Edit tour

Windows Analysis Report
Payload.exe

Overview

General Information

Sample name:	Payload.exe
Analysis ID:	1555217
MD5:	a0044986eec99f4b05358f1457be6ee8
SHA1:	bed5076d966b94c942487fd04e7074e861235ba2
SHA256:	24c7c6cc3124b20c717ac485e263193e351f0ab2e672b353b38688ba218bda9a
Infos:

Detection

Python Stealer, BLX Stealer, XLABB Grabber

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected BLX Stealer

Yara detected XLABB Grabber

Contains functionality to infect the boot sector

Drops PE files to the startup folder

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Python Stealer

AV process strings found (often used to terminate AV products)

Binary contains a suspicious time stamp

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to query CPU information (cpuid)

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May check the online IP address of the machine

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Payload.exe (PID: 7028 cmdline: "C:\Users\user\Desktop\Payload.exe" MD5: A0044986EEC99F4B05358F1457BE6EE8)

Payload.exe (PID: 7372 cmdline: "C:\Users\user\Desktop\Payload.exe" MD5: A0044986EEC99F4B05358F1457BE6EE8)

cmd.exe (PID: 7412 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7548 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7592 cmdline: C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7656 cmdline: C:\Windows\System32\wbem\WMIC.exe csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

Payload.exe (PID: 7848 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe" MD5: A0044986EEC99F4B05358F1457BE6EE8)

Payload.exe (PID: 7884 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe" MD5: A0044986EEC99F4B05358F1457BE6EE8)

cmd.exe (PID: 7920 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8008 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8060 cmdline: C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 8120 cmdline: C:\Windows\System32\wbem\WMIC.exe csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_XLABBGrabber	Yara detected XLABB Grabber	Joe Security
00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_BLXStealer	Yara detected BLX Stealer	Joe Security
00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_XLABBGrabber	Yara detected XLABB Grabber	Joe Security
00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_BLXStealer	Yara detected BLX Stealer	Joe Security
Process Memory Space: Payload.exe PID: 7372	JoeSecurity_GenericPythonStealer	Yara detected Generic Python Stealer	Joe Security
Process Memory Space: Payload.exe PID: 7372	JoeSecurity_XLABBGrabber	Yara detected XLABB Grabber	Joe Security
Process Memory Space: Payload.exe PID: 7372	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Payload.exe PID: 7372	JoeSecurity_BLXStealer	Yara detected BLX Stealer	Joe Security
Process Memory Space: Payload.exe PID: 7884	JoeSecurity_XLABBGrabber	Yara detected XLABB Grabber	Joe Security
Process Memory Space: Payload.exe PID: 7884	JoeSecurity_BLXStealer	Yara detected BLX Stealer	Joe Security
Click to see the 5 entries

Sigma Signatures

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\Payload.exe, ProcessId: 7372, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-13T15:46:04.571981+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.7	49737	TCP
2024-11-13T15:46:45.956971+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.7	51529	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Payload.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: Payload.exe

ReversingLabs: Detection: 58%

Source: Payload.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1535857657.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cryptography_rust.pdbc source: Payload.exe, 00000008.00000002.2567377200.00007FFB0AE9A000.00000002.00000001.01000000.00000036.sdmp
Source:	Binary string: ucrtbase.pdb source: Payload.exe, 00000008.00000002.2579822024.00007FFB0C461000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: Payload.exe, 00000011.00000003.1521477292.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1520542882.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1528209831.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1534637312.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1523190235.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ossl_ec_GFp_simple_group_set_curvecrypto\ec\ecp_smpl.cossl_ec_GFp_simple_group_check_discriminantossl_ec_GFp_simple_point_set_affine_coordinatesossl_ec_GFp_simple_point_get_affine_coordinatesossl_ec_GFp_simple_make_affineossl_ec_GFp_simple_points_make_affineossl_ec_GFp_simple_field_invossl_ec_GFp_simple_blind_coordinatescrypto\engine\tb_digest.cENGINE_get_digestcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specific.dllCPUINFO: crypto\initthread.cOPENSSL_ia32cap source: Payload.exe, 00000008.00000002.2567377200.00007FFB0AE9A000.00000002.00000001.01000000.00000036.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1534844534.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1522273413.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: Payload.exe, 00000008.00000002.2567377200.00007FFB0AE9A000.00000002.00000001.01000000.00000036.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: Payload.exe, 00000008.00000002.2586691438.00007FFB1D345000.00000002.00000001.01000000.00000012.sdmp, Payload.exe, 00000011.00000003.1515059516.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1534492530.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: Payload.exe, 00000008.00000002.2582405838.00007FFB18B80000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1534637312.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1524126722.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1536150494.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1520245423.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1529285605.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1523845563.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: Payload.exe, 00000008.00000002.2580291866.00007FFB167AC000.00000002.00000001.01000000.0000000C.sdmp, Payload.exe, 00000011.00000003.1516792514.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1525585820.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1521263500.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1534492530.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1536150494.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\pywintypes.pdb** source: Payload.exe, 00000008.00000002.2574029356.00007FFB0BD60000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1522056736.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1528209831.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: Payload.exe, 00000011.00000003.1527988559.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1523845563.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\pythoncom.pdb source: Payload.exe, 00000008.00000002.2573645339.00007FFB0BCFC000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: Payload.exe, 00000008.00000002.2586406348.00007FFB1CD26000.00000002.00000001.01000000.00000019.sdmp, Payload.exe, 00000011.00000003.1517294731.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1535485925.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Payload.exe, 00000008.00000002.2582941373.00007FFB1AB11000.00000002.00000001.01000000.00000007.sdmp, Payload.exe, 00000011.00000003.1514810535.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: Payload.exe, 00000011.00000003.1522902662.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1526919786.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1536045528.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: Payload.exe, 00000011.00000003.1524827877.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1520542882.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1522624454.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdbGCTL source: Payload.exe, 00000011.00000003.1522902662.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: Payload.exe, 00000008.00000002.2587231264.00007FFB1D893000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1523524331.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1535485925.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1525976493.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1520245423.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1535758153.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1536245243.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: Payload.exe, 00000008.00000002.2564873676.00007FFB0A802000.00000002.00000001.01000000.0000003E.sdmp, Payload.exe, 00000011.00000003.1518557370.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1527613096.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1522448538.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\pywintypes.pdb source: Payload.exe, 00000008.00000002.2574029356.00007FFB0BD60000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1525976493.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: Payload.exe, 00000008.00000002.2572843995.00007FFB0BBF5000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1534844534.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1536045528.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: Payload.exe, 00000008.00000002.2573110108.00007FFB0BC4D000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\win32api.pdb source: Payload.exe, 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1534939724.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1523190235.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: Payload.exe, 00000008.00000002.2572031863.00007FFB0BA12000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1535938916.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: Payload.exe, 00000008.00000002.2582941373.00007FFB1AB11000.00000002.00000001.01000000.00000007.sdmp, Payload.exe, 00000011.00000003.1514810535.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: Payload.exe, 00000011.00000003.1516984010.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1530656784.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1527613096.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1522273413.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1535122836.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1522056736.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: Payload.exe, 00000008.00000002.2570926051.00007FFB0B637000.00000002.00000001.01000000.0000001B.sdmp, Payload.exe, 00000011.00000003.1516620675.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1520906605.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1524126722.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: Payload.exe, 00000008.00000002.2571115541.00007FFB0B657000.00000002.00000001.01000000.00000018.sdmp, Payload.exe, 00000011.00000003.1515234510.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1521263500.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdbGCTL source: Payload.exe, 00000011.00000003.1527988559.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: Payload.exe, 00000008.00000002.2574311367.00007FFB0BDA2000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1535758153.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1534133545.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1530656784.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1520339980.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: Payload.exe, 00000008.00000002.2581443924.00007FFB174CD000.00000002.00000001.01000000.0000000B.sdmp, Payload.exe, 00000011.00000003.1515744136.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1520906605.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: Payload.exe, 00000008.00000002.2579822024.00007FFB0C461000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: Payload.exe, 00000008.00000002.2574578235.00007FFB0BDC8000.00000002.00000001.01000000.0000000D.sdmp, Payload.exe, 00000011.00000003.1517669281.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cryptography_rust.pdb source: Payload.exe, 00000008.00000002.2567377200.00007FFB0AE9A000.00000002.00000001.01000000.00000036.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: Payload.exe, 00000008.00000002.2586691438.00007FFB1D345000.00000002.00000001.01000000.00000012.sdmp, Payload.exe, 00000011.00000003.1515059516.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1534133545.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1535938916.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: Payload.exe, 00000008.00000002.2569547141.00007FFB0B360000.00000002.00000001.01000000.0000001E.sdmp, Payload.exe, 00000012.00000002.2570327513.00007FFB099B0000.00000002.00000001.01000000.0000006D.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.11 19 Sep 20233.0.11built on: Wed Sep 27 22:33:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_push_octet_ptrOSSL_PARAM_BLD_to_param..\s\crypto\params.c source: Payload.exe, 00000008.00000002.2572031863.00007FFB0BA12000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: crypto\bn\bn_ctx.cBN_CTX_startBN_CTX_getossl_ec_group_new_excrypto\ec\ec_lib.cEC_GROUP_copyEC_GROUP_set_generatorEC_GROUP_set_curveEC_GROUP_get_curveEC_GROUP_get_degreeEC_GROUP_check_discriminantEC_POINT_newEC_POINT_copyEC_POINT_set_to_infinityEC_POINT_set_Jprojective_coordinates_GFpEC_POINT_set_affine_coordinatesEC_POINT_get_affine_coordinatesEC_POINT_addEC_POINT_dblEC_POINT_invertEC_POINT_is_at_infinityEC_POINT_is_on_curveEC_POINT_cmpEC_POINT_mulEC_GROUP_get_trinomial_basisEC_GROUP_get_pentanomial_basisgroup_new_from_nameossl_ec_group_set_paramsencodingdecoded-from-explicitEC_GROUP_new_from_paramsgeneratorcrypto\evp\digest.cevp_md_ctx_new_exevp_md_ctx_free_algctxevp_md_init_internalEVP_DigestUpdatesizeEVP_DigestFinal_exassertion failed: mdsize <= EVP_MAX_MD_SIZEEVP_DigestFinalXOFxoflenEVP_MD_CTX_copy_exEVP_MD_CTX_ctrlmicalgssl3-msblocksizexofalgid-absentevp_md_from_algorithmupdatecrypto\evp\m_sigver.cUNDEFdo_sigver_initEVP_DigestSignUpdateEVP_DigestVerifyUpdateEVP_DigestSignFinalEVP_DigestSignEVP_DigestVerifyFinalEVP_DigestVerifycompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"3.3.2built on: Fri Oct 18 00:15:00 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availablecrypto\init.cOPENSSL_init_cryptocrypto\bio\bio_lib.cBIO_new_exbio_read_internbio_write_internBIO_sendmmsgBIO_recvmmsgBIO_putsBIO_getsBIO_get_line BIO_ctrlBIO_callback_ctrlBIO_find_type source: Payload.exe, 00000008.00000002.2567377200.00007FFB0AE9A000.00000002.00000001.01000000.00000036.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdbGCTL source: Payload.exe, 00000011.00000003.1521477292.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1525585820.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1520339980.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1533971013.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\win32api.pdb!! source: Payload.exe, 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: Payload.exe, 00000008.00000002.2569256358.00007FFB0B20E000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1535122836.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1522448538.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python311.pdb source: Payload.exe, 00000008.00000002.2575133612.00007FFB0C15B000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1534939724.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1536245243.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1529285605.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1526919786.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbEE source: Payload.exe, 00000008.00000002.2572843995.00007FFB0BBF5000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: Payload.exe, 00000011.00000003.1521838312.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: Payload.exe, 00000008.00000002.2580291866.00007FFB167AC000.00000002.00000001.01000000.0000000C.sdmp, Payload.exe, 00000011.00000003.1516792514.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1522624454.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: Payload.exe, 00000008.00000002.2586956857.00007FFB1D5B3000.00000002.00000001.01000000.00000010.sdmp, Payload.exe, 00000011.00000003.1517465555.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1523524331.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1535857657.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\pythoncom.pdb}},GCTL source: Payload.exe, 00000008.00000002.2573645339.00007FFB0BCFC000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: Payload.exe, 00000008.00000002.2588569490.00007FFB1E67E000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: Payload.exe, 00000011.00000003.1524827877.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: Payload.exe, 00000008.00000002.2540131598.00000208142F0000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1533971013.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF698819280 FindFirstFileExW,FindClose,	4_2_00007FF698819280
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF6988183C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	4_2_00007FF6988183C0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF698831874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	4_2_00007FF698831874
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF698819280 FindFirstFileExW,FindClose,	8_2_00007FF698819280
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF6988183C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	8_2_00007FF6988183C0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF698831874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	8_2_00007FF698831874
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB49280 FindFirstFileExW,FindClose,	17_2_00007FF74DB49280
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB61874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	17_2_00007FF74DB61874
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB483C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	17_2_00007FF74DB483C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB49280 FindFirstFileExW,FindClose,	18_2_00007FF74DB49280
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB61874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	18_2_00007FF74DB61874
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB483C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	18_2_00007FF74DB483C0

