7E08C26
argument, xrefs: 00007FF8B7E08BE0
set_ciphers, xrefs: 00007FF8B7E08BE7

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Arg_ArgumentErr_SizeStringUnicode_
String ID: No cipher can be selected.$argument$embedded null character$set_ciphers$str
API String ID: 4155279725-2765033273
Opcode ID: ea065838c93bf123b15737771585479b577fca96907ef9b0e34c49fa14334f0e
Instruction ID: 28033f0672ce081bef5f64a025276c6ab3d2d6a6112f6450c0524468562d9a40
Opcode Fuzzy Hash: ea065838c93bf123b15737771585479b577fca96907ef9b0e34c49fa14334f0e
Instruction Fuzzy Hash: BA111761A09B4695EA549B19E49217D2370FF48FE0F449631DB1E576B0DE3CE899C700

Function 00007FF8B7E02610 Relevance: 16.6, APIs: 11, Instructions: 72COMMON

Download Yara Rule

APIs

PyModule_GetState.PYTHON313 ref: 00007FF8B7E0261D
PyType_FromModuleAndSpec.PYTHON313 ref: 00007FF8B7E02633
PyType_FromModuleAndSpec.PYTHON313 ref: 00007FF8B7E02652
PyType_FromModuleAndSpec.PYTHON313 ref: 00007FF8B7E02672
PyType_FromModuleAndSpec.PYTHON313 ref: 00007FF8B7E02692
PyType_FromModuleAndSpec.PYTHON313 ref: 00007FF8B7E026AE
PyModule_AddType.PYTHON313 ref: 00007FF8B7E026C3
PyModule_AddType.PYTHON313 ref: 00007FF8B7E026D4
PyModule_AddType.PYTHON313 ref: 00007FF8B7E026E5
PyModule_AddType.PYTHON313 ref: 00007FF8B7E026F6
PyModule_AddType.PYTHON313 ref: 00007FF8B7E02707

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Module_$FromModuleSpecTypeType_$State
String ID:
API String ID: 1138651315-0
Opcode ID: 7113c4fe6f1b963d2cb9ac5b53a5f209678294d864031ecf4bce5d75bb687690
Instruction ID: d654e3a4ead08c83b083746d5f884fedb2b9b2c8cbf647bf3a3d5b4ac49b975b
Opcode Fuzzy Hash: 7113c4fe6f1b963d2cb9ac5b53a5f209678294d864031ecf4bce5d75bb687690
Instruction Fuzzy Hash: 8A31EA25B49B4392FA6A9B6DA85953D23A4BF09FC0B085535CB4E03B70EF3CE5649700

Function 00007FF8B7E02150 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

_PyArg_UnpackKeywords.PYTHON313 ref: 00007FF8B7E021B2
PyUnicode_AsUTF8AndSize.PYTHON313 ref: 00007FF8B7E021EE
PyObject_IsTrue.PYTHON313 ref: 00007FF8B7E02223

Strings

argument 'txt', xrefs: 00007FF8B7E03B2B
str, xrefs: 00007FF8B7E03B32
embedded null character, xrefs: 00007FF8B7E03B53
txt2obj, xrefs: 00007FF8B7E03B39

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Arg_KeywordsObject_SizeTrueUnicode_Unpack
String ID: argument 'txt'$embedded null character$str$txt2obj
API String ID: 3371007025-2001486153
Opcode ID: 2320e4280f1f69ba6e36c6f1d629554bc59a245645e9aff284964197e01a69df
Instruction ID: fb61faf1a76b565f2e999537e49922c0abf64149614069a00dda6a1c7920e796
Opcode Fuzzy Hash: 2320e4280f1f69ba6e36c6f1d629554bc59a245645e9aff284964197e01a69df
Instruction Fuzzy Hash: 68318022A0CB4285EA619B69E8523BD63A4FF88FD4F448135DB5E476B4DF3CD545C700

Function 00007FF8B7E06E20 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF8B7E06E51
_PyArg_CheckPositional.PYTHON313 ref: 00007FF8B7E06E6C
PyUnicode_AsUTF8AndSize.PYTHON313 ref: 00007FF8B7E06E95
PyBuffer_FillInfo.PYTHON313 ref: 00007FF8B7E06EC3
PyObject_GetBuffer.PYTHON313 ref: 00007FF8B7E06ED7
PyFloat_AsDouble.PYTHON313 ref: 00007FF8B7E06EF9
PyErr_Occurred.PYTHON313 ref: 00007FF8B7E06F0E
PyBuffer_Release.PYTHON313 ref: 00007FF8B7E06F36

Strings

RAND_add, xrefs: 00007FF8B7E06E62

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Buffer_$Arg_BufferCheckDoubleErr_FillFloat_InfoObject_OccurredPositionalReleaseSizeUnicode_memset
String ID: RAND_add
API String ID: 3826167373-2571728267
Opcode ID: 353d8b6163abcfc0a18eef1e444a5d13722078e9994ed70e4913c2e5e0c9b420
Instruction ID: 227059aac99a08274c557cb486ed1f056be50f091538657b4c3eb99dff35c171
Opcode Fuzzy Hash: 353d8b6163abcfc0a18eef1e444a5d13722078e9994ed70e4913c2e5e0c9b420
Instruction Fuzzy Hash: B5316B22A18B8689E6509F2AE4423BD63A0FF54FC4F488135EB4E53674DF3DE895C700

Function 00007FF8B7E09418 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 73COMMON

Download Yara Rule

APIs

_PyArg_UnpackKeywords.PYTHON313 ref: 00007FF8B7E09484
_PyArg_BadArgument.PYTHON313 ref: 00007FF8B7E094C6
PyUnicode_AsUTF8AndSize.PYTHON313 ref: 00007FF8B7E094D3
PyErr_SetString.PYTHON313 ref: 00007FF8B7E09505

Part of subcall function 00007FF8B7E0952C: strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B7E0955B
Part of subcall function 00007FF8B7E0952C: SSL_session_reused.LIBSSL-3 ref: 00007FF8B7E0956B
Part of subcall function 00007FF8B7E0952C: SSL_get_finished.LIBSSL-3 ref: 00007FF8B7E0958B

Strings

argument 'cb_type', xrefs: 00007FF8B7E094BF
tls-unique, xrefs: 00007FF8B7E09426
str, xrefs: 00007FF8B7E094B1
embedded null character, xrefs: 00007FF8B7E094FB
get_channel_binding, xrefs: 00007FF8B7E094B8

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Arg_$ArgumentErr_KeywordsL_get_finishedL_session_reusedSizeStringUnicode_Unpackstrcmp
String ID: argument 'cb_type'$embedded null character$get_channel_binding$str$tls-unique
API String ID: 2734880604-851902044
Opcode ID: 98e628a3e1a167fc3f287f962a04b9f23804e5db45c61c0015d656bb374e89be
Instruction ID: 5a9c7045808123a62a66dbeb0d714a67200bfeb69f47182afe8ed0c06ee70c4a
Opcode Fuzzy Hash: 98e628a3e1a167fc3f287f962a04b9f23804e5db45c61c0015d656bb374e89be
Instruction Fuzzy Hash: FC315C21A08B4285EA609F5AE4821BD63A1AF44FE4F544235DB5E07BB8DF3CE845CB00

Function 00007FF8A933196F Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A9331988
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A93319A0
ERR_new.LIBCRYPTO-3 ref: 00007FF8A93319F1
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9331A09
ERR_new.LIBCRYPTO-3 ref: 00007FF8A9331A20
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9331A38

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A9331999, 00007FF8A9331A02, 00007FF8A9331A31
tls_process_initial_server_flight, xrefs: 00007FF8A93319F6, 00007FF8A9331A25
tls_process_server_done, xrefs: 00007FF8A933198D

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debug
String ID: ..\s\ssl\statem\statem_clnt.c$tls_process_initial_server_flight$tls_process_server_done
API String ID: 193678381-2920457334
Opcode ID: e0eb7f40b6cba256202b0bb1c2786e7660da55b7299b333b19bd7809457d0bbd
Instruction ID: ee3ab2041072984194df10485fc5ca4b797df8b617f25610c36d2eb3e0781d05
Opcode Fuzzy Hash: e0eb7f40b6cba256202b0bb1c2786e7660da55b7299b333b19bd7809457d0bbd
Instruction Fuzzy Hash: E7316921B0EEC260FA109F56D8803BA62A1EF817D5F482135CE2DC67DADE7CE9858701

Function 00007FF8A92F5990 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

OPENSSL_sk_new_null.LIBCRYPTO-3(?,00007FF8A92F0EE9), ref: 00007FF8A92F59C5
ERR_new.LIBCRYPTO-3(?,00007FF8A92F0EE9), ref: 00007FF8A92F59D2
ERR_set_debug.LIBCRYPTO-3(?,00007FF8A92F0EE9), ref: 00007FF8A92F59EA
ERR_set_error.LIBCRYPTO-3(?,00007FF8A92F0EE9), ref: 00007FF8A92F59FC
SCT_free.LIBCRYPTO-3(?,00007FF8A92F0EE9), ref: 00007FF8A92F5A04
OPENSSL_sk_push.LIBCRYPTO-3(?,00007FF8A92F0EE9), ref: 00007FF8A92F5A35
OPENSSL_sk_pop.LIBCRYPTO-3(?,00007FF8A92F0EE9), ref: 00007FF8A92F5A43

Strings

ct_move_scts, xrefs: 00007FF8A92F59D7
..\s\ssl\ssl_lib.c, xrefs: 00007FF8A92F59E3

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: L_sk_new_nullL_sk_popL_sk_pushR_newR_set_debugR_set_errorT_free
String ID: ..\s\ssl\ssl_lib.c$ct_move_scts
API String ID: 678090195-2572802885
Opcode ID: 0a2d874d5245e4ae5a93465af9b96c4ed52d67167350f51a10a7adca5dbb7dd2
Instruction ID: 494fa9094c0f5549bdd4e569c2ac685cdcd09443b919c0db63559c23409baf21
Opcode Fuzzy Hash: 0a2d874d5245e4ae5a93465af9b96c4ed52d67167350f51a10a7adca5dbb7dd2
Instruction Fuzzy Hash: 3D219621B1EBC291FA14AF16594157A62E4EFC4BC4F485031EA6DC7B9ADF3CF4214700

Function 00007FF8B7E0CAE8 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON313 ref: 00007FF8B7E0CB0F
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0CB36
SSL_CTX_callback_ctrl.LIBSSL-3 ref: 00007FF8B7E0CB50

Strings

not a callable object, xrefs: 00007FF8B7E0CB7C
sni_callback cannot be set on TLS_CLIENT context, xrefs: 00007FF8B7E0CB05

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: DeallocErr_StringX_callback_ctrl
String ID: not a callable object$sni_callback cannot be set on TLS_CLIENT context
API String ID: 3136334877-1539510184
Opcode ID: 7c2fc2c77853d767661a4e479fe23088d4bb1f11d5e774a0267d54279080d1da
Instruction ID: 1ba54305e103ca63f7d651c69733c182881377d4e9247a207e1bcf5ac07d306a
Opcode Fuzzy Hash: 7c2fc2c77853d767661a4e479fe23088d4bb1f11d5e774a0267d54279080d1da
Instruction Fuzzy Hash: D921F932A0874286EB649F29E48667C3360FF48FD8F501932DB1E466B4DF7DE4558B40

Function 00007FF8A92D1956 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

EVP_MD_CTX_new.LIBCRYPTO-3 ref: 00007FF8A93404CE
ERR_new.LIBCRYPTO-3 ref: 00007FF8A93404DF
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A93404F7
EVP_MD_CTX_copy_ex.LIBCRYPTO-3 ref: 00007FF8A9340524
ERR_new.LIBCRYPTO-3 ref: 00007FF8A934052D
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9340545
EVP_MD_CTX_free.LIBCRYPTO-3 ref: 00007FF8A9340567

Strings

..\s\ssl\statem\statem_lib.c, xrefs: 00007FF8A93404F0, 00007FF8A934053E
tls13_save_handshake_digest_for_pha, xrefs: 00007FF8A93404E4, 00007FF8A9340532

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debug$X_copy_exX_freeX_new
String ID: ..\s\ssl\statem\statem_lib.c$tls13_save_handshake_digest_for_pha
API String ID: 401794203-262298153
Opcode ID: 412538726b70e8aeea752b51d591ae0eec0ce614aada8c58043d0c8b522c0924
Instruction ID: 2832dc3b26327b38ed177c222a40325c981f09283f843da115d3a875f85d660f
Opcode Fuzzy Hash: 412538726b70e8aeea752b51d591ae0eec0ce614aada8c58043d0c8b522c0924
Instruction Fuzzy Hash: 1A114F60F1FDC2A1FB54BF61D8117BA11A4EF947CAF892030D92DCAA86DF6CE5418750

Function 00007FF8A92D1960 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

BIO_s_file.LIBCRYPTO-3 ref: 00007FF8A930144E
BIO_new.LIBCRYPTO-3 ref: 00007FF8A9301456
ERR_new.LIBCRYPTO-3 ref: 00007FF8A9301463
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A930147B
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A930148D
BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8A93014B2
BIO_free.LIBCRYPTO-3 ref: 00007FF8A93014C7

Strings

..\s\ssl\ssl_txt.c, xrefs: 00007FF8A9301474
SSL_SESSION_print_fp, xrefs: 00007FF8A9301468

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: O_ctrlO_freeO_newO_s_fileR_newR_set_debugR_set_error
String ID: ..\s\ssl\ssl_txt.c$SSL_SESSION_print_fp
API String ID: 1031916422-1029007293
Opcode ID: 8d045917fd5d1af63b4975e0ee52677a43f125b39cd662b399e24e58a3bd064f
Instruction ID: 19a258642674a4e55c1de314718e4ac73fbfc41f9d7f21b7c718a2bfb8f962f3
Opcode Fuzzy Hash: 8d045917fd5d1af63b4975e0ee52677a43f125b39cd662b399e24e58a3bd064f
Instruction Fuzzy Hash: 59016111F1EAC261F684AF66A5516BE42A1EFC5BC4F896031FA1D87B9BDD2CE4414B00

Function 00007FF8B7E02828 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 31COMMON

Download Yara Rule

APIs

PyModule_GetState.PYTHON313 ref: 00007FF8B7E0282E
PyUnicode_InternFromString.PYTHON313 ref: 00007FF8B7E0283E
PyUnicode_InternFromString.PYTHON313 ref: 00007FF8B7E02854
PyUnicode_InternFromString.PYTHON313 ref: 00007FF8B7E0286D
PyUnicode_InternFromString.PYTHON313 ref: 00007FF8B7E02886

Strings

reason, xrefs: 00007FF8B7E0284D
verify_message, xrefs: 00007FF8B7E02866
library, xrefs: 00007FF8B7E02834
verify_code, xrefs: 00007FF8B7E0287F