Source: C:\Users\user\Desktop\Payload.exe

Code function: 8_2_00007FFB0B082E70 memset,PyList_New,SetErrorMode,PyArg_ParseTuple,PyObject_IsTrue,PyEval_SaveThread,GetLogicalDriveStringsA,PyEval_RestoreThread,PyErr_SetFromWindowsErr,SetErrorMode,PyEval_SaveThread,GetDriveTypeA,PyEval_RestoreThread,GetVolumeInformationA,strcat_s,SetLastError,strcat_s,strcat_s,strcat_s,FindFirstVolumeMountPointA,strcpy_s,strcat_s,Py_BuildValue,PyList_Append,_Py_Dealloc,FindNextVolumeMountPointA,FindVolumeMountPointClose,strcat_s,strcat_s,Py_BuildValue,PyList_Append,_Py_Dealloc,strchr,SetErrorMode,FindVolumeMountPointClose,SetErrorMode,_Py_Dealloc,_Py_Dealloc,

8_2_00007FFB0B082E70

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.7:49737
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.7:51529

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: api.ipify.org

Source: Payload.exe, 00000008.00000002.2546049330.0000020816610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.../back.jpeg
Source: Payload.exe, 00000008.00000002.2570352526.00007FFB0B3F5000.00000002.00000001.01000000.0000001A.sdmp	String found in binary or memory: http://.css
Source: Payload.exe, 00000008.00000002.2570352526.00007FFB0B3F5000.00000002.00000001.01000000.0000001A.sdmp	String found in binary or memory: http://.jpg
Source: Payload.exe, 00000008.00000002.2545590625.0000020816200000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://aka.ms/vcpython27
Source: Payload.exe, 00000008.00000002.2544318194.0000020815BEB000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2544318194.0000020815D3C000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2544659093.0000020815E34000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2549029984.0000020817263000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2548486961.0000020817003000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2550137923.0000020817296000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2549029984.00000208171C7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2542221738.0000020815078000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2543636227.0000020815A14000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2544582073.0000020815D99000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2549029984.0000020817159000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2548606398.000002298B677000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html
Source: Payload.exe, 00000008.00000002.2546167369.0000020816760000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2546010178.000002298AD40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://bugs.python.org/issue23606)
Source: Payload.exe, 00000011.00000003.1516792514.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.co
Source: Payload.exe, 00000011.00000003.1517669281.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516375959.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517913162.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1543133337.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516984010.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516620675.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1541754025.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1515744136.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518557370.000002BE1CC62000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1541587548.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516117123.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1515234510.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518557370.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC5D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517294731.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516792514.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517465555.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518356296.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Payload.exe, 00000011.00000003.1517669281.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516375959.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517913162.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1543133337.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516984010.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516620675.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1541754025.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1515744136.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1541587548.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516117123.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1515234510.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518557370.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC5D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517294731.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516792514.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517465555.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518356296.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Payload.exe, 00000011.00000003.1517669281.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516375959.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517913162.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1543133337.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516984010.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516620675.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1541754025.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1515744136.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1541587548.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516117123.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1515234510.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518557370.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC5D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517294731.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516792514.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517465555.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518356296.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Payload.exe, 00000011.00000003.1517669281.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516375959.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517913162.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1543133337.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516984010.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516620675.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1541754025.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1515744136.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518557370.000002BE1CC62000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1541587548.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516117123.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1515234510.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518557370.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC5D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517294731.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516792514.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517465555.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518356296.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Payload.exe, 00000008.00000002.2546167369.0000020816760000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2546010178.000002298AD40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cffi.readthedocs.io/en/latest/cdef.html#ffi-cdef-limitations
Source: Payload.exe, 00000008.00000003.1338085505.0000020814E78000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1335612152.0000020814EB4000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1336282130.00000208149DA000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2543636227.0000020815A66000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1337272875.0000020814EF5000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2542221738.0000020814DB0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1336020792.0000020814EEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: Payload.exe, 00000008.00000003.1335659787.0000020814E68000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2541346923.00000208147D4000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1336163372.0000020814E77000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1335569198.0000020814EF7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000012.00000003.1579160896.000002298950B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577916/
Source: Payload.exe, 00000008.00000002.2544318194.0000020815B9E000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2544582073.0000020815D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: Payload.exe, 00000008.00000002.2539508952.0000020812AAA000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2541700662.00000208149BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Payload.exe, 00000008.00000002.2544318194.0000020815BEB000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2543636227.0000020815ADD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: Payload.exe, 00000008.00000002.2544582073.0000020815D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: Payload.exe, 00000008.00000002.2544318194.0000020815B9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl)
Source: Payload.exe, 00000008.00000002.2542221738.0000020814DB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: Payload.exe, 00000008.00000002.2543636227.0000020815ADD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: Payload.exe, 00000008.00000002.2542221738.0000020814DB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: Payload.exe, 00000008.00000002.2543636227.0000020815ADD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: Payload.exe, 00000008.00000002.2542221738.0000020814DB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: Payload.exe, 00000008.00000002.2541700662.00000208149BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: Payload.exe, 00000011.00000003.1517669281.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516375959.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517913162.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1543133337.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516984010.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516620675.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1541754025.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1515744136.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518557370.000002BE1CC62000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1541587548.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516117123.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1515234510.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518557370.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC5D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517294731.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516792514.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517465555.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518356296.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Payload.exe, 00000011.00000003.1517669281.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516375959.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517913162.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1543133337.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516984010.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516620675.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1541754025.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1515744136.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1541587548.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516117123.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1515234510.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518557370.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC5D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517294731.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516792514.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517465555.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518356296.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Payload.exe, 00000011.00000003.1517669281.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516375959.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517913162.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1543133337.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516984010.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516620675.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1541754025.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1515744136.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1541587548.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516117123.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1515234510.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518557370.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC5D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517294731.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516792514.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517465555.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518356296.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Payload.exe, 00000011.00000003.1518356296.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Payload.exe, 00000011.00000003.1517669281.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516375959.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517913162.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1543133337.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516984010.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516620675.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1541754025.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1515744136.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1541587548.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516117123.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1515234510.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518557370.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC5D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517294731.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516792514.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517465555.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518356296.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Payload.exe, 00000008.00000002.2544318194.0000020815BEB000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2544318194.0000020815D3C000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2544659093.0000020815E34000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2549029984.0000020817159000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2548606398.000002298B677000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/eax/eax-spec.pdf
Source: Payload.exe, 00000008.00000002.2544659093.0000020815E34000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2549029984.00000208171C7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2542221738.0000020815078000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf
Source: Payload.exe, 00000008.00000002.2544659093.0000020815E34000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2549029984.0000020817263000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2548486961.0000020817003000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2544582073.0000020815D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
Source: Payload.exe, 00000008.00000002.2544318194.0000020815BEB000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2546167369.0000020816760000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2544659093.0000020815E34000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2548486961.0000020817003000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2546471032.0000020816860000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2551122266.0000020818770000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2546049330.0000020816610000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2551604824.0000020818994000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2549029984.00000208171C7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2551604824.0000020818970000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2546731380.00000208169B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2542221738.0000020815078000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2544582073.0000020815D99000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2549029984.0000020817159000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2546351538.000002298AF80000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2546010178.000002298AD40000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2548606398.000002298B677000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: Payload.exe, 00000008.00000002.2546049330.0000020816610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: Payload.exe, 00000008.00000002.2545795180.0000020816400000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.kill