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: FromInternStringUnicode_$Module_State
String ID: library$reason$verify_code$verify_message
API String ID: 1970222510-435783180
Opcode ID: 4254d239cbb8c58497ed9e16c0f8c624f67e2f5b2410b21064c2b256a3b3d2a5
Instruction ID: 527b86927f14cf61d0e304f3ecfa0104847dc530b1875d88651c1794d65b22b0
Opcode Fuzzy Hash: 4254d239cbb8c58497ed9e16c0f8c624f67e2f5b2410b21064c2b256a3b3d2a5
Instruction Fuzzy Hash: 8B011D2591AF4391FA559F6CE84617C22E8BF18F90F540535CA0E893F0EF3CA599C310

Function 00007FF8B7E02C10 Relevance: 15.2, APIs: 10, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF8B7E02C38
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF8B7E02C8A
_RTC_Initialize.LIBCMT ref: 00007FF8B7E02CB8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FF8B7E02CDE
__scrt_release_startup_lock.LIBCMT ref: 00007FF8B7E02D09

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 1a8d1f532519298a9da786a4129d135a06aa4afe88969801cf82f3079a6a7588
Instruction ID: a8cb26c14b8bfb671579d77f6ad63e6b0171f518915a49fbc6b9f32b10771395
Opcode Fuzzy Hash: 1a8d1f532519298a9da786a4129d135a06aa4afe88969801cf82f3079a6a7588
Instruction Fuzzy Hash: 29819E21E0C34786FA56AB6D94832BD66D4AF95FC0F548439DB4C973B6DE3CEA468300

Function 00007FF8A9327970 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 180COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A9327B41
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9327B59
ERR_new.LIBCRYPTO-3 ref: 00007FF8A9327BA4
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9327BBC
ERR_new.LIBCRYPTO-3 ref: 00007FF8A9327C02
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9327C1A

Strings

..\s\ssl\statem\extensions_cust.c, xrefs: 00007FF8A9327B52, 00007FF8A9327BB5, 00007FF8A9327C13
custom_ext_add, xrefs: 00007FF8A9327B46, 00007FF8A9327BA9, 00007FF8A9327C07

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debug
String ID: ..\s\ssl\statem\extensions_cust.c$custom_ext_add
API String ID: 193678381-2497583336
Opcode ID: ad8d19faf388aa23db7e570b038a697b30fe10eb225ee2c9ffd6ec6caf1a354b
Instruction ID: eaa404fdcb609180124207d3a1a5fc65280971edb0aff4deb3b753e8a945f3e6
Opcode Fuzzy Hash: ad8d19faf388aa23db7e570b038a697b30fe10eb225ee2c9ffd6ec6caf1a354b
Instruction Fuzzy Hash: 98719F71A0EAD265E7649F12A480BBA63A4FB95BC0F061135DE5E87B99CF7CE401C740

Function 00007FF8A92D19B5 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A93201B0
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A93201C8
ERR_new.LIBCRYPTO-3 ref: 00007FF8A93202FD
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9320315
ERR_new.LIBCRYPTO-3 ref: 00007FF8A932035B
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9320373

Strings

tls_construct_extensions, xrefs: 00007FF8A93201B5, 00007FF8A9320302, 00007FF8A9320360
..\s\ssl\statem\extensions.c, xrefs: 00007FF8A93201C1, 00007FF8A932030E, 00007FF8A932036C

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debug
String ID: ..\s\ssl\statem\extensions.c$tls_construct_extensions
API String ID: 193678381-3223585116
Opcode ID: 992176a5b5607ad23ec96c98088b2225bfd6718f6d21463046d42dc7daaa6d09
Instruction ID: 82fdce3f10d0e1a73eedd79d4e8733205892323c427493bf4a90007b4e9458fd
Opcode Fuzzy Hash: 992176a5b5607ad23ec96c98088b2225bfd6718f6d21463046d42dc7daaa6d09
Instruction Fuzzy Hash: 4451BE21A1DAC266FB549F66A8407BA62A4FB807C4F582031DE5DD7BD6EF3CE509C700

Function 00007FF8A92E5A80 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 118COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF8A92E5AB8
OPENSSL_sk_push.LIBCRYPTO-3 ref: 00007FF8A92E5ADD
ERR_new.LIBCRYPTO-3 ref: 00007FF8A92E5AE6
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92E5AFE
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A92E5B10

Strings

ciphersuite_cb, xrefs: 00007FF8A92E5AEB
..\s\ssl\ssl_ciph.c, xrefs: 00007FF8A92E5AF7, 00007FF8A92E5B93
P, xrefs: 00007FF8A92E5ABD

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: L_sk_pushR_newR_set_debugR_set_errormemcpy
String ID: ..\s\ssl\ssl_ciph.c$P$ciphersuite_cb
API String ID: 69574139-2656695495
Opcode ID: 336669d602111ffcb296deeb2c28716d1105def34d7899e28cc736b0845ac586
Instruction ID: 638b47d0ca29c79d9a66490ed923a5e317a0047b0383db936218829d17aa3be2
Opcode Fuzzy Hash: 336669d602111ffcb296deeb2c28716d1105def34d7899e28cc736b0845ac586
Instruction Fuzzy Hash: 2B11D615F1E9C266FB94AF65E8813B912A1EF883C4F855035E96CC6B9FEE5CF1018B10

Function 00007FF8B7E08EE8 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 84COMMON

Download Yara Rule

APIs

_PyArg_UnpackKeywords.PYTHON313 ref: 00007FF8B7E08F64
PyUnicode_AsUTF8AndSize.PYTHON313 ref: 00007FF8B7E08FAA
PyErr_SetString.PYTHON313 ref: 00007FF8B7E08FDF
_PyArg_BadArgument.PYTHON313 ref: 00007FF8B7E08FFC

Strings

argument 'identity_hint', xrefs: 00007FF8B7E08FEE
set_psk_server_callback, xrefs: 00007FF8B7E08FF5
str or None, xrefs: 00007FF8B7E08FE7
embedded null character, xrefs: 00007FF8B7E08FD5

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Arg_$ArgumentErr_KeywordsSizeStringUnicode_Unpack
String ID: argument 'identity_hint'$embedded null character$set_psk_server_callback$str or None
API String ID: 2966986319-155000023
Opcode ID: f47f73be90ef52e78b40ebe14f8e5d7f78366fdbc10af3ec50057d238338dd5c
Instruction ID: 9d70d7c5dc4fc0aa94bcf810c3663d59863e240906dcbd781b5d86419181b5c1
Opcode Fuzzy Hash: f47f73be90ef52e78b40ebe14f8e5d7f78366fdbc10af3ec50057d238338dd5c
Instruction Fuzzy Hash: FC319A22A08B4695EA61DF19E8426AD6361BF54FD4F844236EF4D037B4DF7DE884C700

Function 00007FF8B7E09030 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 67COMMON

Download Yara Rule

APIs

PyCallable_Check.PYTHON313 ref: 00007FF8B7E09088
PyErr_SetString.PYTHON313 ref: 00007FF8B7E090A3
SSL_CTX_use_psk_identity_hint.LIBSSL-3 ref: 00007FF8B7E090B9

Part of subcall function 00007FF8B7E06750: ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B7E06768
Part of subcall function 00007FF8B7E06750: ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B7E06791

_Py_Dealloc.PYTHON313 ref: 00007FF8B7E090E8
SSL_CTX_set_psk_server_callback.LIBSSL-3 ref: 00007FF8B7E09107

Strings

Cannot add PSK server callback to a PROTOCOL_TLS_CLIENT context, xrefs: 00007FF8B7E09057
failed to set identity hint, xrefs: 00007FF8B7E090CB
callback must be callable, xrefs: 00007FF8B7E09099

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Callable_CheckDeallocErr_R_clear_errorR_peek_last_errorStringX_set_psk_server_callbackX_use_psk_identity_hint
String ID: Cannot add PSK server callback to a PROTOCOL_TLS_CLIENT context$callback must be callable$failed to set identity hint
API String ID: 2313049127-1396254157
Opcode ID: fb21281403a379b615c99ff083972a40e415b7fbdbf99e890c6c4d71a06daef1
Instruction ID: 7bccc302161b2535eaae685b024eb99a9ebb5595b13273d73daf3f8e87782215
Opcode Fuzzy Hash: fb21281403a379b615c99ff083972a40e415b7fbdbf99e890c6c4d71a06daef1
Instruction Fuzzy Hash: 7131D236A08B468AEA549F2DE89623D63A0FF84FC8F544431DB4E87AB4CE7DE451C740

Function 00007FF8A92D1947 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A92D8D9D
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92D8DB5
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A92D8DC7
ERR_new.LIBCRYPTO-3 ref: 00007FF8A92D8DDC
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92D8DF4
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A92D8E06

Strings

..\s\ssl\d1_msg.c, xrefs: 00007FF8A92D8DAE, 00007FF8A92D8DED
dtls1_write_app_data_bytes, xrefs: 00007FF8A92D8DA2, 00007FF8A92D8DE1

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: ..\s\ssl\d1_msg.c$dtls1_write_app_data_bytes
API String ID: 1552677711-1870589286
Opcode ID: b2aeda71e0f10ff5d104f444f2d6a97a66499aa94998217004147aa1704fb417
Instruction ID: e8a199f19698aca422b60c4adf9e15972dbc4ba5a8bda216ed70d951a66c712b
Opcode Fuzzy Hash: b2aeda71e0f10ff5d104f444f2d6a97a66499aa94998217004147aa1704fb417
Instruction Fuzzy Hash: 11215320E0EAC266F654AF21E8003BA52A8DF957D0F546131F92D87BDADE6CF4408600

Function 00007FF8B7E046D4 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 60COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON313 ref: 00007FF8B7E0470C
SSL_is_init_finished.LIBSSL-3 ref: 00007FF8B7E0474B
SSL_set_session.LIBSSL-3 ref: 00007FF8B7E04776
SSL_SESSION_free.LIBSSL-3 ref: 00007FF8B7E04781

Strings

Cannot set session for server-side SSLSocket., xrefs: 00007FF8B7E0473E
Cannot set session after handshake., xrefs: 00007FF8B7E04755
Value is not a SSLSession., xrefs: 00007FF8B7E04702
Session refers to a different SSLContext., xrefs: 00007FF8B7E04728

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Err_L_is_init_finishedL_set_sessionN_freeString
String ID: Cannot set session after handshake.$Cannot set session for server-side SSLSocket.$Session refers to a different SSLContext.$Value is not a SSLSession.
API String ID: 2514955158-3160731334
Opcode ID: c68f23ef8fa8fe8aa0f0b8702e981877ea41e580611d10ca50f03757ef80513d
Instruction ID: ac86667dda3a9557715ba2d04ccea5f10fa8766baa220c0872e1a308405d1b0c
Opcode Fuzzy Hash: c68f23ef8fa8fe8aa0f0b8702e981877ea41e580611d10ca50f03757ef80513d
Instruction Fuzzy Hash: 53213765A08B4281EA14DB2EE95A13D23B1FF86FC4B584535DB4E47AB4DF3CE891C300

Function 00007FF8B7E0C9C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

PyArg_Parse.PYTHON313 ref: 00007FF8B7E0C9EF
PyLong_AsUnsignedLongLong.PYTHON313 ref: 00007FF8B7E0CA02
PyErr_Occurred.PYTHON313 ref: 00007FF8B7E0CA11
SSL_CTX_get_options.LIBSSL-3 ref: 00007FF8B7E0CA20
PyErr_WarnEx.PYTHON313 ref: 00007FF8B7E0CA58
SSL_CTX_clear_options.LIBSSL-3 ref: 00007FF8B7E0CA6E
SSL_CTX_set_options.LIBSSL-3 ref: 00007FF8B7E0CA80

Strings

ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated, xrefs: 00007FF8B7E0CA48

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Err_Long$Arg_Long_OccurredParseUnsignedWarnX_clear_optionsX_get_optionsX_set_options
String ID: ssl.OP_NO_SSL*/ssl.OP_NO_TLS* options are deprecated
API String ID: 2438043060-2795599882
Opcode ID: c0e64db1c963369a8a5ed26ffb050843c3af0e95e9869049d5e688494430fb2c
Instruction ID: b7c9375c7e4508ba03a0d6471f6c0c23da8710fc3526f53d92f628bc0fba43b0
Opcode Fuzzy Hash: c0e64db1c963369a8a5ed26ffb050843c3af0e95e9869049d5e688494430fb2c
Instruction Fuzzy Hash: 86210E25B08B4286FA149B29E9462AD6374FF44FE0F184A32DF6E477F4DE2DE5548700

Function 00007FF8B7E0AB28 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

_PyArg_UnpackKeywords.PYTHON313 ref: 00007FF8B7E0AB79
_PyArg_BadArgument.PYTHON313 ref: 00007FF8B7E0ABB2
PyUnicode_AsUTF8AndSize.PYTHON313 ref: 00007FF8B7E0ABBF
PyErr_SetString.PYTHON313 ref: 00007FF8B7E0ABF1

Strings

str, xrefs: 00007FF8B7E0AB9D
embedded null character, xrefs: 00007FF8B7E0ABE7
enum_crls, xrefs: 00007FF8B7E0ABA4
argument 'store_name', xrefs: 00007FF8B7E0ABAB

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Arg_$ArgumentErr_KeywordsSizeStringUnicode_Unpack
String ID: argument 'store_name'$embedded null character$enum_crls$str
API String ID: 2966986319-2641223161
Opcode ID: 0186551bacce5e167eb27f67d7153db174b15f636566da8f41fccaa9d7114ce9
Instruction ID: cf7fca9eb0f130269239241c9c19f13a53bf0867ca5d0007bf9f20efd04f2d4f
Opcode Fuzzy Hash: 0186551bacce5e167eb27f67d7153db174b15f636566da8f41fccaa9d7114ce9
Instruction Fuzzy Hash: 54213961A0DB4686EE559B1DA88267D63A1EF48FE0F444236DA5E437B4EF3DE484CB00

Function 00007FF8B7E09914 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 59COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF8B7E09944
PyErr_SetString.PYTHON313 ref: 00007FF8B7E0996A
PyArg_ParseTuple.PYTHON313 ref: 00007FF8B7E09989
PyArg_ParseTuple.PYTHON313 ref: 00007FF8B7E099AC
PyBuffer_Release.PYTHON313 ref: 00007FF8B7E099DE

Strings

n:read, xrefs: 00007FF8B7E099A5
nw*:read, xrefs: 00007FF8B7E09982
_ssl._SSLSocket.read requires 1 to 2 arguments, xrefs: 00007FF8B7E09960

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Arg_ParseTuple$Buffer_Err_ReleaseStringmemset
String ID: _ssl._SSLSocket.read requires 1 to 2 arguments$n:read$nw*:read
API String ID: 302419003-3684439920
Opcode ID: 5a9362ef0d5284d612b6273122407dfbe21e4986a102e0a91e15f98c4691a0c1
Instruction ID: 56734a3f991078b73f36a7108a9d4c0d559e42bc5205e0d713dc2bf2f5b54c29
Opcode Fuzzy Hash: 5a9362ef0d5284d612b6273122407dfbe21e4986a102e0a91e15f98c4691a0c1
Instruction Fuzzy Hash: 51210E62A08B4695E6249F1ED4452AD6365FF88FC4F948132DB8D43B74DE3CD585C700