Source: Payload.exe, 00000008.00000002.2545795180.0000020816400000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode
Source: Payload.exe, 00000008.00000002.2545691339.0000020816300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate
Source: Payload.exe, 00000008.00000002.2542922126.00000208152B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2543130034.00000208154D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/library/itertools.html#recipes
Source: Payload.exe, 00000008.00000002.2543636227.000002081597E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/library/unittest.html
Source: Payload.exe, 00000008.00000002.2542922126.00000208152B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://github.com/ActiveState/appdirs
Source: Payload.exe, 00000008.00000002.2546925831.0000020816AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://goo.gl/zeJZl.
Source: Payload.exe, 00000008.00000002.2543636227.0000020815A14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: Payload.exe, 00000008.00000002.2543636227.0000020815ADD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: Payload.exe, 00000008.00000002.2542221738.0000020814F97000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2543636227.0000020815A66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: Payload.exe, 00000008.00000002.2570352526.00007FFB0B3F5000.00000002.00000001.01000000.0000001A.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: Payload.exe, 00000008.00000002.2544774972.0000020815F34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://httpbin.org/post
Source: Payload.exe, 00000008.00000002.2546731380.00000208169B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2546351538.000002298AF80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://mail.python.org/pipermail/python-dev/2012-June/120787.html.
Source: Payload.exe, 00000008.00000002.2544582073.0000020815D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es
Source: Payload.exe, 00000008.00000002.2544582073.0000020815D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: Payload.exe, 00000011.00000003.1517669281.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516375959.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517913162.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1543133337.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516984010.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516620675.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1541754025.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1515744136.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1541587548.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516117123.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1515234510.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518557370.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC5D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517294731.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516792514.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517465555.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518356296.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Payload.exe, 00000011.00000003.1517669281.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516375959.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517913162.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1543133337.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516984010.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516620675.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1541754025.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1515744136.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518557370.000002BE1CC62000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1541587548.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516117123.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1515234510.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518557370.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC5D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517294731.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516792514.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517465555.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518356296.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: Payload.exe, 00000011.00000003.1517669281.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516375959.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517913162.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1543133337.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516984010.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516620675.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1541754025.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1515744136.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518557370.000002BE1CC62000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1541587548.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516117123.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1515234510.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518557370.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC5D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517294731.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516792514.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517465555.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518356296.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: Payload.exe, 00000011.00000003.1517669281.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516375959.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517913162.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1543133337.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516984010.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516620675.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1541754025.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1515744136.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1541587548.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516117123.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1515234510.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518557370.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC5D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517294731.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516792514.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517465555.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518356296.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: Payload.exe, 00000008.00000002.2542922126.00000208152B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2542806128.00000208151B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://opensource.apple.com/source/CF/CF-744.18/CFBinaryPList.c
Source: Payload.exe, 00000011.00000003.1542266897.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://opensource.org/licenses/BSD-3-Clause
Source: Payload.exe, 00000011.00000003.1542266897.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://python-lz4.readthedocs.io/en/latest/
Source: Payload.exe, 00000011.00000003.1542266897.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://python-lz4.readthedocs.io/en/stable/
Source: Payload.exe, 00000008.00000002.2547500969.0000020816DD2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://python.org
Source: Payload.exe, 00000008.00000002.2544659093.0000020815E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://python.org/
Source: Payload.exe, 00000008.00000002.2547500969.0000020816DD2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://python.org:80
Source: Payload.exe, 00000008.00000002.2544318194.0000020815BEB000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2543636227.0000020815A66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: Payload.exe, 00000008.00000002.2542221738.0000020815078000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/d
Source: Payload.exe, 00000008.00000002.2543419271.0000020815700000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://stackoverflow.com/questions/19622133/
Source: Payload.exe, 00000008.00000002.2551278709.0000020818870000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://timgolden.me.uk/python/wmi.html
Source: Payload.exe, 00000008.00000002.2544318194.0000020815D3C000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2548486961.0000020817003000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2549029984.000002081721A000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2542221738.0000020814DB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc4880
Source: Payload.exe, 00000008.00000002.2546925831.0000020816AF0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2551604824.0000020818970000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2546731380.00000208169B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2551278709.0000020818870000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2546351538.000002298AF80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5297
Source: Payload.exe, 00000008.00000002.2544659093.0000020815E34000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2549029984.000002081721A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5869
Source: Payload.exe, 00000008.00000002.2546049330.0000020816610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: Payload.exe, 00000008.00000002.2544318194.0000020815BEB000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2548486961.0000020817003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
Source: Payload.exe, 00000008.00000002.2544582073.0000020815D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: Payload.exe, 00000008.00000002.2544582073.0000020815D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: Payload.exe, 00000008.00000002.2544582073.0000020815D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: Payload.exe, 00000008.00000002.2544582073.0000020815D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm
Source: Payload.exe, 00000008.00000002.2544582073.0000020815D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: Payload.exe, 00000008.00000002.2544582073.0000020815D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: Payload.exe, 00000008.00000003.1334338316.0000020814EB4000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2542806128.00000208151B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1334478633.0000020814EBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: Payload.exe, 00000008.00000002.2544582073.0000020815D99000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2543636227.0000020815AAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: Payload.exe, 00000008.00000002.2543636227.0000020815AAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/e
Source: Payload.exe, 00000008.00000003.1334338316.0000020814EB4000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1334478633.0000020814EBA000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1334414261.000002081488C000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1334519553.0000020814EDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: Payload.exe, 00000008.00000002.2544318194.0000020815BEB000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2550137923.0000020817296000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2543636227.0000020815A14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
Source: Payload.exe, 00000008.00000002.2546471032.0000020816860000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dabeaz.com/ply)
Source: Payload.exe, 00000011.00000003.1517669281.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516375959.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517913162.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1543133337.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516984010.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516620675.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1541754025.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1515744136.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1541587548.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516117123.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1515234510.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518557370.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1540289691.000002BE1CC5D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517294731.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1516792514.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1517465555.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1518356296.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: Payload.exe, 00000008.00000002.2541700662.0000020814A51000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2544582073.0000020815D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: Payload.exe, 00000008.00000002.2541700662.00000208149BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: Payload.exe, 00000008.00000003.1334338316.0000020814EB4000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1334478633.0000020814EBA000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1334519553.0000020814EDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: Payload.exe, 00000008.00000002.2546925831.0000020816AF0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2549029984.0000020817159000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.opensource.org/licenses/mit-license.php
Source: Payload.exe, 00000008.00000003.1334338316.0000020814EB4000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1334478633.0000020814EBA000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1334414261.000002081488C000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1334519553.0000020814EDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: Payload.exe, 00000008.00000002.2544318194.0000020815BEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: Payload.exe, 00000008.00000002.2544318194.0000020815D3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: Payload.exe, 00000008.00000002.2544318194.0000020815BEB000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2548486961.0000020817003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rfc-editor.org/info/rfc7253
Source: Payload.exe, 00000008.00000002.2549029984.00000208171C7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2542221738.0000020815078000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tarsnap.com/scrypt/scrypt-slides.pdf
Source: Payload.exe, 00000008.00000002.2543636227.0000020815A66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: Payload.exe, 00000008.00000002.2544318194.0000020815BEB000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2544659093.0000020815E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://127.0.0.1:8443
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://aliexpress.com)
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://amazon.com)
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: Payload.exe, 00000008.00000002.2552484640.0000020818B90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: Payload.exe, 00000008.00000002.2552484640.0000020818B90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/2
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.myip.com
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.myip.comot-info
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://binance.com)
Source: Payload.exe, 00000008.00000002.2543636227.0000020815A14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://brew.sh
Source: Payload.exe, 00000008.00000002.2547500969.0000020816DD2000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2544659093.0000020815E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugs.python.org/issue37179
Source: Payload.exe, 00000008.00000002.2543130034.00000208154D0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2543419271.0000020815700000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugs.python.org/issue44497.
Source: Payload.exe, 00000008.00000002.2550815163.0000020818570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/1207404349177724988/1247483882857828352/Picsart_24-06-04_12-3
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/avatars/
Source: Payload.exe, 00000008.00000002.2585826281.00007FFB1BACB000.00000002.00000001.01000000.00000023.sdmp	String found in binary or memory: https://cffi.readthedocs.io/en/latest/using.html#callbacks
Source: Payload.exe, 00000011.00000003.1542266897.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://codecov.io/gh/python-lz4/python-lz4
Source: Payload.exe, 00000011.00000003.1542266897.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://codecov.io/gh/python-lz4/python-lz4/branch/codecov/graph/badge.svg
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://coinbase.com)
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crunchyroll.com)
Source: Payload.exe, 00000011.00000003.1537579625.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io
Source: Payload.exe, 00000011.00000003.1537579625.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/