Function 00007FF8B7E097B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

SSL_is_init_finished.LIBSSL-3(?,?,00000000,00007FF8B7E09796), ref: 00007FF8B7E097D0
PyErr_SetString.PYTHON313(?,?,00000000,00007FF8B7E09796), ref: 00007FF8B7E097EB
SSL_get1_peer_certificate.LIBSSL-3(?,?,00000000,00007FF8B7E09796), ref: 00007FF8B7E097F9

Strings

handshake not done yet, xrefs: 00007FF8B7E097E1

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Err_L_get1_peer_certificateL_is_init_finishedString
String ID: handshake not done yet
API String ID: 1333720006-2620869922
Opcode ID: f092b3b7c3ee2ed00ca93eb839ed0a4996e54995b990773d5699899330fd975d
Instruction ID: 9882da50ed71b9b534194609a9688c5a001fb33d9abf741903074e47d9b9f6a1
Opcode Fuzzy Hash: f092b3b7c3ee2ed00ca93eb839ed0a4996e54995b990773d5699899330fd975d
Instruction Fuzzy Hash: 15111C21E08B42C2EA54AF2AE95603D6360FF98FC0B144435DF0E9B774EF2CE8958350

Function 00007FF8B7E0952C Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 48stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B7E0955B
SSL_session_reused.LIBSSL-3 ref: 00007FF8B7E0956B
SSL_get_finished.LIBSSL-3 ref: 00007FF8B7E0958B
SSL_get_peer_finished.LIBSSL-3 ref: 00007FF8B7E09593
PyBytes_FromStringAndSize.PYTHON313 ref: 00007FF8B7E095AF
PyErr_Format.PYTHON313 ref: 00007FF8B7E095CB

Strings

tls-unique, xrefs: 00007FF8B7E09531, 00007FF8B7E09554
'%s' channel binding type not implemented, xrefs: 00007FF8B7E095BE

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Bytes_Err_FormatFromL_get_finishedL_get_peer_finishedL_session_reusedSizeStringstrcmp
String ID: '%s' channel binding type not implemented$tls-unique
API String ID: 797867279-2744131590
Opcode ID: ee9e15b96943c7916e8f0ad5ead5c3aaec6d7d01e4147b308fbed52906bf8837
Instruction ID: 35bab8a88212d61449dbe0ecf47a463341e172bde6cefde1ddf8bc1bf1e1cc3c
Opcode Fuzzy Hash: ee9e15b96943c7916e8f0ad5ead5c3aaec6d7d01e4147b308fbed52906bf8837
Instruction Fuzzy Hash: 37113A61B08B4285FA64AB1EE85637E22A0BF88FC4F844435CB4E87A74DE2CE5448750

Function 00007FF8B7E06D74 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON313(?,?,?,?,?,00007FF8B7E06D05), ref: 00007FF8B7E06D9A
PyType_GetModule.PYTHON313(?,?,?,?,?,00007FF8B7E06D05), ref: 00007FF8B7E06DB2
PyModule_GetState.PYTHON313(?,?,?,?,?,00007FF8B7E06D05), ref: 00007FF8B7E06DC0
PyErr_SetString.PYTHON313(?,?,?,?,?,00007FF8B7E06D05), ref: 00007FF8B7E06DD1
BIO_write.LIBCRYPTO-3(?,?,?,?,?,00007FF8B7E06D05), ref: 00007FF8B7E06DE4
PyType_GetModuleState.PYTHON313(?,?,?,?,?,00007FF8B7E06D05), ref: 00007FF8B7E06DF2

Part of subcall function 00007FF8B7E06750: ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B7E06768
Part of subcall function 00007FF8B7E06750: ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B7E06791

Strings

string longer than %d bytes, xrefs: 00007FF8B7E06D90
cannot write() after write_eof(), xrefs: 00007FF8B7E06DC6

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Err_ModuleStateType_$FormatModule_O_writeR_clear_errorR_peek_last_errorString
String ID: cannot write() after write_eof()$string longer than %d bytes
API String ID: 11717643-118187971
Opcode ID: 7383a569a927ec0fd75ff4892b50f4ef25a5d6a4e82b8539fc613e6a65e1470f
Instruction ID: 208d8adeb9ef0d677f5ac31c6432d4f5cfa530ba3ce36c3ae8971d47289f0148
Opcode Fuzzy Hash: 7383a569a927ec0fd75ff4892b50f4ef25a5d6a4e82b8539fc613e6a65e1470f
Instruction Fuzzy Hash: DC112865B18B0286EB54AB29D85623D23A0FF84FC8B544835CA1E8B6B0DF3CE496C700

Function 00007FF8B7E07174 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON313(?,?,00000000,00007FF8B7E07149), ref: 00007FF8B7E071A1
PyMem_Free.PYTHON313(?,?,00000000,00007FF8B7E07149), ref: 00007FF8B7E071AF
PyMem_Malloc.PYTHON313(?,?,00000000,00007FF8B7E07149), ref: 00007FF8B7E071B9
PyErr_NoMemory.PYTHON313(?,?,00000000,00007FF8B7E07149), ref: 00007FF8B7E071C8

Strings

protocols longer than %u bytes, xrefs: 00007FF8B7E07197

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Err_Mem_$FormatFreeMallocMemory
String ID: protocols longer than %u bytes
API String ID: 2903777688-895981740
Opcode ID: b16d67ea3c75b465b145a698c229f6f9d2ae3835ff07915fd07fac16a807e4e1
Instruction ID: f6328e972708ff5b4bf42dd298dc5792740ce64e0cb84e7d4e5b6dd574ce305e
Opcode Fuzzy Hash: b16d67ea3c75b465b145a698c229f6f9d2ae3835ff07915fd07fac16a807e4e1
Instruction Fuzzy Hash: 8911D4A5A08B4296EB58AB2EE88602C2370FF88FD4B545535CF1E577B4DF3CE4A48750

Function 00007FF8B7E09D98 Relevance: 13.6, APIs: 9, Instructions: 78COMMON

Download Yara Rule

APIs

SSL_get_ciphers.LIBSSL-3 ref: 00007FF8B7E09DBD
SSL_get_client_ciphers.LIBSSL-3 ref: 00007FF8B7E09DD3
OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8B7E09DE8
PyList_New.PYTHON313 ref: 00007FF8B7E09DF1
OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8B7E09E06
OPENSSL_sk_value.LIBCRYPTO-3 ref: 00007FF8B7E09E18
OPENSSL_sk_find.LIBCRYPTO-3 ref: 00007FF8B7E09E27
OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8B7E09E51
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E09E75

Part of subcall function 00007FF8B7E0B710: PyTuple_New.PYTHON313 ref: 00007FF8B7E0B722
Part of subcall function 00007FF8B7E0B710: SSL_CIPHER_get_name.LIBSSL-3 ref: 00007FF8B7E0B737
Part of subcall function 00007FF8B7E0B710: SSL_CIPHER_get_version.LIBSSL-3 ref: 00007FF8B7E0B769
Part of subcall function 00007FF8B7E0B710: SSL_CIPHER_get_bits.LIBSSL-3 ref: 00007FF8B7E0B79D
Part of subcall function 00007FF8B7E0B710: PyLong_FromLong.PYTHON313 ref: 00007FF8B7E0B7A5

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: L_sk_num$DeallocFromL_get_ciphersL_get_client_ciphersL_sk_findL_sk_valueList_LongLong_R_get_bitsR_get_nameR_get_versionTuple_
String ID:
API String ID: 1361062010-0
Opcode ID: 4f2b3bef921491daf3ea2ab79f14d545e63694236941bf4e1b89b9a0533f4308
Instruction ID: a345d94011c16ca8eac10e839c818883b8f947aff9bd111f64ed1f1c381c9ed7
Opcode Fuzzy Hash: 4f2b3bef921491daf3ea2ab79f14d545e63694236941bf4e1b89b9a0533f4308
Instruction Fuzzy Hash: 3E213321A0DB4685FA55AF6AA95613D76D0BF44FD5F080834DF0F867B4EE3CE8468340

Function 00007FF8B7E079DC Relevance: 13.6, APIs: 9, Instructions: 70COMMON

Download Yara Rule

APIs

SSL_new.LIBSSL-3 ref: 00007FF8B7E079FF
SSL_get_ciphers.LIBSSL-3 ref: 00007FF8B7E07A2B
OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8B7E07A37
PyList_New.PYTHON313 ref: 00007FF8B7E07A40
OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8B7E07A53
OPENSSL_sk_value.LIBCRYPTO-3 ref: 00007FF8B7E07A65
OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8B7E07A8C
SSL_free.LIBSSL-3 ref: 00007FF8B7E07AB0

Part of subcall function 00007FF8B7E06750: ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B7E06768
Part of subcall function 00007FF8B7E06750: ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B7E06791

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: L_sk_num$L_freeL_get_ciphersL_newL_sk_valueList_R_clear_errorR_peek_last_error
String ID:
API String ID: 722909353-0
Opcode ID: 8396214c4882a56f0fae0f7fc67bfd013babba7491e12d419a084fc45d29b7b4
Instruction ID: 934359976537b892db85760a510c35462421439618a76867cfcc8663925e070c
Opcode Fuzzy Hash: 8396214c4882a56f0fae0f7fc67bfd013babba7491e12d419a084fc45d29b7b4
Instruction Fuzzy Hash: 46214F21B097428AFE15AF6EA85613D63A0BF88FC1B084834DF4E56775EF3CE5568310

Function 00007FF8A92D5ABF Relevance: 13.6, APIs: 9, Instructions: 55COMMON

Download Yara Rule

APIs

BIO_clear_flags.LIBCRYPTO-3 ref: 00007FF8A92D5AC7
BIO_set_retry_reason.LIBCRYPTO-3 ref: 00007FF8A92D5AD1
BIO_set_flags.LIBCRYPTO-3 ref: 00007FF8A92D5B0A
BIO_get_retry_reason.LIBCRYPTO-3 ref: 00007FF8A92D5B12
BIO_set_retry_reason.LIBCRYPTO-3 ref: 00007FF8A92D5B1C
BIO_set_flags.LIBCRYPTO-3 ref: 00007FF8A92D5B2E
BIO_set_retry_reason.LIBCRYPTO-3 ref: 00007FF8A92D5B3B
BIO_set_flags.LIBCRYPTO-3 ref: 00007FF8A92D5B4A
BIO_set_flags.LIBCRYPTO-3 ref: 00007FF8A92D5B59

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: O_set_flags$O_set_retry_reason$O_clear_flagsO_get_retry_reason
String ID:
API String ID: 3610643084-0
Opcode ID: f6b81cbf8220b2ab67591474301552fc9071b4d620fcc6b57090c5d5907f3a51
Instruction ID: 778a6604140dcae341e6dd81adf08f98413cefb30f8beaa3377d472d5009aef2
Opcode Fuzzy Hash: f6b81cbf8220b2ab67591474301552fc9071b4d620fcc6b57090c5d5907f3a51
Instruction Fuzzy Hash: DA117915F0E48263FA18AE26102267E42A5CFC2BD1F105431D96ACBBCFCDECF643060A

Function 00007FF8A931E9D0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A92D1307: OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8A933E1EC

OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8A931EA02
ERR_new.LIBCRYPTO-3 ref: 00007FF8A931EA5D
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A931EA75
ERR_new.LIBCRYPTO-3 ref: 00007FF8A931EAB7
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A931EACF

Part of subcall function 00007FF8A92D163B: ERR_new.LIBCRYPTO-3 ref: 00007FF8A933DD5D
Part of subcall function 00007FF8A92D163B: ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A933DD75

Strings

tls_construct_certificate_authorities, xrefs: 00007FF8A931EA62, 00007FF8A931EABC
..\s\ssl\statem\extensions.c, xrefs: 00007FF8A931EA6E, 00007FF8A931EAC8

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debug$L_sk_num
String ID: ..\s\ssl\statem\extensions.c$tls_construct_certificate_authorities
API String ID: 2899912155-903051733
Opcode ID: 76d98890604127e7ecc2d5f884e7f8f741c35995e0341fa4c29aeb5bc96f2245
Instruction ID: 027c3891550e029ad393e56a53bf40009a47dcf1947aacfde396e3f8a80dfca1
Opcode Fuzzy Hash: 76d98890604127e7ecc2d5f884e7f8f741c35995e0341fa4c29aeb5bc96f2245
Instruction Fuzzy Hash: 1521A410B1EAC251FA94AB12B5516BA52A4EF847C4F582030EE1EC7FDBDE6CE5418700

Function 00007FF8B7E0702C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

PyType_GetModuleByDef.PYTHON313 ref: 00007FF8B7E07052
PyModule_GetState.PYTHON313 ref: 00007FF8B7E0705B
_PyArg_NoKeywords.PYTHON313 ref: 00007FF8B7E07088
_PyArg_CheckPositional.PYTHON313 ref: 00007FF8B7E070AB
PyLong_AsInt.PYTHON313 ref: 00007FF8B7E070B9
PyErr_Occurred.PYTHON313 ref: 00007FF8B7E070C6

Strings

_SSLContext, xrefs: 00007FF8B7E07081, 00007FF8B7E070A4

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Arg_$CheckErr_KeywordsLong_ModuleModule_OccurredPositionalStateType_
String ID: _SSLContext
API String ID: 3264916389-1468230856
Opcode ID: 987a8b73833f867488729d6e38bb227978c0df7791cda1cd7699adc4e07a767e
Instruction ID: 6b7251921105186220fcfc53026e24600366b33a56060663a53fc8bed60b9ab0
Opcode Fuzzy Hash: 987a8b73833f867488729d6e38bb227978c0df7791cda1cd7699adc4e07a767e
Instruction Fuzzy Hash: 63217F21B09B4285EE549B2AEC8217E63A1BF48FD4F588531DB4D57BB8DE7DE891C300

Function 00007FF8B7E0B1CC Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

BIO_s_mem.LIBCRYPTO-3 ref: 00007FF8B7E0B1E6
BIO_new.LIBCRYPTO-3 ref: 00007FF8B7E0B1EF
PyErr_SetString.PYTHON313 ref: 00007FF8B7E0B210
X509_NAME_print_ex.LIBCRYPTO-3 ref: 00007FF8B7E0B229
BIO_free.LIBCRYPTO-3 ref: 00007FF8B7E0B25F

Strings

strict, xrefs: 00007FF8B7E0B24A
failed to allocate BIO, xrefs: 00007FF8B7E0B206

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: E_print_exErr_O_freeO_newO_s_memStringX509_
String ID: failed to allocate BIO$strict
API String ID: 220268057-2811890329
Opcode ID: 45d9a39df6a1ebb40e44180eac2f81db80ffa4c90534aa3307a75c1a238b5011
Instruction ID: 4d38df0defbed1a16a9675f1284744394ec040b0b4fa18ceec0b48c74ca69530
Opcode Fuzzy Hash: 45d9a39df6a1ebb40e44180eac2f81db80ffa4c90534aa3307a75c1a238b5011
Instruction Fuzzy Hash: BA112121B08B9285F654AB2ABC0616EA361BF89FC4F448435DF4D47B35EE7CE0458700