Source: Payload.exe, 00000011.00000003.1537579625.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/changelog/
Source: Payload.exe, 00000008.00000002.2567377200.00007FFB0AE9A000.00000002.00000001.01000000.00000036.sdmp	String found in binary or memory: https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file
Source: Payload.exe, 00000008.00000002.2547252942.0000020816CD0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2546831931.000002298B2A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/hazmat/
Source: Payload.exe, 00000011.00000003.1537579625.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/installation/
Source: Payload.exe, 00000011.00000003.1537579625.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/security/
Source: Payload.exe, 00000008.00000002.2544318194.0000020815BEB000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2544659093.0000020815E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2
Source: Payload.exe, 00000008.00000002.2544659093.0000020815E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.3
Source: Payload.exe, 00000008.00000002.2547252942.0000020816CD0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2546925831.0000020816AF0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2546831931.000002298B2A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.1.4.1
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com)
Source: Payload.exe, 00000008.00000002.2551122266.0000020818770000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/guilds/
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/users/
Source: Payload.exe, 00000008.00000002.2550815163.0000020818570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v
Source: Payload.exe, 00000008.00000002.2550815163.0000020818570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v10
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v6/users/
Source: Payload.exe, 00000008.00000002.2544659093.0000020815E34000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2551278709.0000020818870000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2542221738.0000020814DB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/webhooks/
Source: Payload.exe, 00000008.00000002.2545795180.0000020816400000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/webhooks/1297535549556396133/ve261trT7MNuWrlMT1bnnjDbtyFOhfHK7UO0xzUt7Hpz9EX
Source: Payload.exe, 00000008.00000002.2550962626.0000020818670000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/channels/
Source: Payload.exe, 00000008.00000002.2550815163.0000020818570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/developers/applications/
Source: Payload.exe, 00000008.00000002.2550815163.0000020818570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/events/
Source: Payload.exe, 00000008.00000002.2550661006.0000020818120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/oauth2/authorize?client_id=
Source: Payload.exe, 00000008.00000002.2550815163.0000020818570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.gg
Source: Payload.exe, 00000008.00000002.2551278709.0000020818870000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.new/
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v6/users/
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://disney.com)
Source: Payload.exe, 00000008.00000002.2544659093.0000020815E34000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2545383208.0000020816078000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.aiohttp.org/en/stable/client_advanced.html#client-tracing
Source: Payload.exe, 00000008.00000002.2547500969.0000020816DD2000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2544659093.0000020815E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.aiohttp.org/en/stable/client_advanced.html#proxy-support
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-github-profile/customizi
Source: Payload.exe, 00000008.00000003.1335718562.0000020814A62000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1336282130.0000020814A62000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2541700662.0000020814A51000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1334911075.0000020814A62000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1338593436.0000020814A51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: Payload.exe, 00000008.00000002.2543636227.0000020815ADD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/howto/mro.html
Source: Payload.exe, 00000008.00000002.2544659093.0000020815E34000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2550348146.0000020817EA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/asyncio-eventloop.html
Source: Payload.exe, 00000008.00000002.2540459645.0000020814370000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1318729017.00000208147B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: Payload.exe, 00000008.00000002.2541048725.00000208145B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1318729017.00000208147B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: Payload.exe, 00000008.00000002.2540459645.0000020814370000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1318729017.00000208147B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: Payload.exe, 00000008.00000002.2540459645.00000208143F8000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1318729017.00000208147B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: Payload.exe, 00000008.00000002.2540459645.00000208143F8000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1318729017.00000208147B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: Payload.exe, 00000008.00000002.2541048725.00000208145B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1318729017.00000208147B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: Payload.exe, 00000008.00000002.2540459645.0000020814370000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1318729017.00000208147B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: Payload.exe, 00000008.00000002.2541048725.00000208145B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1318729017.00000208147B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: Payload.exe, 00000008.00000003.1328832680.0000020812B10000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1330982188.0000020812B0B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2539508952.0000020812AAA000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1318729017.00000208147B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: Payload.exe, 00000008.00000003.1335718562.0000020814A62000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1334122952.0000020814AA1000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1336282130.0000020814A62000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2541700662.0000020814A51000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1334911075.0000020814A62000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1332958855.0000020814A62000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1338593436.0000020814A51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/multiprocessing.html
Source: Payload.exe, 00000008.00000002.2542221738.0000020814F97000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2541700662.0000020814A51000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1338593436.0000020814A51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/pprint.html
Source: Payload.exe, 00000008.00000002.2542221738.0000020814F97000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1338085505.0000020814F97000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2541700662.0000020814A51000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1338593436.0000020814A51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/pprint.html#pprint.pprint
Source: Payload.exe, 00000008.00000003.1341643779.00000208150F9000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2542221738.0000020814DB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/re.html
Source: Payload.exe, 00000008.00000002.2543028313.00000208153C0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2543419271.0000020815700000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1341643779.00000208150F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/re.html#re.sub
Source: Payload.exe, 00000008.00000002.2548486961.0000020817003000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2548486961.0000020817111000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.rs/regex/latest/regex/#syntax
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ebay.com)
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://epicgames.com)
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://expressvpn.com)
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://file.io
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filepreviews.io/
Source: Payload.exe, 00000008.00000002.2545795180.0000020816400000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: Payload.exe, 00000008.00000002.2543028313.00000208153C0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2543530378.0000020815800000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca
Source: Payload.exe, 00000008.00000002.2544318194.0000020815B75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: Payload.exe, 00000008.00000002.2550815163.0000020818570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Rapptz/discord.py
Source: Payload.exe, 00000008.00000002.2546471032.0000020816860000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2546731380.00000208169B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2546351538.000002298AF80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/ThomasHabets/arping
Source: Payload.exe, 00000008.00000003.1328832680.0000020812B10000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2541346923.00000208147B0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1330982188.0000020812B0B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2539508952.0000020812AAA000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1318729017.00000208147B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: Payload.exe, 00000008.00000002.2547500969.0000020816DD2000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2544659093.0000020815E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/aio-libs/aiohttp/discussions/6044
Source: Payload.exe, 00000008.00000002.2546167369.0000020816760000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2546925831.0000020816AF0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2546010178.000002298AD40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/borisbabic/browser_cookie3/issues/new
Source: Payload.exe, 00000008.00000002.2548486961.0000020817003000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2542221738.0000020815078000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/freyacodes/Lavalink
Source: Payload.exe, 00000008.00000002.2546925831.0000020816AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/giampaolo/psutil/issues/875.
Source: Payload.exe, 00000008.00000002.2542922126.00000208152B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2543530378.0000020815800000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jaraco/jaraco.functools/issues/5
Source: Payload.exe, 00000011.00000003.1542266897.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/lz4/lz4/blob/dev/doc/lz4_Block_format.md
Source: Payload.exe, 00000011.00000003.1542266897.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/lz4/lz4/blob/master/doc/lz4_Frame_format.md
Source: Payload.exe, 00000011.00000003.1542266897.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/lz4/lz4/blob/master/examples/streaming_api_basics.md
Source: Payload.exe	String found in binary or memory: https://github.com/mhammond/pywin32
Source: Payload.exe, 00000008.00000002.2546167369.0000020816760000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2546010178.000002298AD40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/psf/requests/pull/6710
Source: Payload.exe, 00000011.00000003.1537579625.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography
Source: Payload.exe, 00000011.00000003.1537579625.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/
Source: Payload.exe, 00000011.00000003.1537579625.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/actions?query=workflow%3ACI
Source: Payload.exe, 00000011.00000003.1537579625.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/issues
Source: Payload.exe, 00000008.00000002.2567377200.00007FFB0AE9A000.00000002.00000001.01000000.00000036.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/issues/8996
Source: Payload.exe, 00000008.00000002.2567377200.00007FFB0AE9A000.00000002.00000001.01000000.00000036.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/issues/9253
Source: Payload.exe, 00000011.00000003.1537579625.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main
Source: Payload.exe, 00000008.00000002.2543028313.00000208153C0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2543419271.0000020815700000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/packaging
Source: Payload.exe, 00000008.00000002.2543028313.00000208153C0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2543419271.0000020815700000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/packagingI70282
Source: Payload.exe, 00000008.00000002.2543028313.00000208153C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues/1024.
Source: Payload.exe, 00000008.00000002.2542114919.0000020814CB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues/417#issuecomment-392298401
Source: Payload.exe, 00000008.00000002.2542221738.0000020814DB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyparsing/pyparsing/wiki
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536501072.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536410016.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs)
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536501072.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536410016.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/blob/main/.github/CONTRIBUTING.md)
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536501072.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536410016.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1328)
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536501072.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536410016.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1329)
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536501072.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536410016.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1330)
Source: Payload.exe, 00000008.00000002.2543636227.0000020815ADD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/136
Source: Payload.exe, 00000008.00000002.2541700662.0000020814A51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/251
Source: Payload.exe, 00000008.00000002.2543636227.0000020815ADD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/428
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536501072.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536410016.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/wiki/Extensions-to-attrs)
Source: Payload.exe, 00000011.00000003.1542266897.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-lz4/python-lz4
Source: Payload.exe, 00000011.00000003.1542266897.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-lz4/python-lz4/actions/workflows/build_dist.yml
Source: Payload.exe, 00000011.00000003.1542266897.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-lz4/python-lz4/actions/workflows/build_dist.yml/badge.svg
Source: Payload.exe, 00000011.00000003.1542266897.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-lz4/python-lz4/issues
Source: Payload.exe, 00000008.00000002.2540459645.00000208143F8000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1318729017.00000208147B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: Payload.exe, 00000008.00000003.1318729017.00000208147B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: Payload.exe, 00000008.00000003.1328832680.0000020812B10000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2541346923.00000208147B0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1330982188.0000020812B0B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2539508952.0000020812AAA000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1318729017.00000208147B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: Payload.exe, 00000008.00000002.2541346923.00000208147D4000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1332066444.0000020814B35000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1332165732.0000020814AB4000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1332200340.0000020814B35000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1332234691.0000020814AC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: Payload.exe, 00000008.00000002.2547500969.0000020816DD2000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2544659093.0000020815E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/pull/28073
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sponsors/hynek