Function 00007FF8A92F5AC0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8A92F5AE3
OPENSSL_sk_value.LIBCRYPTO-3 ref: 00007FF8A92F5AF5
ERR_new.LIBCRYPTO-3 ref: 00007FF8A92F5B0D
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92F5B25
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A92F5B37

Strings

ct_strict, xrefs: 00007FF8A92F5B12
..\s\ssl\ssl_lib.c, xrefs: 00007FF8A92F5B1E

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: L_sk_numL_sk_valueR_newR_set_debugR_set_error
String ID: ..\s\ssl\ssl_lib.c$ct_strict
API String ID: 2392307641-4060112342
Opcode ID: 6031cf25cc38d85908bdfe31546cc7f1a8a3e5b5b3b0380283bcde6e35d55d99
Instruction ID: 4d32ad95a8a72984f1f2fb1b8fedcdeeaba7dc2e7421d81b366937a1bf6defb4
Opcode Fuzzy Hash: 6031cf25cc38d85908bdfe31546cc7f1a8a3e5b5b3b0380283bcde6e35d55d99
Instruction Fuzzy Hash: 2F01D625F0EAC261F7849F25E5816BA51A0EFC47C0F946031E92DC3B9EDE6CE8514700

Function 00007FF8B7E022C8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

OBJ_obj2nid.LIBCRYPTO-3(?,?,?,?,?,00007FF8B7E022A6), ref: 00007FF8B7E022EA
OBJ_nid2sn.LIBCRYPTO-3(?,?,?,?,?,00007FF8B7E022A6), ref: 00007FF8B7E022FC
OBJ_nid2ln.LIBCRYPTO-3(?,?,?,?,?,00007FF8B7E022A6), ref: 00007FF8B7E02307

Part of subcall function 00007FF8B7E02358: OBJ_obj2txt.LIBCRYPTO-3 ref: 00007FF8B7E0239D
Part of subcall function 00007FF8B7E02358: PyUnicode_FromStringAndSize.PYTHON313 ref: 00007FF8B7E023C3

Py_BuildValue.PYTHON313(?,?,?,?,?,00007FF8B7E022A6), ref: 00007FF8B7E02335
PyErr_Format.PYTHON313(?,?,?,?,?,00007FF8B7E022A6), ref: 00007FF8B7E03B9D

Strings

Unknown object, xrefs: 00007FF8B7E03B93
issN, xrefs: 00007FF8B7E0232C

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: BuildErr_FormatFromJ_nid2lnJ_nid2snJ_obj2nidJ_obj2txtSizeStringUnicode_Value
String ID: Unknown object$issN
API String ID: 2277031989-847857892
Opcode ID: 42d544a5f2839ee0200b4fe2f75c4c601cb5a853b30f8e01e6d47e3f2ee2f612
Instruction ID: 62523f151b2a9f687384169fb07c874b4777e67bd8387b919dab47f56d654558
Opcode Fuzzy Hash: 42d544a5f2839ee0200b4fe2f75c4c601cb5a853b30f8e01e6d47e3f2ee2f612
Instruction Fuzzy Hash: BE116925B08B5286EA10AB2AE80606DB7A4FF88FC0B884435DF4E87B74DF3CE545C704

Function 00007FF8A92D1A5A Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

d2i_PrivateKey_ex.LIBCRYPTO-3 ref: 00007FF8A92F9976
ERR_new.LIBCRYPTO-3 ref: 00007FF8A92F9983
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92F999B
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A92F99AD
EVP_PKEY_free.LIBCRYPTO-3 ref: 00007FF8A92F99D3

Strings

SSL_CTX_use_PrivateKey_ASN1, xrefs: 00007FF8A92F9988
..\s\ssl\ssl_rsa.c, xrefs: 00007FF8A92F9994

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: Key_exPrivateR_newR_set_debugR_set_errorY_freed2i_
String ID: ..\s\ssl\ssl_rsa.c$SSL_CTX_use_PrivateKey_ASN1
API String ID: 3030233885-1502814970
Opcode ID: 38bb77356b2974a16d7b2ef52eff4fc0f7fab81fa5716d4441f746cc73720379
Instruction ID: 5aec6be6230004cb34965d9648a0ab10cf07ed5ddaf0486a320d98de5f4c7c9c
Opcode Fuzzy Hash: 38bb77356b2974a16d7b2ef52eff4fc0f7fab81fa5716d4441f746cc73720379
Instruction Fuzzy Hash: E4018861B0EEC191EB40EF19E5412AA93F0EFC87C4F554031EA5C87B9ADE3CD5504A00

Function 00007FF8B7E0B044 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON313(?,?,00000000,00007FF8B7E0B02D), ref: 00007FF8B7E0B06D
OBJ_nid2obj.LIBCRYPTO-3(?,?,00000000,00007FF8B7E0B02D), ref: 00007FF8B7E0B079
PyErr_Format.PYTHON313(?,?,00000000,00007FF8B7E0B02D), ref: 00007FF8B7E0B09B
PyModule_GetState.PYTHON313(?,?,00000000,00007FF8B7E0B02D), ref: 00007FF8B7E0B0A6

Part of subcall function 00007FF8B7E022C8: OBJ_obj2nid.LIBCRYPTO-3(?,?,?,?,?,00007FF8B7E022A6), ref: 00007FF8B7E022EA
Part of subcall function 00007FF8B7E022C8: OBJ_nid2sn.LIBCRYPTO-3(?,?,?,?,?,00007FF8B7E022A6), ref: 00007FF8B7E022FC
Part of subcall function 00007FF8B7E022C8: OBJ_nid2ln.LIBCRYPTO-3(?,?,?,?,?,00007FF8B7E022A6), ref: 00007FF8B7E02307
Part of subcall function 00007FF8B7E022C8: Py_BuildValue.PYTHON313(?,?,?,?,?,00007FF8B7E022A6), ref: 00007FF8B7E02335

ASN1_OBJECT_free.LIBCRYPTO-3(?,?,00000000,00007FF8B7E0B02D), ref: 00007FF8B7E0B0BD

Strings

NID must be positive., xrefs: 00007FF8B7E0B063
unknown NID %i, xrefs: 00007FF8B7E0B08E

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Err_$BuildFormatJ_nid2lnJ_nid2objJ_nid2snJ_obj2nidModule_StateStringT_freeValue
String ID: NID must be positive.$unknown NID %i
API String ID: 1079357630-2656559464
Opcode ID: d8c9c2db7b88e3514f31857551da2f2394f72a9ee13964bb6130a15aada5b37e
Instruction ID: 647fe7404b17d7d158a4b58f9131f28e47eccb922d428221e20cf7bb25cb59b6
Opcode Fuzzy Hash: d8c9c2db7b88e3514f31857551da2f2394f72a9ee13964bb6130a15aada5b37e
Instruction Fuzzy Hash: 98014824B08B43C6FA18AB6AE89213D63A1BF88FD4B448534DB0E47B74EF2CE4458700

Function 00007FF8B7E06AC8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

BIO_s_mem.LIBCRYPTO-3(?,?,00000000,00007FF8B7E06AA0), ref: 00007FF8B7E06AD5
BIO_new.LIBCRYPTO-3(?,?,00000000,00007FF8B7E06AA0), ref: 00007FF8B7E06ADE
PyErr_SetString.PYTHON313(?,?,00000000,00007FF8B7E06AA0), ref: 00007FF8B7E06AFD
BIO_set_flags.LIBCRYPTO-3(?,?,00000000,00007FF8B7E06AA0), ref: 00007FF8B7E06B0F
BIO_ctrl.LIBCRYPTO-3(?,?,00000000,00007FF8B7E06AA0), ref: 00007FF8B7E06B24
BIO_free.LIBCRYPTO-3(?,?,00000000,00007FF8B7E06AA0), ref: 00007FF8B7E06B3D

Strings

failed to allocate BIO, xrefs: 00007FF8B7E06AF3

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Err_O_ctrlO_freeO_newO_s_memO_set_flagsString
String ID: failed to allocate BIO
API String ID: 68942223-3472608418
Opcode ID: c6033ec318cdf6af549f8bf24f9750b080f66e7010b115b7e21bf31243622685
Instruction ID: f6f326bbf8a3410d4b7095e9afb8a2ba696ae8085883b0400c38ada2c383966a
Opcode Fuzzy Hash: c6033ec318cdf6af549f8bf24f9750b080f66e7010b115b7e21bf31243622685
Instruction Fuzzy Hash: F5010C61A08B4286FA18AB69F95523D67A1EF89FD5F545134CA1F07770EF3CE4448700

Function 00007FF8A92F6940 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

OPENSSL_sk_new_null.LIBCRYPTO-3(?,00007FF8A92F02C1), ref: 00007FF8A92F6984
OPENSSL_sk_num.LIBCRYPTO-3(?,00007FF8A92F02C1), ref: 00007FF8A92F699B
OPENSSL_sk_value.LIBCRYPTO-3(?,00007FF8A92F02C1), ref: 00007FF8A92F69A9
X509_NAME_dup.LIBCRYPTO-3(?,00007FF8A92F02C1), ref: 00007FF8A92F69B1
OPENSSL_sk_num.LIBCRYPTO-3(?,00007FF8A92F02C1), ref: 00007FF8A92F69D5

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: L_sk_num$E_dupL_sk_new_nullL_sk_valueX509_
String ID:
API String ID: 3273602126-0
Opcode ID: 881ac52d8e42a3e634f706a0947f41ac1587dba43d80824104df64d6d3a7b18e
Instruction ID: 5b85b6c0e80dc8c7ac4f4390601ef9cb4e0a03dcae12856812a9d2bf4096ca75
Opcode Fuzzy Hash: 881ac52d8e42a3e634f706a0947f41ac1587dba43d80824104df64d6d3a7b18e
Instruction Fuzzy Hash: 56216D21B0EAC2A5FF549F66A54117A52E0EF88BC4F485034EE6EC7B9EDE6DF4118700

Function 00007FF8B7E0B7DC Relevance: 12.1, APIs: 8, Instructions: 66threadCOMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0B807
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0B824
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0B841
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0B85E
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0B87B
PyEval_SaveThread.PYTHON313 ref: 00007FF8B7E0B887
BIO_free_all.LIBCRYPTO-3 ref: 00007FF8B7E0B894
PyEval_RestoreThread.PYTHON313 ref: 00007FF8B7E0B89D

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Dealloc$Eval_Thread$O_free_allRestoreSave
String ID:
API String ID: 86175192-0
Opcode ID: a526db3d70cb72d2e47159ba5ba1d0892e5bea49cd84f23f6d0ad84e29bbc077
Instruction ID: 5321416287bc39d053ecbb30ef741336467de92c9b797bc1ec2f90be2e64b36b
Opcode Fuzzy Hash: a526db3d70cb72d2e47159ba5ba1d0892e5bea49cd84f23f6d0ad84e29bbc077
Instruction Fuzzy Hash: A031E936E0AB5287EA599F69A95503C73B5FF48F90B184438DB094AA70CF3DA462C360

Function 00007FF8B7E0B710 Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

PyTuple_New.PYTHON313 ref: 00007FF8B7E0B722
SSL_CIPHER_get_name.LIBSSL-3 ref: 00007FF8B7E0B737
PyUnicode_FromString.PYTHON313 ref: 00007FF8B7E0B757
SSL_CIPHER_get_version.LIBSSL-3 ref: 00007FF8B7E0B769
PyUnicode_FromString.PYTHON313 ref: 00007FF8B7E0B789
SSL_CIPHER_get_bits.LIBSSL-3 ref: 00007FF8B7E0B79D
PyLong_FromLong.PYTHON313 ref: 00007FF8B7E0B7A5
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0B7C7

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: From$StringUnicode_$DeallocLongLong_R_get_bitsR_get_nameR_get_versionTuple_
String ID:
API String ID: 4201023408-0
Opcode ID: 92463eef1294cda53afe581ae51a2d528783200c8e0cbf85e32760b8a973adc4
Instruction ID: 176731da002713487ae397907a3d6b74ec41689c34af220acab6f9067d8e072b
Opcode Fuzzy Hash: 92463eef1294cda53afe581ae51a2d528783200c8e0cbf85e32760b8a973adc4
Instruction Fuzzy Hash: 3521AC35A0974286FE699F5DA95A23C22B6BF49FC5F0C4538CB0E473B4EE3CA4548700

Function 00007FF8B7E042F0 Relevance: 12.1, APIs: 8, Instructions: 54COMMON

Download Yara Rule

APIs

PyObject_GC_UnTrack.PYTHON313 ref: 00007FF8B7E04301
SSL_free.LIBSSL-3 ref: 00007FF8B7E04310
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0432A
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E04344
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0435E
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E04378
PyObject_GC_Del.PYTHON313 ref: 00007FF8B7E04381
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E04395

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Dealloc$Object_$L_freeTrack
String ID:
API String ID: 970091570-0
Opcode ID: cee24af58f0d0b4bd985d6a1c4317cc1ffa44846aa700be971282080e0d8bf44
Instruction ID: 36267414d6d2da35a27b86acfe541d9d306403b6766083d9fdedb2ba65290ed8
Opcode Fuzzy Hash: cee24af58f0d0b4bd985d6a1c4317cc1ffa44846aa700be971282080e0d8bf44
Instruction Fuzzy Hash: FF21B936D0A742C5FB59AF69965623C23A0FF46FD5F186431CB0A465B4CF3DE4818321

Function 00007FF8B7E07220 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 116COMMON

Download Yara Rule

APIs

_PyArg_UnpackKeywords.PYTHON313 ref: 00007FF8B7E072BA
_PyArg_BadArgument.PYTHON313 ref: 00007FF8B7E07305

Part of subcall function 00007FF8B7E03CEC: PyType_IsSubtype.PYTHON313 ref: 00007FF8B7E03CF9

PyObject_IsTrue.PYTHON313 ref: 00007FF8B7E0733D

Strings

_wrap_bio, xrefs: 00007FF8B7E072FE
argument 'incoming', xrefs: 00007FF8B7E072F3
argument 'outgoing', xrefs: 00007FF8B7E07329

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Arg_$ArgumentKeywordsObject_SubtypeTrueType_Unpack
String ID: _wrap_bio$argument 'incoming'$argument 'outgoing'
API String ID: 2315463680-586963342
Opcode ID: f16ab456cd38f5ad4e5e1d9d77e012ea5d8894ad1d0d8a34b45dad66e948cfd1
Instruction ID: b52c5fdb30c8f21f7879ee6226cfc14371aa1b67b824a41f498e1d5fc1de311a
Opcode Fuzzy Hash: f16ab456cd38f5ad4e5e1d9d77e012ea5d8894ad1d0d8a34b45dad66e948cfd1
Instruction Fuzzy Hash: 7D416862A09B8282EE649B5AE84266D63A4FF48FD4F444536EF4C53B74DF3CE495C300

Function 00007FF8B7E02358 Relevance: 10.6, APIs: 7, Instructions: 91COMMON

Download Yara Rule

APIs

OBJ_obj2txt.LIBCRYPTO-3 ref: 00007FF8B7E0239D
PyUnicode_FromStringAndSize.PYTHON313 ref: 00007FF8B7E023C3
OBJ_obj2txt.LIBCRYPTO-3 ref: 00007FF8B7E03BD8
PyMem_Malloc.PYTHON313 ref: 00007FF8B7E03BE5
OBJ_obj2txt.LIBCRYPTO-3 ref: 00007FF8B7E03BFF

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: J_obj2txt$FromMallocMem_SizeStringUnicode_
String ID:
API String ID: 2822617359-0
Opcode ID: 4b66cf8f34b4ec287d5df60869aa4060487ddbc370fdbcf9b23daf6b9612fe67
Instruction ID: 2926c7e76e76fd63ee9422236060c5a6abf7bd88b53968267f909854d09b2905
Opcode Fuzzy Hash: 4b66cf8f34b4ec287d5df60869aa4060487ddbc370fdbcf9b23daf6b9612fe67
Instruction Fuzzy Hash: 7E31BE31B18B5386F7659B2AA8467BE2294AF88FC8F485435DF4E83774DE3CE5458700

Function 00007FF8B7E03E50 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

SSL_SESSION_get_id.LIBSSL-3 ref: 00007FF8B7E03EA9
SSL_SESSION_get_id.LIBSSL-3 ref: 00007FF8B7E03EBB
memcmp.VCRUNTIME140 ref: 00007FF8B7E03ED4
PyErr_BadArgument.PYTHON313 ref: 00007FF8B7E03EFF
_PyErr_BadInternalCall.PYTHON313 ref: 00007FF8B7E03F36

Strings

D:\a\1\s\Modules\_ssl.c, xrefs: 00007FF8B7E03F2F

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Err_N_get_id$ArgumentCallInternalmemcmp
String ID: D:\a\1\s\Modules\_ssl.c
API String ID: 2709062062-132925792
Opcode ID: b8178fd329d4b949bb896fb8753143e5c5483302065639016455fbc1ad47988c
Instruction ID: b5214383bab2cdc062f2c1e2b876ef6fc8241aeec05783cab4ad2b2f166730ce
Opcode Fuzzy Hash: b8178fd329d4b949bb896fb8753143e5c5483302065639016455fbc1ad47988c
Instruction Fuzzy Hash: AC312C21A0974389EEA89B5DD49607D62B0FF54FC0F544439DB1E47BB4DE2DE8A18308

Function 00007FF8B7E06BEC Relevance: 10.6, APIs: 7, Instructions: 58COMMON

Download Yara Rule

APIs

BIO_ctrl_pending.LIBCRYPTO-3(?,?,?,?,?,00007FF8B7E06BCB), ref: 00007FF8B7E06BFF
BIO_ctrl_pending.LIBCRYPTO-3(?,?,?,?,?,00007FF8B7E06BCB), ref: 00007FF8B7E06C13
PyBytes_FromStringAndSize.PYTHON313(?,?,?,?,?,00007FF8B7E06BCB), ref: 00007FF8B7E06C2A
BIO_read.LIBCRYPTO-3(?,?,?,?,?,00007FF8B7E06BCB), ref: 00007FF8B7E06C49
PyType_GetModuleState.PYTHON313(?,?,?,?,?,00007FF8B7E06BCB), ref: 00007FF8B7E06C57
_Py_Dealloc.PYTHON313(?,?,?,?,?,00007FF8B7E06BCB), ref: 00007FF8B7E06C70
_PyBytes_Resize.PYTHON313(?,?,?,?,?,00007FF8B7E06BCB), ref: 00007FF8B7E06C9B

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Bytes_O_ctrl_pending$DeallocFromModuleO_readResizeSizeStateStringType_
String ID:
API String ID: 3878297189-0
Opcode ID: b8848187f8b2f1b85bfc9c98403a3cf27bfc81129d9601d0a9d5ca3547265ef7
Instruction ID: e4fd5b2a87973bc466c66ac7473b958074b9affa8c96e44c04be487799d164cf
Opcode Fuzzy Hash: b8848187f8b2f1b85bfc9c98403a3cf27bfc81129d9601d0a9d5ca3547265ef7
Instruction Fuzzy Hash: 54211F31B09B4286EB14AB2AE58623D63A1FF88FC5F584835DB1E466B4DF7DE4458700

Function 00007FF8B7E08E20 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON313(?,?,?,?,?,00007FF8B7E08E0D), ref: 00007FF8B7E08EAA
SSL_CTX_set_psk_client_callback.LIBSSL-3(?,?,?,?,?,00007FF8B7E08E0D), ref: 00007FF8B7E08EC9

Part of subcall function 00007FF8B7E06750: ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B7E06768
Part of subcall function 00007FF8B7E06750: ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B7E06791

Strings

Cannot add PSK client callback to a PROTOCOL_TLS_SERVER context, xrefs: 00007FF8B7E08E3F
callback must be callable, xrefs: 00007FF8B7E08E7D

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: DeallocR_clear_errorR_peek_last_errorX_set_psk_client_callback
String ID: Cannot add PSK client callback to a PROTOCOL_TLS_SERVER context$callback must be callable
API String ID: 2691713179-986965153
Opcode ID: e51830eb975dbc16f3a3c5cefdab1090143ffaac2c5bd252b6d9b27f1f336669
Instruction ID: 374e8c771f4433cc762b3c1afc8bb71758d91ddb6de084673e79508bf130e407
Opcode Fuzzy Hash: e51830eb975dbc16f3a3c5cefdab1090143ffaac2c5bd252b6d9b27f1f336669
Instruction Fuzzy Hash: E3210736A08B5286FA649B29E94617E63A1BF44FC4F044532DB0E97AB4DF7CE452C700

Function 00007FF8B7E0CBCC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

PyArg_Parse.PYTHON313 ref: 00007FF8B7E0CBF0
SSL_CTX_get0_param.LIBSSL-3 ref: 00007FF8B7E0CC03
X509_VERIFY_PARAM_get_flags.LIBCRYPTO-3 ref: 00007FF8B7E0CC0F
X509_VERIFY_PARAM_clear_flags.LIBCRYPTO-3 ref: 00007FF8B7E0CC2A
X509_VERIFY_PARAM_set_flags.LIBCRYPTO-3 ref: 00007FF8B7E0CC55

Strings

}, xrefs: 00007FF8B7E0CC5F

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: X509_$Arg_M_clear_flagsM_get_flagsM_set_flagsParseX_get0_param
String ID: }
API String ID: 1566575135-2784586233
Opcode ID: 34a11b25d548e90867ede705f9767b417e82e9383094fa6f29e7fc36470c5788
Instruction ID: abb9df938a53306696b47a30a650403295a0a8b647a3fe7a0f4366002f4aba7a
Opcode Fuzzy Hash: 34a11b25d548e90867ede705f9767b417e82e9383094fa6f29e7fc36470c5788
Instruction Fuzzy Hash: CB114C25B0874282F6149B6AE48617E67A0FF88FD4F045532DB5D86BB4DF3CE4458B04

Function 00007FF8B7E08CDC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

PyUnicode_FSConverter.PYTHON313 ref: 00007FF8B7E08CF4
OBJ_sn2nid.LIBCRYPTO-3 ref: 00007FF8B7E08D0E
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E08D28
PyErr_Format.PYTHON313 ref: 00007FF8B7E08D49
SSL_CTX_ctrl.LIBSSL-3 ref: 00007FF8B7E08D63

Part of subcall function 00007FF8B7E06750: ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B7E06768
Part of subcall function 00007FF8B7E06750: ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B7E06791

Strings

unknown elliptic curve name %R, xrefs: 00007FF8B7E08D3C

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: ConverterDeallocErr_FormatJ_sn2nidR_clear_errorR_peek_last_errorUnicode_X_ctrl
String ID: unknown elliptic curve name %R
API String ID: 3792718242-553976147
Opcode ID: a703c665c8f8ce21f91ad89f2817d872757a906e0885293eda2e0432237a20a1
Instruction ID: 29e2c1be06f0eb5f1042d66422cfffb9683c84618027623002a2eb15cb567941
Opcode Fuzzy Hash: a703c665c8f8ce21f91ad89f2817d872757a906e0885293eda2e0432237a20a1
Instruction Fuzzy Hash: 68113A71A08B4686EB10AF2AE84627E6361FF98FC4F444531DB0E966B4DF3CE844CB00

Function 00007FF8B7E04A20 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON313 ref: 00007FF8B7E04A49
PyCallable_Check.PYTHON313 ref: 00007FF8B7E04A5F
SSL_CTX_set_msg_callback.LIBSSL-3 ref: 00007FF8B7E04A6F
PyErr_SetString.PYTHON313 ref: 00007FF8B7E04A86
SSL_CTX_set_msg_callback.LIBSSL-3 ref: 00007FF8B7E04AA9

Strings

not a callable object, xrefs: 00007FF8B7E04A7C

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: X_set_msg_callback$Callable_CheckDeallocErr_String
String ID: not a callable object
API String ID: 3435843511-3332612890
Opcode ID: 726cce102c6430d15162787b07e244a7bdfb8f3c5053df446ebc80e8e958edf4
Instruction ID: 7fdd974b992cf7eae32efbc67d208d2d040ced73b733ecaaa3f4867be47ebc96
Opcode Fuzzy Hash: 726cce102c6430d15162787b07e244a7bdfb8f3c5053df446ebc80e8e958edf4
Instruction Fuzzy Hash: C111EC31A0874286F7589F29EA4623C23A0FF8AFD4F045531DB1E866B4EF3CE8618314

Function 00007FF8A92D1AAA Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

EC_KEY_get0_group.LIBCRYPTO-3 ref: 00007FF8A93118FC
ERR_new.LIBCRYPTO-3 ref: 00007FF8A9311906
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A931191E
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A9311930

Strings

..\s\ssl\tls_depr.c, xrefs: 00007FF8A9311917
ssl_set_tmp_ecdh_groups, xrefs: 00007FF8A931190B

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debugR_set_errorY_get0_group
String ID: ..\s\ssl\tls_depr.c$ssl_set_tmp_ecdh_groups
API String ID: 2690379533-3926364423
Opcode ID: f026fd3b7d6decc57a9fb4661f801f4d989f77cecbd1486f1fef7e002a76a4ce
Instruction ID: 116e8443c24dbbf6eea7ab3470a99325a1fba39384c0c20f32a11047dab3fad1
Opcode Fuzzy Hash: f026fd3b7d6decc57a9fb4661f801f4d989f77cecbd1486f1fef7e002a76a4ce
Instruction Fuzzy Hash: A1018F11F1EAC261FA54AF65B9517FA52B1EF887C0F946031EA5CC7B97ED2CE8404B40

Function 00007FF8B7E0CDB0 Relevance: 10.5, APIs: 7, Instructions: 37COMMON

Download Yara Rule

APIs

X509_OBJECT_new.LIBCRYPTO-3 ref: 00007FF8B7E0CDBD
X509_OBJECT_get_type.LIBCRYPTO-3 ref: 00007FF8B7E0CDD2
X509_OBJECT_get0_X509_CRL.LIBCRYPTO-3 ref: 00007FF8B7E0CDE5
X509_OBJECT_set1_X509_CRL.LIBCRYPTO-3 ref: 00007FF8B7E0CDF1
X509_OBJECT_get0_X509.LIBCRYPTO-3 ref: 00007FF8B7E0CDFC
X509_OBJECT_set1_X509.LIBCRYPTO-3 ref: 00007FF8B7E0CE08
X509_OBJECT_free.LIBCRYPTO-3 ref: 00007FF8B7E0CE15

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: X509_$T_get0_T_set1_X509$T_freeT_get_typeT_new
String ID:
API String ID: 4176268728-0
Opcode ID: d20d661c90b5d7aba11b465249715b122b9e2e1b30cf635b5a95bcd50beb5894
Instruction ID: e09253113164106db975909c3421228cab7a15aa90c828243ed6a922b93caf7e
Opcode Fuzzy Hash: d20d661c90b5d7aba11b465249715b122b9e2e1b30cf635b5a95bcd50beb5894
Instruction Fuzzy Hash: FD013720A0C7038AFA686B2EA99A17D1661AF49FC1B185835CE0F867B4DE2CE4955300

Function 00007FF8B7E0C940 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

PyArg_Parse.PYTHON313 ref: 00007FF8B7E0C95B
PyErr_SetString.PYTHON313 ref: 00007FF8B7E0C984
SSL_CTX_set_num_tickets.LIBSSL-3 ref: 00007FF8B7E0C9A2

Strings

SSLContext is not a server context., xrefs: 00007FF8B7E0C992
value must be non-negative, xrefs: 00007FF8B7E0C973
failed to set num tickets., xrefs: 00007FF8B7E0C9AD

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Arg_Err_ParseStringX_set_num_tickets
String ID: SSLContext is not a server context.$failed to set num tickets.$value must be non-negative
API String ID: 2446201869-3995814857
Opcode ID: 55b14eddbc4ff875b45089a82414cdb84d8d4f6b79c6ec6c3059c3bb241df56c
Instruction ID: 6501b5b1999c1b5d52eba79e20ca3007d41f4b14eaef85e5e50e756f6c9f4ac7
Opcode Fuzzy Hash: 55b14eddbc4ff875b45089a82414cdb84d8d4f6b79c6ec6c3059c3bb241df56c
Instruction Fuzzy Hash: 4B01EC61A0870395FA649B6DE8961BD2371AF49FD0B945133DB1E466F4EF2CE484D700

Function 00007FF8B7E095F4 Relevance: 9.1, APIs: 6, Instructions: 72COMMON

Download Yara Rule

APIs

SSL_get_peer_cert_chain.LIBSSL-3 ref: 00007FF8B7E09612
SSL_get1_peer_certificate.LIBSSL-3 ref: 00007FF8B7E0964F
PyList_Insert.PYTHON313 ref: 00007FF8B7E0969F
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E096B5

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: DeallocInsertL_get1_peer_certificateL_get_peer_cert_chainList_
String ID:
API String ID: 710524685-0
Opcode ID: 2a8a9efd57526c0bec9be7d550f67dea475114a1fb0f0e1ee01a7b6c31f10a96
Instruction ID: 6e9d8516505b2dd4cd4662184741e8918c33cb5a6b7d68ab7900dfcab4a3d557
Opcode Fuzzy Hash: 2a8a9efd57526c0bec9be7d550f67dea475114a1fb0f0e1ee01a7b6c31f10a96
Instruction Fuzzy Hash: 9F312D35A09B4286EB589F2AE55623D23A1AF49FD4F084530DB1E477B4EF3CE4518740