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sponsors/hynek).
Source: Payload.exe, 00000008.00000003.1328832680.0000020812B10000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2541346923.00000208147B0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1330982188.0000020812B0B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2539508952.0000020812AAA000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1318729017.00000208147B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: Payload.exe, 00000008.00000002.2545795180.0000020816400000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: Payload.exe, 00000008.00000002.2542221738.0000020814F97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/29207
Source: Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920R
Source: Payload.exe, 00000008.00000002.2546049330.0000020816610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
Source: Payload.exe, 00000008.00000002.2546049330.0000020816610000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290p2
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gmail.com)
Source: Payload.exe, 00000008.00000002.2544318194.0000020815B75000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2543636227.000002081597E000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2542221738.0000020814DB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: Payload.exe, 00000008.00000002.2543636227.000002081597E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: Payload.exe, 00000008.00000002.2543636227.0000020815AAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://hbo.com)
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://hotmail.com)
Source: Payload.exe, 00000008.00000002.2542221738.0000020815078000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: Payload.exe, 00000008.00000002.2542221738.0000020814DB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: Payload.exe, 00000012.00000002.2546010178.000002298AD40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: Payload.exe, 00000008.00000002.2543636227.0000020815A14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536501072.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536410016.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hynek.me/articles/import-attrs/)
Source: Payload.exe, 00000008.00000002.2550962626.0000020818670000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://i.scdn.co/image/
Source: Payload.exe, 00000011.00000003.1537579625.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/pypi/v/cryptography.svg
Source: Payload.exe, 00000008.00000002.2542806128.00000208151B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://instagram.com)
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: Payload.exe, 00000008.00000002.2543636227.000002081597E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klaviyo.com/
Source: Payload.exe, 00000011.00000003.1542266897.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lz4.github.io/lz4/
Source: Payload.exe, 00000008.00000002.2544318194.0000020815BEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: Payload.exe, 00000011.00000003.1537579625.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mail.python.org/mailman/listinfo/cryptography-dev
Source: Payload.exe, 00000008.00000002.2550962626.0000020818670000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://media.discordapp.net/
Source: Payload.exe, 00000008.00000002.2550962626.0000020818670000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://media.discordapp.net/stickers/
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://minecraft.net)
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://netflix.com)
Source: Payload.exe, 00000008.00000002.2545437889.00000208160EB000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2541700662.0000020814ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf
Source: Payload.exe, 00000008.00000002.2550962626.0000020818670000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://open.spotify.com/track/
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://origin.com)
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com)
Source: Payload.exe, 00000008.00000002.2546471032.0000020816860000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2546731380.00000208169B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2546351538.000002298AF80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packages.debian.org/sid/iputils-arping
Source: Payload.exe, 00000008.00000002.2542751300.0000020815176000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/declaring-project-metadata/
Source: Payload.exe, 00000008.00000002.2543130034.00000208154D0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2543530378.0000020815800000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://paypal.com)
Source: Payload.exe, 00000008.00000003.1331719367.0000020814A62000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1331466736.0000020814A62000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2541598656.00000208148B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: Payload.exe, 00000008.00000002.2575133612.00007FFB0C15B000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536501072.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536410016.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0649/)
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536501072.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536410016.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0749/)-implementing
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://playstation.com)
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pornhub.com)
Source: Payload.exe, 00000008.00000002.2544659093.0000020815E34000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2544774972.0000020815F34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://projectfluent.org
Source: Payload.exe, 00000008.00000002.2547500969.0000020816DD2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pyopenssl.org/
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536501072.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536410016.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/attrs/)
Source: Payload.exe, 00000011.00000003.1537579625.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/cryptography/
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/blxsi/asdasdas/main/inject.js
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/python-attrs/attrs/main/docs/_static/attrs_logo.svg
Source: Payload.exe, 00000011.00000003.1537579625.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://readthedocs.org/projects/cryptography/badge/?version=latest
Source: Payload.exe, 00000011.00000003.1542266897.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://readthedocs.org/projects/python-lz4/
Source: Payload.exe, 00000011.00000003.1542266897.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://readthedocs.org/projects/python-lz4/badge/?version=stable
Source: Payload.exe, 00000008.00000002.2543028313.00000208153C0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2543530378.0000020815800000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://refspecs.linuxfoundation.org/elf/gabi4
Source: Payload.exe, 00000008.00000002.2546167369.0000020816760000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2543636227.0000020815A14000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2546010178.000002298AD40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: Payload.exe, 00000012.00000002.2546010178.000002298AD40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io02
Source: Payload.exe, 00000008.00000002.2546167369.0000020816760000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io0r
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://riotgames.com)
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://roblox.com)
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sellix.io)
Source: Payload.exe, 00000008.00000003.1333976365.000002081489B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1336104224.0000020814ED6000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1338085505.0000020814E78000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1334338316.0000020814EB4000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1334786467.0000020814EB4000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1335612152.0000020814EB4000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1333903791.0000020814E97000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1334478633.0000020814EBA000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1334037061.0000020814B49000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1335352584.0000020814EC1000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1335385566.0000020814ED2000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2542221738.0000020814DB0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1334519553.0000020814EDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access
Source: Payload.exe, 00000008.00000002.2543130034.00000208154D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/userguide/declarative_config.html#opt-2
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spotify.com)
Source: Payload.exe, 00000008.00000003.1338085505.0000020814E78000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2541700662.0000020814ACD000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2542221738.000002081501C000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1341643779.00000208150F9000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2542221738.0000020814DB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/267399/how-do-you-match-only-valid-roman-numerals-with-a-regular
Source: Payload.exe, 00000008.00000002.2546925831.0000020816AF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/4457745#4457745.
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536501072.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536410016.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/tagged/python-attrs)
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steam.com)
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://superfurrycdn.nl/copy/
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://telegram.com)
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/?utm_source=lifter&utm_medium=referral&utm_campaign=hynek
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536501072.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536410016.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/?utm_source=lifter&utm_medium=referral&utm_campaign=hynek).
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-attrs?utm_source=pypi-attrs&utm_medium=pypi
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tiktok.com)
Source: Payload.exe, 00000008.00000002.2541700662.00000208149BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: Payload.exe, 00000008.00000002.2544659093.0000020815E34000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2549029984.00000208171C7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2542221738.0000020815078000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc3610
Source: Payload.exe, 00000008.00000002.2544318194.0000020815BEB000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2550137923.0000020817296000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2543636227.0000020815A14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc5297
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://twitch.com)
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com)
Source: Payload.exe, 00000008.00000002.2544318194.0000020815B75000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2542221738.0000020814DB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://uber.com)
Source: Payload.exe, 00000008.00000002.2542806128.00000208151B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2543419271.0000020815700000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://upload.pypi.org/legacy/
Source: Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: Payload.exe, 00000008.00000002.2541346923.00000208147D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wiki.debian.org/XDGBaseDirectorySpecification#state
Source: Payload.exe, 00000011.00000003.1537899190.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.apache.org/licenses/
Source: Payload.exe, 00000011.00000003.1537969005.000002BE1CC65000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1537899190.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1537899190.000002BE1CC64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.apache.org/licenses/LICENSE-2.0
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536501072.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536410016.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/)
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/FilePreviews.svg
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/Klaviyo.svg
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/Tidelift.svg
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/Variomedia.svg
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/latest/glossary.html#term-dunder-methods)).
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536501072.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536410016.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/latest/names.html)
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/stable/changelog.html
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/stable/changelog.html)
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536501072.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536410016.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/stable/comparison.html#customization)
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536501072.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536410016.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/stable/init.html#hooking-yourself-into-initialization)
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536501072.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536410016.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/stable/why.html#data-classes)
Source: Payload.exe, 00000011.00000003.1542266897.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.github.com/python-lz4/python-lz4
Source: Payload.exe, 00000008.00000002.2544318194.0000020815D3C000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2544659093.0000020815E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ietf.org/rfc/rfc2898.txt
Source: Payload.exe, 00000008.00000002.2542221738.0000020815078000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2544582073.0000020815D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.manpagez.com/man/8/networksetup/
Source: Payload.exe, 00000008.00000002.2572566768.00007FFB0BB53000.00000002.00000001.01000000.00000017.sdmp, Payload.exe, 00000008.00000002.2572914355.00007FFB0BC30000.00000002.00000001.01000000.00000016.sdmp, Payload.exe, 00000011.00000003.1541754025.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: Payload.exe, 00000008.00000002.2547252942.0000020816CD0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2546831931.000002298B2A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.openssl.org/docs/manmaster/man3/X509_VERIFY_PARAM_set_flags.html
Source: Payload.exe, 00000008.00000002.2546925831.0000020816AF0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000003.1620776899.000002298A677000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.openssl.org/docs/manmaster/man3/X509_verify_cert_error_string.html#ERROR-CODES
Source: Payload.exe, 00000008.00000002.2543636227.0000020815ADD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.openssl.org/docs/manmaster/man5/
Source: Payload.exe, 00000008.00000002.2543636227.0000020815A14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: Payload.exe, 00000008.00000002.2544318194.0000020815BEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/
Source: Payload.exe, 00000008.00000003.1320286905.000002081485A000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1323143813.000002081485A000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1319971745.0000020814843000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2540459645.0000020814370000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1323056909.0000020814843000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1319971745.0000020814858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: Payload.exe, 00000008.00000002.2575548912.00007FFB0C1F8000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.python.org/psf/license/
Source: Payload.exe, 00000008.00000002.2542221738.0000020815078000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.variomedia.de/
Source: Payload.exe, 00000008.00000002.2544582073.0000020815D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: Payload.exe, 00000008.00000002.2544318194.0000020815B9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://xbox.com)
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com)
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com)?i
Source: Payload.exe, 00000008.00000002.2543636227.000002081597E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com)

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51424
Source: unknown	Network traffic detected: HTTP traffic on port 51424 -> 443

Source: C:\Users\user\Desktop\Payload.exe

Code function: 8_2_00007FFB0BC74EB0 _PyArg_ParseTuple_SizeT,PyEval_SaveThread,GetKeyboardState,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,PyBytes_FromStringAndSize,

8_2_00007FFB0BC74EB0

Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B081E90 PyList_New,GetActiveProcessorCount,PyErr_SetFromWindowsErr,_Py_Dealloc,free,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,PyExc_RuntimeError,PyErr_SetString,malloc,PyErr_NoMemory,NtQuerySystemInformation,Py_BuildValue,PyList_Append,_Py_Dealloc,free,_Py_Dealloc,	8_2_00007FFB0B081E90
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B084AB0 PyArg_ParseTuple,OpenProcess,GetLastError,GetProcessHeap,HeapAlloc,NtQueryVirtualMemory,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQueryVirtualMemory,PyExc_RuntimeError,PyErr_SetString,CloseHandle,PyErr_Clear,GetProcessHeap,HeapFree,CloseHandle,GetProcessHeap,HeapFree,CloseHandle,Py_BuildValue,PyErr_NoMemory,CloseHandle,	8_2_00007FFB0B084AB0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B0846C0 PyArg_ParseTuple,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,Py_BuildValue,PyUnicode_FromWideChar,GetProcessHeap,HeapFree,PyErr_NoMemory,	8_2_00007FFB0B0846C0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B086AE0 OpenProcess,GetLastError,NtQueryInformationProcess,RtlNtStatusToDosErrorNoTeb,PyErr_SetFromWindowsErrWithFilename,CloseHandle,ReadProcessMemory,GetLastError,CloseHandle,ReadProcessMemory,NtQueryInformationProcess,CloseHandle,ReadProcessMemory,ReadProcessMemory,VirtualQueryEx,GetLastError,PyErr_SetFromWindowsErrWithFilename,CloseHandle,calloc,PyErr_NoMemory,CloseHandle,ReadProcessMemory,GetLastError,CloseHandle,free,CloseHandle,	8_2_00007FFB0B086AE0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B085850 PyArg_ParseTuple,OpenProcess,GetLastError,NtSetInformationProcess,CloseHandle,_Py_NoneStruct,_Py_NoneStruct,	8_2_00007FFB0B085850
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B084D40 PyArg_ParseTuple,OpenProcess,GetLastError,PyObject_IsTrue,NtSuspendProcess,NtResumeProcess,CloseHandle,_Py_NoneStruct,_Py_NoneStruct,	8_2_00007FFB0B084D40
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B086640 PyList_New,EnterCriticalSection,GetProcessHeap,HeapAlloc,PyErr_NoMemory,_Py_Dealloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,PyExc_RuntimeError,PyErr_SetString,GetCurrentProcess,DuplicateHandle,PyUnicode_FromWideChar,PyList_Append,_Py_Dealloc,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,_Py_Dealloc,GetProcessHeap,HeapFree,LeaveCriticalSection,	8_2_00007FFB0B086640
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B085760 PyArg_ParseTuple,OpenProcess,GetLastError,NtQueryInformationProcess,CloseHandle,Py_BuildValue,	8_2_00007FFB0B085760
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B086290 GetProcessHeap,HeapAlloc,GetFileType,SetLastError,NtQueryObject,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,PyErr_NoMemory,GetProcessHeap,HeapFree,	8_2_00007FFB0B086290
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B082480 GetActiveProcessorCount,PyErr_SetFromWindowsErr,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,PyExc_RuntimeError,PyErr_SetString,malloc,PyErr_NoMemory,NtQuerySystemInformation,free,malloc,PyErr_NoMemory,NtQuerySystemInformation,malloc,PyErr_NoMemory,NtQuerySystemInformation,free,free,free,free,free,Py_BuildValue,	8_2_00007FFB0B082480
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B087480 malloc,NtQuerySystemInformation,free,malloc,PyErr_NoMemory,free,free,	8_2_00007FFB0B087480
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B086E80 PyExc_RuntimeError,PyErr_SetString,OpenProcess,GetLastError,NtQueryInformationProcess,CloseHandle,CloseHandle,calloc,PyErr_NoMemory,CloseHandle,NtQueryInformationProcess,calloc,PyErr_NoMemory,free,CloseHandle,wcscpy_s,free,CloseHandle,	8_2_00007FFB0B086E80

Source: C:\Users\user\Desktop\Payload.exe

Code function: 8_2_00007FFB0B082B00: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle,

8_2_00007FFB0B082B00

Source: C:\Users\user\Desktop\Payload.exe

Code function: 8_2_00007FFB0BC75800 _PyArg_ParseTuple_SizeT,PyEval_SaveThread,ExitWindowsEx,PyEval_RestoreThread,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,_Py_NoneStruct,_Py_NoneStruct,