Function 00007FF8B7E04B18 Relevance: 9.1, APIs: 6, Instructions: 61COMMON

Download Yara Rule

APIs

OPENSSL_sk_num.LIBCRYPTO-3 ref: 00007FF8B7E04B37
PyList_New.PYTHON313 ref: 00007FF8B7E04B43
OPENSSL_sk_value.LIBCRYPTO-3 ref: 00007FF8B7E04B5C
X509_up_ref.LIBCRYPTO-3 ref: 00007FF8B7E04B80
PyList_SetItem.PYTHON313 ref: 00007FF8B7E04B98
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E04BB7

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: List_$DeallocItemL_sk_numL_sk_valueX509_up_ref
String ID:
API String ID: 2540853196-0
Opcode ID: f02a2369d474250ce9433e7b8d8579a0e0b3a1ea88ec5edd4c1adcccd92609b7
Instruction ID: 91fe9614d4ea37d1d3e0bd31c8822f39a5677c44b104a27248d47df76bfb17ae
Opcode Fuzzy Hash: f02a2369d474250ce9433e7b8d8579a0e0b3a1ea88ec5edd4c1adcccd92609b7
Instruction Fuzzy Hash: 4011D322A09B4285EA199F6AAD4527D62D0BF8AFE4F044930DF2D463B0DF3CD4418750

Function 00007FF8B7E07488 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

_PyArg_UnpackKeywords.PYTHON313 ref: 00007FF8B7E0751F
_PyArg_BadArgument.PYTHON313 ref: 00007FF8B7E07565
PyObject_IsTrue.PYTHON313 ref: 00007FF8B7E07571

Strings

argument 'sock', xrefs: 00007FF8B7E0754C
_wrap_socket, xrefs: 00007FF8B7E07556

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Arg_$ArgumentKeywordsObject_TrueUnpack
String ID: _wrap_socket$argument 'sock'
API String ID: 2318005752-3343203394
Opcode ID: ae796939e2e30310eca4af33574f08729212d6943f6cd3f9311b7a6f2636a1dd
Instruction ID: 12945e4f00d5e98b346223d2fa2e61a934a85cd5656af6825927324e84ca3495
Opcode Fuzzy Hash: ae796939e2e30310eca4af33574f08729212d6943f6cd3f9311b7a6f2636a1dd
Instruction Fuzzy Hash: 54417722B08B5296EE619B1AA8426AE67A4FF08FD4F444436DF4C57BB4DF3CE495C700

Function 00007FF8B7E069FC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

PyType_GetModuleByDef.PYTHON313 ref: 00007FF8B7E06A2B
PyModule_GetState.PYTHON313 ref: 00007FF8B7E06A34
_PyArg_NoPositional.PYTHON313 ref: 00007FF8B7E06A68
_PyArg_NoKeywords.PYTHON313 ref: 00007FF8B7E06A8E

Strings

MemoryBIO, xrefs: 00007FF8B7E06A61, 00007FF8B7E06A87

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Arg_$KeywordsModuleModule_PositionalStateType_
String ID: MemoryBIO
API String ID: 2980520244-1677681617
Opcode ID: ca18d1771a59ede004ed5e688188525dc8ca9f7a4255000161e133c28530aad8
Instruction ID: 92b7c3ce77b7806846336c48d6951c04ce75c115311727d6a7df152731692e50
Opcode Fuzzy Hash: ca18d1771a59ede004ed5e688188525dc8ca9f7a4255000161e133c28530aad8
Instruction Fuzzy Hash: 34211521A09B4285EA54AB1AE84227E67B4FF44FC4F488032DF4D47774EF7CE9A58300

Function 00007FF8B7E045D8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8B7E03CEC: PyType_IsSubtype.PYTHON313 ref: 00007FF8B7E03CF9

_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0461B
SSL_set_SSL_CTX.LIBSSL-3 ref: 00007FF8B7E0462D
SSL_set_msg_callback.LIBSSL-3 ref: 00007FF8B7E0464F
PyErr_SetString.PYTHON313 ref: 00007FF8B7E0466A

Strings

The value must be a SSLContext, xrefs: 00007FF8B7E04660

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: DeallocErr_L_set_L_set_msg_callbackStringSubtypeType_
String ID: The value must be a SSLContext
API String ID: 40619448-677980480
Opcode ID: 1305fe11475873808bc867462c34bc72e04dd9ebe05a14b25f697de9632d2ea4
Instruction ID: d5e7579d60a03a1aa0da87657f0bdf3808f43b2e3c3ffb72676b9e37b0c87ffb
Opcode Fuzzy Hash: 1305fe11475873808bc867462c34bc72e04dd9ebe05a14b25f697de9632d2ea4
Instruction Fuzzy Hash: BE1126B6A08B4285EB149F2AEA8612D23A0FF8AFC8B104131CB4D87778DF3CD4548310

Function 00007FF8B7E02260 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

OBJ_txt2obj.LIBCRYPTO-3 ref: 00007FF8B7E02280
PyModule_GetState.PYTHON313 ref: 00007FF8B7E02295

Part of subcall function 00007FF8B7E022C8: OBJ_obj2nid.LIBCRYPTO-3(?,?,?,?,?,00007FF8B7E022A6), ref: 00007FF8B7E022EA
Part of subcall function 00007FF8B7E022C8: OBJ_nid2sn.LIBCRYPTO-3(?,?,?,?,?,00007FF8B7E022A6), ref: 00007FF8B7E022FC
Part of subcall function 00007FF8B7E022C8: OBJ_nid2ln.LIBCRYPTO-3(?,?,?,?,?,00007FF8B7E022A6), ref: 00007FF8B7E02307
Part of subcall function 00007FF8B7E022C8: Py_BuildValue.PYTHON313(?,?,?,?,?,00007FF8B7E022A6), ref: 00007FF8B7E02335

ASN1_OBJECT_free.LIBCRYPTO-3 ref: 00007FF8B7E022AC
PyErr_Format.PYTHON313 ref: 00007FF8B7E03B7E

Strings

unknown object '%.100s', xrefs: 00007FF8B7E03B71

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: BuildErr_FormatJ_nid2lnJ_nid2snJ_obj2nidJ_txt2objModule_StateT_freeValue
String ID: unknown object '%.100s'
API String ID: 3313133940-3113687063
Opcode ID: a3d5c27b3a59ceb3e9b76a6530f941593e8bf70ef6e0805ff994e8b2e3df9fe0
Instruction ID: 5bd231ee63ea2b6c381f4d826a28d3af8dd9343b15fb9912d29e0df368ce6918
Opcode Fuzzy Hash: a3d5c27b3a59ceb3e9b76a6530f941593e8bf70ef6e0805ff994e8b2e3df9fe0
Instruction Fuzzy Hash: 21F08C24B08B4282EE09EB6BB95503D62A1AF8CFC0B488434DF0E47B74DE2CE5418700

Function 00007FF8B7E0B390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

X509_get_subject_name.LIBCRYPTO-3 ref: 00007FF8B7E0B3AA
PyType_GetModuleState.PYTHON313 ref: 00007FF8B7E0B3B6

Part of subcall function 00007FF8B7E0B1CC: BIO_s_mem.LIBCRYPTO-3 ref: 00007FF8B7E0B1E6
Part of subcall function 00007FF8B7E0B1CC: BIO_new.LIBCRYPTO-3 ref: 00007FF8B7E0B1EF
Part of subcall function 00007FF8B7E0B1CC: PyErr_SetString.PYTHON313 ref: 00007FF8B7E0B210

PyUnicode_FromFormat.PYTHON313 ref: 00007FF8B7E0B3E1
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0B3F8

Strings

<%s '%U'>, xrefs: 00007FF8B7E0B3D3

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: DeallocErr_FormatFromModuleO_newO_s_memStateStringType_Unicode_X509_get_subject_name
String ID: <%s '%U'>
API String ID: 652521511-3496504151
Opcode ID: ac0ec37f53dc304a1c658a581da0e647366d60a2732bb4336fb4d754c58b5739
Instruction ID: 3ec1505c1e54ff8364d7665691bc3a3adb0b40c0fb69e7ed2840a679355bf018
Opcode Fuzzy Hash: ac0ec37f53dc304a1c658a581da0e647366d60a2732bb4336fb4d754c58b5739
Instruction Fuzzy Hash: 3C014B21A09B8281EA04AB1AED4612E63B1FF48FD4F584430DF0E07BB9DF3CE8818300

Function 00007FF8A92D1A00 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A92F2C52
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92F2C6A
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A92F2C7C

Strings

SSL_peek, xrefs: 00007FF8A92F2C57
..\s\ssl\ssl_lib.c, xrefs: 00007FF8A92F2C63

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: ..\s\ssl\ssl_lib.c$SSL_peek
API String ID: 1552677711-1473178562
Opcode ID: 549a85a6a9ca516ca552cd83e4dd37cc7eedca88ab8cc295ff787cddf5c172ec
Instruction ID: 9485da3d7aed71c5d289a89f277bfc89ac5b7e7d98d1903c7d7662aafc145503
Opcode Fuzzy Hash: 549a85a6a9ca516ca552cd83e4dd37cc7eedca88ab8cc295ff787cddf5c172ec
Instruction Fuzzy Hash: 7BF08C20F0F9C2A2F604BB68C802AEA1160DF85380FD15170E22CC6AEBCE2DE5564A00

Function 00007FF8A92FAA00 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A92FAA12
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92FAA2A
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A92FAA3C

Strings

..\s\ssl\ssl_rsa.c, xrefs: 00007FF8A92FAA23
SSL_use_PrivateKey, xrefs: 00007FF8A92FAA17

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: ..\s\ssl\ssl_rsa.c$SSL_use_PrivateKey
API String ID: 1552677711-3350344708
Opcode ID: 39aeeff93d880d088d74853257a303468bb6a027ed3e7ecd6526d0c7d711cfc0
Instruction ID: 0175133fc619df2629976374e305e16fb19ac0e6f4998dd67affecdeb9891e60
Opcode Fuzzy Hash: 39aeeff93d880d088d74853257a303468bb6a027ed3e7ecd6526d0c7d711cfc0
Instruction Fuzzy Hash: C3E09A84F1F9C2A2F648BB2888023F901E1EFC43C4F949030E61CC2A9AED2CE9565B00

Function 00007FF8A92EBAE0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 15COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A92EBAED
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A92EBB05
ERR_set_error.LIBCRYPTO-3 ref: 00007FF8A92EBB17

Strings

ssl_undefined_function, xrefs: 00007FF8A92EBAF2
..\s\ssl\ssl_lib.c, xrefs: 00007FF8A92EBAFE

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debugR_set_error
String ID: ..\s\ssl\ssl_lib.c$ssl_undefined_function
API String ID: 1552677711-2204979087
Opcode ID: fa62eb7b6bdd85fb143c93fc1e3778cc4d93ca25408ae27ce5f80f185e636620
Instruction ID: 48e73564f45f789bf8ee5b7bfd8a92c934fdba5563b864c35f51934a77310bea
Opcode Fuzzy Hash: fa62eb7b6bdd85fb143c93fc1e3778cc4d93ca25408ae27ce5f80f185e636620
Instruction Fuzzy Hash: ACD01704F1E9C362F744BB64D8026EA42A0EFC2380FC06071E61CC2AE6DE2CF9465A10

Function 00007FF8B7E04418 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

SSL_get_session.LIBSSL-3 ref: 00007FF8B7E0442E

Part of subcall function 00007FF8B7E0B0D8: PyErr_SetString.PYTHON313(?,?,?,00007FF8B7E04441), ref: 00007FF8B7E0B1B4

SSL_get1_session.LIBSSL-3 ref: 00007FF8B7E0444E
_PyObject_GC_New.PYTHON313 ref: 00007FF8B7E04468
SSL_SESSION_free.LIBSSL-3 ref: 00007FF8B7E04479
PyObject_GC_Track.PYTHON313 ref: 00007FF8B7E04499

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Object_$Err_L_get1_sessionL_get_sessionN_freeStringTrack
String ID:
API String ID: 3192219654-0
Opcode ID: c861e7a7aadf731a572878395386c96f0e78622909d4b8640872e1e2514ec5eb
Instruction ID: 153328d14b67042add4f273eb060a3446fd8562e42540114ea3a363c144f23c7
Opcode Fuzzy Hash: c861e7a7aadf731a572878395386c96f0e78622909d4b8640872e1e2514ec5eb
Instruction Fuzzy Hash: 4411FB21A09B4282EB68DB1AE55613C23A4FF8AFD4B140434DF4E437B4DE3CE451C750

Function 00007FF8B7E03D44 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

PyObject_GC_UnTrack.PYTHON313 ref: 00007FF8B7E03D55
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E03D6F
SSL_SESSION_free.LIBSSL-3 ref: 00007FF8B7E03D7E
PyObject_GC_Del.PYTHON313 ref: 00007FF8B7E03D87
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E03D9B

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: DeallocObject_$N_freeTrack
String ID:
API String ID: 1683932209-0
Opcode ID: 5e3b974277e0d080a44ffef78fbe9adc2da57aa96480a0f92db5f8523df83b7b
Instruction ID: 48f4bcd824d4e54b96b3e7fac6c05f51017621591e3db42f85d2014a2b7565c1
Opcode Fuzzy Hash: 5e3b974277e0d080a44ffef78fbe9adc2da57aa96480a0f92db5f8523df83b7b
Instruction Fuzzy Hash: B9F0EC36A09B8286EA59AF69E94623C63B1FF45FD5F085434CB1A02674CF3DE4918305

Function 00007FF8A9330929 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A9330B24
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9330B3C

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A9330B35
ossl_statem_client13_write_transition, xrefs: 00007FF8A9330B2E

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debug
String ID: ..\s\ssl\statem\statem_clnt.c$ossl_statem_client13_write_transition
API String ID: 193678381-2379272181
Opcode ID: 6b6ed7f3a678ecc75a7d747022675d142700c22842b4c3ad729f0346f2aae6d1
Instruction ID: 825e8e52cabb6d349f994d9353299f3c0115748c76d33cc90f3c1fc71138a197
Opcode Fuzzy Hash: 6b6ed7f3a678ecc75a7d747022675d142700c22842b4c3ad729f0346f2aae6d1
Instruction Fuzzy Hash: 0CF0B451F1E8C266F304AF55A891BFA57A4DF483C9F549030EA2DC6AA6DF6CE6438700

Function 00007FF8A92D1A87 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

Strings

..\s\ssl\statem\extensions_srvr.c, xrefs: 00007FF8A932AFAC
tls_construct_stoc_use_srtp, xrefs: 00007FF8A932AFA0

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID:
String ID: ..\s\ssl\statem\extensions_srvr.c$tls_construct_stoc_use_srtp
API String ID: 0-3251434361
Opcode ID: 84c188ee20a0f76bfa9c0c709dfe6b6ec2666fe4937065e7168e3bfb6fe92372
Instruction ID: bbc5bfcb49d90c8026604683a01aee5fc8b134665427de9ce7759d780cff5063
Opcode Fuzzy Hash: 84c188ee20a0f76bfa9c0c709dfe6b6ec2666fe4937065e7168e3bfb6fe92372
Instruction Fuzzy Hash: F6218350B1D98366F754AE12E9557BA1294DF847C4F485030FE1ECBAD7DE6DE8424700

Function 00007FF8A92D1910 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A932D411
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A932D429

Strings

..\s\ssl\statem\extensions_srvr.c, xrefs: 00007FF8A932D422
tls_parse_ctos_psk_kex_modes, xrefs: 00007FF8A932D416

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debug
String ID: ..\s\ssl\statem\extensions_srvr.c$tls_parse_ctos_psk_kex_modes
API String ID: 193678381-1556962829
Opcode ID: 33604cd678edd1714455931c61e95bde2b8e51120d444036276197e49c314a78
Instruction ID: 3bf632e1ebd684d325637c9a55457950fa65429c9adfe86408715efffe5183ba
Opcode Fuzzy Hash: 33604cd678edd1714455931c61e95bde2b8e51120d444036276197e49c314a78
Instruction Fuzzy Hash: 2821F961E1EBD252F7145F21D4016B963E0EF657C4F246131DF5DC6686EF2CE6808A04

Function 00007FF8A92D1AF0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A932A400
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A932A418

Strings

..\s\ssl\statem\extensions_srvr.c, xrefs: 00007FF8A932A411
tls_construct_stoc_next_proto_neg, xrefs: 00007FF8A932A405

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debug
String ID: ..\s\ssl\statem\extensions_srvr.c$tls_construct_stoc_next_proto_neg
API String ID: 193678381-2301358877
Opcode ID: b49246553786306b50dd6dc612e1d4f988b3be84251c60a258ac4ce42bf04a05
Instruction ID: ffafe09d5cb5577492bbf3cc6092902ff4e6929ee6a91285deb37cfaf4a8016a
Opcode Fuzzy Hash: b49246553786306b50dd6dc612e1d4f988b3be84251c60a258ac4ce42bf04a05
Instruction Fuzzy Hash: 3821B02170EA8252FB408F15E5047AB63A4EF857C8F180031DE1CCBBDADE2DE5418B00

Function 00007FF8A92D1AA5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A932A77C
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A932A794

Strings

..\s\ssl\statem\extensions_srvr.c, xrefs: 00007FF8A932A78D
tls_construct_stoc_server_name, xrefs: 00007FF8A932A781

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debug
String ID: ..\s\ssl\statem\extensions_srvr.c$tls_construct_stoc_server_name
API String ID: 193678381-1140354471
Opcode ID: 3a756125b3207988a74fb8d1924fecf43250ba1ea85abce27b618cecaadc4e08
Instruction ID: befbde1a824619015a71b8ec7173bbc9f4fbab27f5502c5b1b7bd553f7751a9a
Opcode Fuzzy Hash: 3a756125b3207988a74fb8d1924fecf43250ba1ea85abce27b618cecaadc4e08
Instruction Fuzzy Hash: 5511D651B0E9C262F7949F5AE5447B922B0DF987C8F185031EE1CC77D6DE2DD4828704

Function 00007FF8B7E0B280 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

PyUnicode_InternFromString.PYTHON313(?,?,00000000,00007FF8B7E0A90A), ref: 00007FF8B7E0B29B
PyUnicode_InternFromString.PYTHON313(?,?,00000000,00007FF8B7E0A90A), ref: 00007FF8B7E0B2C0

Strings

x509_asn, xrefs: 00007FF8B7E0B294
pkcs_7_asn, xrefs: 00007FF8B7E0B2B9

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: FromInternStringUnicode_
String ID: pkcs_7_asn$x509_asn
API String ID: 3337471625-3375957347
Opcode ID: 558d5d3a9ef559b9bb73cef6fa9e1e05407cb85e81fbae4b2e71b342289d17a6
Instruction ID: a198d6825e101a327c7a5af85a8d6877028e0d27e8dd4c06ca70277f84a27f9f
Opcode Fuzzy Hash: 558d5d3a9ef559b9bb73cef6fa9e1e05407cb85e81fbae4b2e71b342289d17a6
Instruction Fuzzy Hash: 5B11C931E1AB8786FA598B5DDCA223C22E5BF58FC0F140435CB0D467B0EE2DB855C614

Function 00007FF8B7E06B58 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON313 ref: 00007FF8B7E06B96
PyLong_AsInt.PYTHON313 ref: 00007FF8B7E06BA9
PyErr_Occurred.PYTHON313 ref: 00007FF8B7E06BB6

Strings

read, xrefs: 00007FF8B7E06B8F

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Arg_CheckErr_Long_OccurredPositional
String ID: read
API String ID: 3612027452-2555855207
Opcode ID: 306359e4f8596419864749e46a6279d9dcbf16e10bf7bab82334e129a622ebfc
Instruction ID: f9cd90979bd6a88b95a462510a0806f06df0510f25e7f92e48f1a4f5f2e4102b
Opcode Fuzzy Hash: 306359e4f8596419864749e46a6279d9dcbf16e10bf7bab82334e129a622ebfc
Instruction Fuzzy Hash: 92019671B04B5185E654AF2EA84216D67A4EF88FE0B584131DF1D877B5CF3DE441C700

Function 00007FF8A92D197E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A9331D05
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9331D1D

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A9331D16
ossl_statem_client_process_message, xrefs: 00007FF8A9331D0A

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debug
String ID: ..\s\ssl\statem\statem_clnt.c$ossl_statem_client_process_message
API String ID: 193678381-2227591447
Opcode ID: 083bc0b3878b8df8ef9653f6ca2ddd825175a9e00182c5828b5fdfcc1ac445d3
Instruction ID: dbe46f457a2eff9728b5c6afbc5fd8176b532bba990c33e9d25df80e8fc4f530
Opcode Fuzzy Hash: 083bc0b3878b8df8ef9653f6ca2ddd825175a9e00182c5828b5fdfcc1ac445d3
Instruction Fuzzy Hash: F901A221B0DAC166E3009F55A8406BA6764EB887D4F588131EA1DC7BAACF2CE5428B40

Function 00007FF8B7E04BD8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8B7E04BFA
PyUnicode_DecodeUTF8.PYTHON313 ref: 00007FF8B7E04C14
PyErr_SetString.PYTHON313 ref: 00007FF8B7E04C2D

Strings

Not a memory BIO, xrefs: 00007FF8B7E04C23

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: DecodeErr_O_ctrlStringUnicode_
String ID: Not a memory BIO
API String ID: 3520065620-587638661
Opcode ID: f1e569248959cc17e58cb0b44c7309055625ae041323eb1d6d1c9383251d7a75
Instruction ID: f79eed4928ed4dce1d7487e8d2df6d4eac1ce4b9ba6e959422f9bce72df08b20
Opcode Fuzzy Hash: f1e569248959cc17e58cb0b44c7309055625ae041323eb1d6d1c9383251d7a75
Instruction Fuzzy Hash: 81F09062A2974686FB54DB55E49677D2360FF8AFC0F044430EF0E46634DF2CE4488B00

Function 00007FF8B7E0A174 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

SSL_is_init_finished.LIBSSL-3 ref: 00007FF8B7E0A193
SSL_get_version.LIBSSL-3 ref: 00007FF8B7E0A1A1
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8B7E0A1B4

Strings

unknown, xrefs: 00007FF8B7E0A1AA

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: L_get_versionL_is_init_finishedstrcmp
String ID: unknown
API String ID: 1061301088-2904991687
Opcode ID: 04eff36e8d469e84f2ca1cf35a2ed1872a9e83a530f5f4b8b6950c01da9fa9a3
Instruction ID: fd423f4497cd3efbc1839f3347bdb3dc0f1262b153d9d64e4e6e1bd8c722101d
Opcode Fuzzy Hash: 04eff36e8d469e84f2ca1cf35a2ed1872a9e83a530f5f4b8b6950c01da9fa9a3
Instruction Fuzzy Hash: B0F0AC51F0970685FE599B6EA99617D1360EF58FC4B481435CF1E4A2B1EE1CE4918390

Function 00007FF8B7E04ABC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

BIO_ctrl.LIBCRYPTO-3 ref: 00007FF8B7E04ADA
PyBytes_FromStringAndSize.PYTHON313 ref: 00007FF8B7E04AF1
PyErr_SetString.PYTHON313 ref: 00007FF8B7E04B0A

Strings

Not a memory BIO, xrefs: 00007FF8B7E04B00

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: String$Bytes_Err_FromO_ctrlSize
String ID: Not a memory BIO
API String ID: 2349510700-587638661
Opcode ID: 614c871b5d69d04367f3485d5a2068cd9391e9c87421409b60ef2095a56860c2
Instruction ID: b119f801d08dde2a1ba5066fcc758e0586e2ec17cb22dcd5a3c633df1e92d209
Opcode Fuzzy Hash: 614c871b5d69d04367f3485d5a2068cd9391e9c87421409b60ef2095a56860c2
Instruction Fuzzy Hash: 08F05461A2974282EB54EB99E59677D2360FF89FC0F404131DB0E46534DF3CE4488B00

Function 00007FF8A9331AD2 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A9331AD2
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9331AEB

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A9331AE4
tls_process_hello_req, xrefs: 00007FF8A9331AD8

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debug
String ID: ..\s\ssl\statem\statem_clnt.c$tls_process_hello_req
API String ID: 193678381-485657334
Opcode ID: 85b2c7d74f8c13f43fbafbd6ff756a411239b8db682c816e6e91a5e471bc1a98
Instruction ID: dc76879deaeac0df25f3f4446b35e7650e6a6fdc9e7d612e3864fe561235ade5
Opcode Fuzzy Hash: 85b2c7d74f8c13f43fbafbd6ff756a411239b8db682c816e6e91a5e471bc1a98
Instruction Fuzzy Hash: 98E0E621B1D9C261F7409F17F8015A69365EBD47C0F891032DA1DD7F9B9E7CE5418B00

Function 00007FF8A93309F9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16COMMON

Download Yara Rule

APIs

ERR_new.LIBCRYPTO-3 ref: 00007FF8A93309FE
ERR_set_debug.LIBCRYPTO-3 ref: 00007FF8A9330B3C

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A9330B35
ossl_statem_client13_write_transition, xrefs: 00007FF8A9330B2E

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_newR_set_debug
String ID: ..\s\ssl\statem\statem_clnt.c$ossl_statem_client13_write_transition
API String ID: 193678381-2379272181
Opcode ID: d1418f55befd4cb8194a7d74475eb19e2d2ade963d13e12c9d424808c2afc6ab
Instruction ID: 52ac1ed4e09bc0ce51cc77d40109aeac637c4b2a496f9b7788a83f88abf69238
Opcode Fuzzy Hash: d1418f55befd4cb8194a7d74475eb19e2d2ade963d13e12c9d424808c2afc6ab
Instruction Fuzzy Hash: 2FE0C220F0EDC3B6F300AF61A851AFA22A0DF803C4F442031C52DCA986CF7CE5828B40

Function 00007FF8B7E044E4 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3b1b217dd87b9cdff0051c7a522b275c981540d18aa848822694e7bde4f8ad
Instruction ID: 5a09d95966125fed5c279489a93d10f37a2ce409111f0340fe240f55a10b9d84
Opcode Fuzzy Hash: 0c3b1b217dd87b9cdff0051c7a522b275c981540d18aa848822694e7bde4f8ad
Instruction Fuzzy Hash: 60219F22A1DB4586EB208B28E55636E63A0FF4ABD4F140635DF5D47BB4DF3CE4018A40

Function 00007FF8B7E09874 Relevance: 6.0, APIs: 4, Instructions: 40threadCOMMON

Download Yara Rule

APIs

PyEval_SaveThread.PYTHON313 ref: 00007FF8B7E09893
SSL_pending.LIBSSL-3 ref: 00007FF8B7E098A0

Part of subcall function 00007FF8B7E04C3C: WSAGetLastError.WS2_32 ref: 00007FF8B7E04C60
Part of subcall function 00007FF8B7E04C3C: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8B7E04C69
Part of subcall function 00007FF8B7E04C3C: SSL_get_error.LIBSSL-3 ref: 00007FF8B7E04C79

PyEval_RestoreThread.PYTHON313 ref: 00007FF8B7E098CE
PyLong_FromLong.PYTHON313 ref: 00007FF8B7E098F8

Part of subcall function 00007FF8B7E040A0: ERR_peek_last_error.LIBCRYPTO-3 ref: 00007FF8B7E040D3
Part of subcall function 00007FF8B7E040A0: ERR_clear_error.LIBCRYPTO-3 ref: 00007FF8B7E04290

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Eval_Thread$ErrorFromL_get_errorL_pendingLastLongLong_R_clear_errorR_peek_last_errorRestoreSave_errno
String ID:
API String ID: 1598009871-0
Opcode ID: 0b925e4de1628a0aa8a02a6ee33751e7265bea7ba4bde3468cdaf90fb960a081
Instruction ID: ac8e7c8e7fd34bd2893cdc5d4eb69e59a69abcdd7de2f1767ec34fa5d2db0c5d
Opcode Fuzzy Hash: 0b925e4de1628a0aa8a02a6ee33751e7265bea7ba4bde3468cdaf90fb960a081
Instruction Fuzzy Hash: 46011826A08B8987E620EF6AF44102EB770FF9ABC0B004535DB8A17B75DF3CE4518B00

Function 00007FF8B7E02F60 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF8B7E02F8C
GetCurrentThreadId.KERNEL32 ref: 00007FF8B7E02F9A
GetCurrentProcessId.KERNEL32 ref: 00007FF8B7E02FA6
QueryPerformanceCounter.KERNEL32 ref: 00007FF8B7E02FB6

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 76cc7d293dce52ac903e1c4f27db05cd87f84480e9050da05d46ae017720b8e1
Instruction ID: ab77bb7759e220672dac2b3c4e34c0eba5c7abb4b17e928d51248410c94c3c1e
Opcode Fuzzy Hash: 76cc7d293dce52ac903e1c4f27db05cd87f84480e9050da05d46ae017720b8e1
Instruction Fuzzy Hash: BF111822B14B058AEB009F64E8556AC33A4FB19B98F440E35EB6D867B8DF7CD1588340

Function 00007FF8A92F7910 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A92D2068: ENGINE_finish.LIBCRYPTO-3 ref: 00007FF8A9311AF2

ERR_set_mark.LIBCRYPTO-3 ref: 00007FF8A92F793C
OBJ_nid2sn.LIBCRYPTO-3 ref: 00007FF8A92F7943
EVP_MD_fetch.LIBCRYPTO-3 ref: 00007FF8A92F7951
ERR_pop_to_mark.LIBCRYPTO-3 ref: 00007FF8A92F7959