8_2_00007FFB0BC75800

Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF6988189E0	4_2_00007FF6988189E0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF698836964	4_2_00007FF698836964
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF698835C00	4_2_00007FF698835C00
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF698811000	4_2_00007FF698811000
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF698821944	4_2_00007FF698821944
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF698822164	4_2_00007FF698822164
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF6988239A4	4_2_00007FF6988239A4
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF69881A2DB	4_2_00007FF69881A2DB
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF69882DA5C	4_2_00007FF69882DA5C
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF698833C10	4_2_00007FF698833C10
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF698822C10	4_2_00007FF698822C10
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF698836418	4_2_00007FF698836418
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF6988308C8	4_2_00007FF6988308C8
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF698821B50	4_2_00007FF698821B50
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF698825D30	4_2_00007FF698825D30
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF69881A474	4_2_00007FF69881A474
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF69881ACAD	4_2_00007FF69881ACAD
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF698821D54	4_2_00007FF698821D54
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF69882E570	4_2_00007FF69882E570
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF6988235A0	4_2_00007FF6988235A0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF69882DEF0	4_2_00007FF69882DEF0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF698839728	4_2_00007FF698839728
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF698835E7C	4_2_00007FF698835E7C
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF698829EA0	4_2_00007FF698829EA0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF698819800	4_2_00007FF698819800
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF698821740	4_2_00007FF698821740
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF698821F60	4_2_00007FF698821F60
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF698828794	4_2_00007FF698828794
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF6988308C8	4_2_00007FF6988308C8
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF6988280E4	4_2_00007FF6988280E4
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF698831874	4_2_00007FF698831874
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF6988340AC	4_2_00007FF6988340AC
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF698836964	8_2_00007FF698836964
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF698835C00	8_2_00007FF698835C00
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF698811000	8_2_00007FF698811000
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF6988189E0	8_2_00007FF6988189E0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF698821944	8_2_00007FF698821944
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF698822164	8_2_00007FF698822164
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF6988239A4	8_2_00007FF6988239A4
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF69881A2DB	8_2_00007FF69881A2DB
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF69882DA5C	8_2_00007FF69882DA5C
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF698833C10	8_2_00007FF698833C10
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF698822C10	8_2_00007FF698822C10
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF698836418	8_2_00007FF698836418
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF6988308C8	8_2_00007FF6988308C8
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF698821B50	8_2_00007FF698821B50
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF698825D30	8_2_00007FF698825D30
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF69881A474	8_2_00007FF69881A474
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF69881ACAD	8_2_00007FF69881ACAD
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF698821D54	8_2_00007FF698821D54
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF69882E570	8_2_00007FF69882E570
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF6988235A0	8_2_00007FF6988235A0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF69882DEF0	8_2_00007FF69882DEF0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF698839728	8_2_00007FF698839728
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF698835E7C	8_2_00007FF698835E7C
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF698829EA0	8_2_00007FF698829EA0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF698819800	8_2_00007FF698819800
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF698821740	8_2_00007FF698821740
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF698821F60	8_2_00007FF698821F60
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF698828794	8_2_00007FF698828794
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF6988308C8	8_2_00007FF6988308C8
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF6988280E4	8_2_00007FF6988280E4
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF698831874	8_2_00007FF698831874
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF6988340AC	8_2_00007FF6988340AC
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A664810	8_2_00007FFB0A664810
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A6645C0	8_2_00007FFB0A6645C0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A681D30	8_2_00007FFB0A681D30
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A682120	8_2_00007FFB0A682120
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A691F00	8_2_00007FFB0A691F00
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A6921E0	8_2_00007FFB0A6921E0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A6B1F80	8_2_00007FFB0A6B1F80
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A6C2380	8_2_00007FFB0A6C2380
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A6C2270	8_2_00007FFB0A6C2270
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A6C1D30	8_2_00007FFB0A6C1D30
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A6D2280	8_2_00007FFB0A6D2280
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A6D1D30	8_2_00007FFB0A6D1D30
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A6E2150	8_2_00007FFB0A6E2150
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A811DB0	8_2_00007FFB0A811DB0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A894070	8_2_00007FFB0A894070
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A8B7150	8_2_00007FFB0A8B7150
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B081E90	8_2_00007FFB0B081E90
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B088FA0	8_2_00007FFB0B088FA0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B082B00	8_2_00007FFB0B082B00
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B084E30	8_2_00007FFB0B084E30
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B086640	8_2_00007FFB0B086640
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B089A40	8_2_00007FFB0B089A40
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B082E70	8_2_00007FFB0B082E70
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B083970	8_2_00007FFB0B083970
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B0B4820	8_2_00007FFB0B0B4820
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B0B45D0	8_2_00007FFB0B0B45D0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B166BE0	8_2_00007FFB0B166BE0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B107C90	8_2_00007FFB0B107C90
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B0EAAB0	8_2_00007FFB0B0EAAB0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B174AB0	8_2_00007FFB0B174AB0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B0FBB70	8_2_00007FFB0B0FBB70
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B192B90	8_2_00007FFB0B192B90
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B100A50	8_2_00007FFB0B100A50
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B141A80	8_2_00007FFB0B141A80
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B159A70	8_2_00007FFB0B159A70
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B1908A0	8_2_00007FFB0B1908A0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B0E6948	8_2_00007FFB0B0E6948
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B125930	8_2_00007FFB0B125930
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B193960	8_2_00007FFB0B193960
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B0EE980	8_2_00007FFB0B0EE980
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B150FC0	8_2_00007FFB0B150FC0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B164FD0	8_2_00007FFB0B164FD0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B185FB0	8_2_00007FFB0B185FB0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B182080	8_2_00007FFB0B182080
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B196090	8_2_00007FFB0B196090
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B0E8F10	8_2_00007FFB0B0E8F10
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B186EF0	8_2_00007FFB0B186EF0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B10BF40	8_2_00007FFB0B10BF40
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B194F20	8_2_00007FFB0B194F20
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B127E10	8_2_00007FFB0B127E10
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B182DE0	8_2_00007FFB0B182DE0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B138DF0	8_2_00007FFB0B138DF0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B14DE70	8_2_00007FFB0B14DE70
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B139CD0	8_2_00007FFB0B139CD0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B0E3CA0	8_2_00007FFB0B0E3CA0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B0F8CF0	8_2_00007FFB0B0F8CF0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B102D20	8_2_00007FFB0B102D20
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B0E6D42	8_2_00007FFB0B0E6D42
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B2518A0	8_2_00007FFB0B2518A0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0BC73890	8_2_00007FFB0BC73890
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0BC74330	8_2_00007FFB0BC74330
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB608C8	17_2_00007FF74DB608C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB41000	17_2_00007FF74DB41000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB489E0	17_2_00007FF74DB489E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB66964	17_2_00007FF74DB66964
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB65C00	17_2_00007FF74DB65C00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB5DEF0	17_2_00007FF74DB5DEF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB59EA0	17_2_00007FF74DB59EA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB65E7C	17_2_00007FF74DB65E7C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB535A0	17_2_00007FF74DB535A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB5E570	17_2_00007FF74DB5E570
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB55D30	17_2_00007FF74DB55D30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB51D54	17_2_00007FF74DB51D54
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB580E4	17_2_00007FF74DB580E4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB640AC	17_2_00007FF74DB640AC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB61874	17_2_00007FF74DB61874
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB49800	17_2_00007FF74DB49800
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB51F60	17_2_00007FF74DB51F60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB58794	17_2_00007FF74DB58794
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB69728	17_2_00007FF74DB69728
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB51740	17_2_00007FF74DB51740
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB4A2DB	17_2_00007FF74DB4A2DB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB5DA5C	17_2_00007FF74DB5DA5C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB539A4	17_2_00007FF74DB539A4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB52164	17_2_00007FF74DB52164
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB51944	17_2_00007FF74DB51944
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB4ACAD	17_2_00007FF74DB4ACAD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB4A474	17_2_00007FF74DB4A474
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB66418	17_2_00007FF74DB66418
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB608C8	17_2_00007FF74DB608C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB63C10	17_2_00007FF74DB63C10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB52C10	17_2_00007FF74DB52C10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB51B50	17_2_00007FF74DB51B50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB41000	18_2_00007FF74DB41000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB66964	18_2_00007FF74DB66964
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB65C00	18_2_00007FF74DB65C00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB5DEF0	18_2_00007FF74DB5DEF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB59EA0	18_2_00007FF74DB59EA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB65E7C	18_2_00007FF74DB65E7C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB535A0	18_2_00007FF74DB535A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB5E570	18_2_00007FF74DB5E570
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB55D30	18_2_00007FF74DB55D30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB51D54	18_2_00007FF74DB51D54
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB580E4	18_2_00007FF74DB580E4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB640AC	18_2_00007FF74DB640AC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB608C8	18_2_00007FF74DB608C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB61874	18_2_00007FF74DB61874
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB49800	18_2_00007FF74DB49800
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB51F60	18_2_00007FF74DB51F60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB58794	18_2_00007FF74DB58794
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB69728	18_2_00007FF74DB69728
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB51740	18_2_00007FF74DB51740
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB4A2DB	18_2_00007FF74DB4A2DB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB5DA5C	18_2_00007FF74DB5DA5C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB489E0	18_2_00007FF74DB489E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB539A4	18_2_00007FF74DB539A4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB52164	18_2_00007FF74DB52164
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB51944	18_2_00007FF74DB51944
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB4ACAD	18_2_00007FF74DB4ACAD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB4A474	18_2_00007FF74DB4A474
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB66418	18_2_00007FF74DB66418
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB608C8	18_2_00007FF74DB608C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB63C10	18_2_00007FF74DB63C10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB52C10	18_2_00007FF74DB52C10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB51B50	18_2_00007FF74DB51B50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08CB23E0	18_2_00007FFB08CB23E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08CB1FB0	18_2_00007FFB08CB1FB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08CC4810	18_2_00007FFB08CC4810
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08CC45C0	18_2_00007FFB08CC45C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08CF21E0	18_2_00007FFB08CF21E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08CF1F00	18_2_00007FFB08CF1F00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08D22380	18_2_00007FFB08D22380
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08D22270	18_2_00007FFB08D22270
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08D21D30	18_2_00007FFB08D21D30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08D42150	18_2_00007FFB08D42150
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08D72230	18_2_00007FFB08D72230
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08E97150	18_2_00007FFB08E97150
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08EBAD30	18_2_00007FFB08EBAD30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08EB4F30	18_2_00007FFB08EB4F30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB09681FD0	18_2_00007FFB09681FD0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB09682430	18_2_00007FFB09682430
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB096945D0	18_2_00007FFB096945D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB09694820	18_2_00007FFB09694820
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB09750A50	18_2_00007FFB09750A50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB097A9A70	18_2_00007FFB097A9A70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB09791A80	18_2_00007FFB09791A80
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB09775930	18_2_00007FFB09775930
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB09736948	18_2_00007FFB09736948
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB097E3960	18_2_00007FFB097E3960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB0973E980	18_2_00007FFB0973E980
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB097E08A0	18_2_00007FFB097E08A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB09757C90	18_2_00007FFB09757C90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB097B6BE0	18_2_00007FFB097B6BE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB0974BB70	18_2_00007FFB0974BB70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB097E2B90	18_2_00007FFB097E2B90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB0973AAB0	18_2_00007FFB0973AAB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB097C4AB0	18_2_00007FFB097C4AB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB0979DE70	18_2_00007FFB0979DE70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB097D2DE0	18_2_00007FFB097D2DE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB09788DF0	18_2_00007FFB09788DF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB09777E10	18_2_00007FFB09777E10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB09752D20	18_2_00007FFB09752D20
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB09736D42	18_2_00007FFB09736D42
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB0973FD60	18_2_00007FFB0973FD60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB09733CA0	18_2_00007FFB09733CA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB09789CD0	18_2_00007FFB09789CD0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB09748CF0	18_2_00007FFB09748CF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB097D2080	18_2_00007FFB097D2080
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB097E6090	18_2_00007FFB097E6090
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB097D5FB0	18_2_00007FFB097D5FB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB097A0FC0	18_2_00007FFB097A0FC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB097B4FD0	18_2_00007FFB097B4FD0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB097E4F20	18_2_00007FFB097E4F20
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB0975BF40	18_2_00007FFB0975BF40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB097D6EF0	18_2_00007FFB097D6EF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB09738F10	18_2_00007FFB09738F10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB098A18A0	18_2_00007FFB098A18A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB0A5B2220	18_2_00007FFB0A5B2220
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB0A63C190	18_2_00007FFB0A63C190
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB0A636310	18_2_00007FFB0A636310
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB0A638C70	18_2_00007FFB0A638C70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB0A63A334	18_2_00007FFB0A63A334
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB0A6319A0	18_2_00007FFB0A6319A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB1C8C8D30	18_2_00007FFB1C8C8D30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB1C8E8D50	18_2_00007FFB1C8E8D50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB1C965CC0	18_2_00007FFB1C965CC0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB1C8FACC4	18_2_00007FFB1C8FACC4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB1C8D6E30	18_2_00007FFB1C8D6E30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB1C92EE44	18_2_00007FFB1C92EE44
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB1C8EBE10	18_2_00007FFB1C8EBE10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB1DEE7B80	18_2_00007FFB1DEE7B80
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB1DEE7F2A	18_2_00007FFB1DEE7F2A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB1DEE82D8	18_2_00007FFB1DEE82D8

Source: C:\Users\user\Desktop\Payload.exe	Code function: String function: 00007FFB0B081070 appears 43 times
Source: C:\Users\user\Desktop\Payload.exe	Code function: String function: 00007FF698812710 appears 104 times
Source: C:\Users\user\Desktop\Payload.exe	Code function: String function: 00007FFB0B0E9D60 appears 83 times
Source: C:\Users\user\Desktop\Payload.exe	Code function: String function: 00007FF698812910 appears 34 times
Source: C:\Users\user\Desktop\Payload.exe	Code function: String function: 00007FFB0B081D70 appears 39 times
Source: C:\Users\user\Desktop\Payload.exe	Code function: String function: 00007FFB0B0E8E10 appears 73 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: String function: 00007FFB09739D60 appears 84 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: String function: 00007FFB08EC02F0 appears 35 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: String function: 00007FFB09738E10 appears 73 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: String function: 00007FF74DB42710 appears 104 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: String function: 00007FFB08DCDD60 appears 47 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: String function: 00007FF74DB42910 appears 34 times

Source: unicodedata.pyd.4.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: api-ms-win-core-processthreads-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found
Source: python3.dll.4.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.4.dr	Static PE information: No import functions for PE file found

Source: Payload.exe	Binary or memory string: OriginalFilename vs Payload.exe
Source: Payload.exe, 00000008.00000002.2574676712.00007FFB0BDD2000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs Payload.exe
Source: Payload.exe, 00000008.00000002.2583210485.00007FFB1AB17000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs Payload.exe
Source: Payload.exe, 00000008.00000002.2588687903.00007FFB1E68A000.00000002.00000001.01000000.0000001F.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs Payload.exe
Source: Payload.exe, 00000008.00000002.2571215281.00007FFB0B65E000.00000002.00000001.01000000.00000018.sdmp	Binary or memory string: OriginalFilename_asyncio.pyd. vs Payload.exe
Source: Payload.exe, 00000008.00000002.2580045645.00007FFB0C49C000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs Payload.exe
Source: Payload.exe, 00000008.00000002.2582613506.00007FFB18B8B000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs Payload.exe
Source: Payload.exe, 00000008.00000002.2579064825.00007FFB0C397000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamepython311.dll. vs Payload.exe
Source: Payload.exe, 00000008.00000002.2580482729.00007FFB167B5000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs Payload.exe
Source: Payload.exe, 00000008.00000002.2587070095.00007FFB1D5B6000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs Payload.exe
Source: Payload.exe, 00000008.00000002.2574129448.00007FFB0BD71000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilenamepywintypes311.dll0 vs Payload.exe
Source: Payload.exe, 00000008.00000002.2586518780.00007FFB1CD2B000.00000002.00000001.01000000.00000019.sdmp	Binary or memory string: OriginalFilename_overlapped.pyd. vs Payload.exe
Source: Payload.exe, 00000008.00000002.2574419936.00007FFB0BDAE000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilenamepyexpat.pyd. vs Payload.exe
Source: Payload.exe, 00000008.00000002.2565018728.00007FFB0A804000.00000002.00000001.01000000.0000003E.sdmp	Binary or memory string: OriginalFilename_uuid.pyd. vs Payload.exe
Source: Payload.exe, 00000008.00000002.2587334213.00007FFB1D896000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs Payload.exe
Source: Payload.exe, 00000008.00000002.2569977529.00007FFB0B365000.00000002.00000001.01000000.0000001E.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs Payload.exe
Source: Payload.exe, 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmp	Binary or memory string: OriginalFilenamewin32api.pyd0 vs Payload.exe
Source: Payload.exe, 00000008.00000002.2586782707.00007FFB1D349000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs Payload.exe
Source: Payload.exe, 00000008.00000002.2571003316.00007FFB0B63E000.00000002.00000001.01000000.0000001B.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs Payload.exe
Source: Payload.exe, 00000008.00000002.2572566768.00007FFB0BB53000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs Payload.exe
Source: Payload.exe, 00000008.00000002.2581594515.00007FFB174D2000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs Payload.exe
Source: Payload.exe, 00000008.00000002.2569383006.00007FFB0B240000.00000002.00000001.01000000.00000020.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs Payload.exe
Source: Payload.exe, 00000008.00000002.2540131598.00000208142F0000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs Payload.exe
Source: Payload.exe, 00000008.00000002.2573875566.00007FFB0BD44000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: OriginalFilenamepythoncom311.dll0 vs Payload.exe
Source: Payload.exe, 00000008.00000002.2542221738.0000020814DB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs Payload.exe
Source: Payload.exe, 00000008.00000002.2572914355.00007FFB0BC30000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: OriginalFilenamelibsslH vs Payload.exe
Source: Payload.exe, 00000008.00000002.2573274090.00007FFB0BC69000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs Payload.exe
Source: Payload.exe, 00000011.00000003.1534492530.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1535857657.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1517669281.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs Payload.exe
Source: Payload.exe, 00000011.00000003.1527613096.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1516375959.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs Payload.exe
Source: Payload.exe, 00000011.00000003.1534939724.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1529285605.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1535122836.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1536245243.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1517913162.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs Payload.exe
Source: Payload.exe, 00000011.00000003.1536150494.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1535758153.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1543133337.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepyexpat.pyd. vs Payload.exe
Source: Payload.exe, 00000011.00000003.1522273413.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1521477292.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1516984010.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_multiprocessing.pyd. vs Payload.exe
Source: Payload.exe, 00000011.00000003.1522056736.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1528209831.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1516620675.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs Payload.exe
Source: Payload.exe, 00000011.00000003.1525976493.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1541754025.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs Payload.exe
Source: Payload.exe, 00000011.00000003.1522624454.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1515744136.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs Payload.exe
Source: Payload.exe, 00000011.00000003.1521838312.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1534637312.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1516117123.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs Payload.exe
Source: Payload.exe, 00000011.00000003.1515234510.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_asyncio.pyd. vs Payload.exe
Source: Payload.exe, 00000011.00000003.1518557370.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_uuid.pyd. vs Payload.exe
Source: Payload.exe, 00000011.00000003.1523524331.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1515059516.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs Payload.exe
Source: Payload.exe, 00000011.00000003.1536045528.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1520542882.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1533971013.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1530656784.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1514453946.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32ui.pyd0 vs Payload.exe
Source: Payload.exe, 00000011.00000003.1522448538.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1523190235.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1534133545.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1526919786.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1520906605.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1523845563.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1517294731.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_overlapped.pyd. vs Payload.exe
Source: Payload.exe, 00000011.00000003.1524827877.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1525585820.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1520245423.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1535938916.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1534844534.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1516792514.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs Payload.exe
Source: Payload.exe, 00000011.00000003.1527988559.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1524126722.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1520339980.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1522902662.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1514810535.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs Payload.exe
Source: Payload.exe, 00000011.00000003.1521263500.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1517465555.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs Payload.exe
Source: Payload.exe, 00000011.00000003.1535485925.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000011.00000003.1518356296.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs Payload.exe
Source: Payload.exe	Binary or memory string: OriginalFilename vs Payload.exe
Source: Payload.exe, 00000012.00000002.2584908418.00007FFB1C9AC000.00000002.00000001.01000000.00000054.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs Payload.exe

Source: classification engine

Classification label: mal92.troj.adwa.evad.winEXE@28/399@1/1

Source: C:\Users\user\Desktop\Payload.exe

Code function: 8_2_00007FFB0BC73890 _PyArg_ParseTuple_SizeT,GetLastError,?PyWin_GetErrorMessageModule@@YAPEAUHINSTANCE__@@K@Z,FormatMessageW,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,?PyWinObject_FromOLECHAR@@YAPEAU_object@@PEB_W@Z,PyErr_Clear,_PyArg_ParseTuple_SizeT,?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,?PyWinSequence_Tuple@@YAPEAU_object@@PEAU1@PEAK@Z,malloc,PyErr_NoMemory,memset,?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z,PyEval_SaveThread,FormatMessageW,PyEval_RestoreThread,PyExc_SystemError,PyErr_SetString,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,?PyWinObject_FromOLECHAR@@YAPEAU_object@@PEB_W@Z,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,free,?PyWinObject_FreeWCHAR@@YAXPEA_W@Z,LocalFree,_Py_Dealloc,

8_2_00007FFB0BC73890

Source: C:\Users\user\Desktop\Payload.exe

Code function: 8_2_00007FFB0B087E20 GetCurrentProcess,OpenProcessToken,GetLastError,ImpersonateSelf,OpenProcessToken,GetLastError,PyErr_SetFromWindowsErrWithFilename,LookupPrivilegeValueA,GetLastError,PyErr_SetFromWindowsErrWithFilename,AdjustTokenPrivileges,GetLastError,PyErr_SetFromWindowsErrWithFilename,AdjustTokenPrivileges,RevertToSelf,CloseHandle,

8_2_00007FFB0B087E20

Source: C:\Users\user\Desktop\Payload.exe

Code function: 8_2_00007FFB0B082A30 PyArg_ParseTuple,PyUnicode_AsWideCharString,PyEval_SaveThread,GetDiskFreeSpaceExW,PyEval_RestoreThread,PyMem_Free,PyExc_OSError,PyErr_SetExcFromWindowsErrWithFilenameObject,Py_BuildValue,

8_2_00007FFB0B082A30

Source: C:\Users\user\Desktop\Payload.exe

Code function: 8_2_00007FFB0B084E30 PyList_New,PyArg_ParseTuple,CreateToolhelp32Snapshot,_Py_Dealloc,CloseHandle,CloseHandle,Thread32First,OpenThread,GetThreadTimes,Py_BuildValue,PyList_Append,_Py_Dealloc,CloseHandle,Thread32Next,CloseHandle,_Py_Dealloc,

8_2_00007FFB0B084E30

Source: C:\Users\user\Desktop\Payload.exe

Code function: 8_2_00007FFB0BC7CBC0 _PyArg_ParseTuple_SizeT,?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z,?PyWinObject_AsResourceId@@YAHPEAU_object@@PEAPEA_WH@Z,?PyWinObject_AsResourceId@@YAHPEAU_object@@PEAPEA_WH@Z,?init@PyWinBufferView@@QEAA_NPEAU_object@@_N1@Z,UpdateResourceW,_Py_NoneStruct,_Py_NoneStruct,?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z,?PyWinObject_FreeResourceId@@YAXPEA_W@Z,?PyWinObject_FreeResourceId@@YAXPEA_W@Z,??1PyWinBufferView@@QEAA@XZ,

8_2_00007FFB0BC7CBC0

Source: C:\Users\user\Desktop\Payload.exe

Code function: 8_2_00007FFB0B088B10 PyArg_ParseTuple,StartServiceA,CloseServiceHandle,CloseServiceHandle,_Py_NoneStruct,_Py_NoneStruct,

8_2_00007FFB0B088B10

Source: C:\Users\user\Desktop\Payload.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8016:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8076:120:WilError_03

Source: C:\Users\user\Desktop\Payload.exe

File created: C:\Users\user~1\AppData\Local\Temp\_MEI70282

Jump to behavior

Source: Payload.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Payload.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Payload.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT action_url, username_value, password_value FROM logins;
Source: Payload.exe, 00000008.00000002.2569256358.00007FFB0B20E000.00000002.00000001.01000000.00000020.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Payload.exe, 00000008.00000002.2546167369.0000020816760000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2546010178.000002298AD40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT host_key, path, is_secure, expires_utc, name, value, encrypted_value, is_httponly FROM cookies WHERE host_key like ?;
Source: Payload.exe, 00000008.00000002.2546167369.0000020816760000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2546010178.000002298AD40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT host_key, path, secure, expires_utc, name, value, encrypted_value, is_httponly FROM cookies WHERE host_key like ?;
Source: Payload.exe, 00000008.00000002.2569256358.00007FFB0B20E000.00000002.00000001.01000000.00000020.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Payload.exe, 00000008.00000002.2569256358.00007FFB0B20E000.00000002.00000001.01000000.00000020.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Payload.exe, 00000008.00000002.2569256358.00007FFB0B20E000.00000002.00000001.01000000.00000020.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: Payload.exe	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Payload.exe, 00000008.00000002.2569256358.00007FFB0B20E000.00000002.00000001.