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: D_fetchE_finishJ_nid2snR_pop_to_markR_set_mark
String ID:
API String ID: 1050435054-0
Opcode ID: 71a8fe30544841901ec2cd813948a715ddddd375b3fccfefb1e4f0f014fa3cca
Instruction ID: 817bf21767774d962f7f3323a2a7ed1d0e01c69952351dcab7f6337a74b561d6
Opcode Fuzzy Hash: 71a8fe30544841901ec2cd813948a715ddddd375b3fccfefb1e4f0f014fa3cca
Instruction Fuzzy Hash: 4FF0A010F0EBC151FA446F6268411B985A4DF88FC1F489438FE6D87B8BDE6CE8124600

Function 00007FF8B7E0915C Relevance: 6.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

SSL_get_current_compression.LIBSSL-3 ref: 00007FF8B7E0916B
COMP_get_type.LIBCRYPTO-3 ref: 00007FF8B7E0917C
COMP_get_type.LIBCRYPTO-3 ref: 00007FF8B7E09189
OBJ_nid2sn.LIBCRYPTO-3 ref: 00007FF8B7E09191

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: P_get_type$J_nid2snL_get_current_compression
String ID:
API String ID: 142675065-0
Opcode ID: 51ca6c13a2da8e7b379f815c49c805c9e0782a57b779b588ae312d20034b652a
Instruction ID: 450d5e9dfee6c29d624742d4383433f6fdb0c642bed4136dcfd67942096e4a23
Opcode Fuzzy Hash: 51ca6c13a2da8e7b379f815c49c805c9e0782a57b779b588ae312d20034b652a
Instruction Fuzzy Hash: 10F0A211F5AB4389FE5D6B6D685A13C12A0AF48FC5B191434CF0E0A3B0DE3DE8958650

Function 00007FF8B7E0B8BC Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

PyObject_GC_UnTrack.PYTHON313 ref: 00007FF8B7E0B8CD

Part of subcall function 00007FF8B7E0B7DC: _Py_Dealloc.PYTHON313 ref: 00007FF8B7E0B807
Part of subcall function 00007FF8B7E0B7DC: _Py_Dealloc.PYTHON313 ref: 00007FF8B7E0B824
Part of subcall function 00007FF8B7E0B7DC: _Py_Dealloc.PYTHON313 ref: 00007FF8B7E0B841
Part of subcall function 00007FF8B7E0B7DC: _Py_Dealloc.PYTHON313 ref: 00007FF8B7E0B85E
Part of subcall function 00007FF8B7E0B7DC: _Py_Dealloc.PYTHON313 ref: 00007FF8B7E0B87B
Part of subcall function 00007FF8B7E0B7DC: PyEval_SaveThread.PYTHON313 ref: 00007FF8B7E0B887
Part of subcall function 00007FF8B7E0B7DC: BIO_free_all.LIBCRYPTO-3 ref: 00007FF8B7E0B894
Part of subcall function 00007FF8B7E0B7DC: PyEval_RestoreThread.PYTHON313 ref: 00007FF8B7E0B89D

SSL_CTX_free.LIBSSL-3 ref: 00007FF8B7E0B8DF
PyMem_Free.PYTHON313 ref: 00007FF8B7E0B8E9
_Py_Dealloc.PYTHON313 ref: 00007FF8B7E0B90A

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Dealloc$Eval_Thread$FreeMem_O_free_allObject_RestoreSaveTrackX_free
String ID:
API String ID: 3459953665-0
Opcode ID: 72aff0f2359281f851c1275e4a4f1b48a4a4cbc0dad32b1459e0230223490c2b
Instruction ID: 2d13591aed914a1425d0d46a73d7fd1c578b5895bd61cd0e5042b61c42e84492
Opcode Fuzzy Hash: 72aff0f2359281f851c1275e4a4f1b48a4a4cbc0dad32b1459e0230223490c2b
Instruction Fuzzy Hash: D0F0A436A08B8685EB08AF2AE94A16C6361FF89FD5F485430DB4E06275CF3DD4958340

Function 00007FF8B7E04844 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

X509_STORE_lock.LIBCRYPTO-3 ref: 00007FF8B7E04851
X509_STORE_get0_objects.LIBCRYPTO-3 ref: 00007FF8B7E04862
OPENSSL_sk_deep_copy.LIBCRYPTO-3 ref: 00007FF8B7E04879
X509_STORE_unlock.LIBCRYPTO-3 ref: 00007FF8B7E04885

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: X509_$E_get0_objectsE_lockE_unlockL_sk_deep_copy
String ID:
API String ID: 1564091015-0
Opcode ID: 83532caa02f6acb35b1453e7cc456119fdfb91cd1ecb4dc9de09abdf9df6df6a
Instruction ID: d1520a20836b5c351330137e6b78804d199b57694cafd96c61f353f745c929fa
Opcode Fuzzy Hash: 83532caa02f6acb35b1453e7cc456119fdfb91cd1ecb4dc9de09abdf9df6df6a
Instruction Fuzzy Hash: 83F0E550F0874385FA186B6AB94647D5360AF5AFD4B144435DF1E47774EE3CE4848310

Function 00007FF8B7E073C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

PyArg_Parse.PYTHON313 ref: 00007FF8B7E07412
PyMem_Free.PYTHON313 ref: 00007FF8B7E07461

Strings

ascii, xrefs: 00007FF8B7E07404

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Arg_FreeMem_Parse
String ID: ascii
API String ID: 1432672584-3510295289
Opcode ID: 243e4b09a69d811b6d5c2e9971f28d01f14bfb2967ed676d6493a3d16c9a3df8
Instruction ID: 4daa517d124d3c4b51efdd5a03eb3e9b49a1b510b9714185d2ba48bb8d8b71d8
Opcode Fuzzy Hash: 243e4b09a69d811b6d5c2e9971f28d01f14bfb2967ed676d6493a3d16c9a3df8
Instruction Fuzzy Hash: 6811C636A08B8585EA509F1AA88156EB7A4FB88FC4F584136EF8D93B34DF3CD5558B00

Function 00007FF8B7E075EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

PyArg_Parse.PYTHON313 ref: 00007FF8B7E0762D
PyMem_Free.PYTHON313(?,?,?,?,?,?,?,?,00007FF8B7E075C4), ref: 00007FF8B7E0767B

Strings

ascii, xrefs: 00007FF8B7E0761F

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Arg_FreeMem_Parse
String ID: ascii
API String ID: 1432672584-3510295289
Opcode ID: 6091503b58361e88b5cad076098939bbf6f597b3578e50ef257c79a5a8d63a04
Instruction ID: 284093401f553f830419a240f6e0a3d8f9ef3847e8bd06f7315c757fdffa18b1
Opcode Fuzzy Hash: 6091503b58361e88b5cad076098939bbf6f597b3578e50ef257c79a5a8d63a04
Instruction Fuzzy Hash: 7E113625A18B9681EB508B5AF845B6AA3A4FF48FD4F140235EB8E47B38CF7CD4518B40

Function 00007FF8B7E09730 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON313 ref: 00007FF8B7E0976D
PyObject_IsTrue.PYTHON313 ref: 00007FF8B7E09780

Strings

getpeercert, xrefs: 00007FF8B7E09766

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Arg_CheckObject_PositionalTrue
String ID: getpeercert
API String ID: 341638686-200429401
Opcode ID: a31f197caa86e27ec99a35df48cb99ec636af6543adc5f2850ac52fd4abccb1b
Instruction ID: f62594ea14bb5cdbf9002f2c656aa99dc5b8dc54371e669996638a0b0fa65cbf
Opcode Fuzzy Hash: a31f197caa86e27ec99a35df48cb99ec636af6543adc5f2850ac52fd4abccb1b
Instruction Fuzzy Hash: 80017C36B08B5189E750AF1AA88606EA6A4FF88FC0B4D5035DF4D97734CE3DE841C700

Function 00007FF8B7E0CC7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

PyArg_Parse.PYTHON313 ref: 00007FF8B7E0CC97
PyErr_SetString.PYTHON313 ref: 00007FF8B7E0CCC4

Part of subcall function 00007FF8B7E067A4: PyErr_SetString.PYTHON313 ref: 00007FF8B7E067C9

Strings

Cannot set verify_mode to CERT_NONE when check_hostname is enabled., xrefs: 00007FF8B7E0CCBA

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Err_String$Arg_Parse
String ID: Cannot set verify_mode to CERT_NONE when check_hostname is enabled.
API String ID: 226202181-288992553
Opcode ID: bb23373518cbbc069322045be8b322648747ae2c50f4ec2d13dc911802e38316
Instruction ID: 267e28f7b331ba867654b80bf2607d01b3e349129c23ac5059d3747c86c85154
Opcode Fuzzy Hash: bb23373518cbbc069322045be8b322648747ae2c50f4ec2d13dc911802e38316
Instruction Fuzzy Hash: B2F0B761E0870781FE699B2EE4861BD23A1AF94FD4B186236DB1E466F4DE3CE484C700

Function 00007FF8B7E0BE68 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

SSL_CTX_get_verify_mode.LIBSSL-3 ref: 00007FF8B7E0BE75
PyErr_SetString.PYTHON313 ref: 00007FF8B7E0BE9D

Strings

invalid return value from SSL_CTX_get_verify_mode, xrefs: 00007FF8B7E0BE92

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Err_StringX_get_verify_mode
String ID: invalid return value from SSL_CTX_get_verify_mode
API String ID: 3939857436-2501269723
Opcode ID: 37755f1760e9c2ebd58fc1c0ff21f95e39aa076c3fd6608a9ad303eb35dd497f
Instruction ID: 2b047c9fe1d6e0611d385806ab680b04b42564837aed8533f0d117e9aba88a30
Opcode Fuzzy Hash: 37755f1760e9c2ebd58fc1c0ff21f95e39aa076c3fd6608a9ad303eb35dd497f
Instruction Fuzzy Hash: 7CF01C22A18A4A81EB699729DC9717D1371FF88F94F180436C71ECA2B0CE2CE8D3C300

Function 00007FF8B7E067A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON313 ref: 00007FF8B7E067C9
SSL_CTX_set_verify.LIBSSL-3 ref: 00007FF8B7E067E9

Strings

invalid value for verify_mode, xrefs: 00007FF8B7E067BF

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Err_StringX_set_verify
String ID: invalid value for verify_mode
API String ID: 4223523404-2668209411
Opcode ID: 6ea304071ca4d8d0a79c7e74895354ef27ed3270ac4b79d11357d5cbf65ca215
Instruction ID: 386be17b6805bf451e898876828047c3b832186b8f0d96c744f555dffd22ea5e
Opcode Fuzzy Hash: 6ea304071ca4d8d0a79c7e74895354ef27ed3270ac4b79d11357d5cbf65ca215
Instruction Fuzzy Hash: 5AF03024F1864782FA65972DC86A33D12A1BF88FD4FA44931DA0E866B4DE2DE5458700

Function 00007FF8A932F9F5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

ERR_set_debug.LIBCRYPTO-3(?,?,FFFFFFFF,00000000,00007FF8A932F416), ref: 00007FF8A932FA69

Strings

..\s\ssl\statem\statem.c, xrefs: 00007FF8A932FA62
write_state_machine, xrefs: 00007FF8A932FA5B

Memory Dump Source

Source File: 00000002.00000002.3279888631.00007FF8A92D1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FF8A92D0000, based on PE: true

Associated: 00000002.00000002.3279855447.00007FF8A92D0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3279888631.00007FF8A9353000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280014576.00007FF8A9355000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280055742.00007FF8A937D000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9382000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9388000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000002.00000002.3280091663.00007FF8A9390000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a92d0000_Creal.jbxd

Similarity

API ID: R_set_debug
String ID: ..\s\ssl\statem\statem.c$write_state_machine
API String ID: 488089507-552286378
Opcode ID: 22f28354a2e84bde54f5d5e158f90d27f7faab77a3525f3ec8db2e2e9c027129
Instruction ID: f185d045a81bdaee2f8fae986cf2bc76e604c4cbe293971322fb9f17ff6b0935
Opcode Fuzzy Hash: 22f28354a2e84bde54f5d5e158f90d27f7faab77a3525f3ec8db2e2e9c027129
Instruction Fuzzy Hash: DEF0A02260DAC295E342DF26B4107EE3B60FB89B94F595073CF4C83682CB39D686D740

Function 00007FF8B7E028A8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

PyModule_GetState.PYTHON313 ref: 00007FF8B7E028AE
PyCapsule_Import.PYTHON313 ref: 00007FF8B7E028C3

Strings

_socket.CAPI, xrefs: 00007FF8B7E028B9

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Capsule_ImportModule_State
String ID: _socket.CAPI
API String ID: 2652237932-3774308389
Opcode ID: 3d62b8d2468dfab39306d07df9cfef2d2ecc97b624e4165042a5198267639c39
Instruction ID: 3bad4a5ca3899fbfa955101e1c7bf5ea6e2ce3b1bf8a3a313646d10c6d8e2083
Opcode Fuzzy Hash: 3d62b8d2468dfab39306d07df9cfef2d2ecc97b624e4165042a5198267639c39
Instruction Fuzzy Hash: A7E03035E0A70286FE159B6C985223822E4AF49F54B980134C61D8A3B4DE2DE591D310

Function 00007FF8B7E0CAA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON313 ref: 00007FF8B7E0CAC3
PyObject_IsTrue.PYTHON313 ref: 00007FF8B7E0CAD1

Strings

cannot delete attribute, xrefs: 00007FF8B7E0CAB9

Memory Dump Source

Source File: 00000002.00000002.3285193660.00007FF8B7E01000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8B7E00000, based on PE: true

Associated: 00000002.00000002.3285169090.00007FF8B7E00000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285410156.00007FF8B7E0E000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285548802.00007FF8B7E21000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285615420.00007FF8B7E22000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285729035.00007FF8B7E28000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.3285813957.00007FF8B7E2A000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8b7e00000_Creal.jbxd

Similarity

API ID: Err_Object_StringTrue
String ID: cannot delete attribute
API String ID: 1323943456-1747274469
Opcode ID: 8c84c338d224894d3ed47382b29769635c97ffba318e277e14ad243b3d061bae
Instruction ID: b7bc5853d967248a0427e0a029c23c7dc2f3d1f493ec5fd37e07d65b90822c5f
Opcode Fuzzy Hash: 8c84c338d224894d3ed47382b29769635c97ffba318e277e14ad243b3d061bae
Instruction Fuzzy Hash: 18E01265E0460281EA68DB7D949607D2271AF44FE4B145F32CA2F865F4EE2C94958700

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Creal.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Creal Stealer

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_ARC4.pyd

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_Salsa20.pyd

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_chacha20.pyd

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_pkcs1_decode.pyd

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_aes.pyd

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_aesni.pyd

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_arc2.pyd

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_blowfish.pyd

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_cast.pyd

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_cbc.pyd

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_cfb.pyd

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_ctr.pyd

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_des.pyd

C:\Users\user\AppData\Local\Temp\_MEI39642\Crypto\Cipher\_raw_des3.pyd

Windows Analysis Report
Creal.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre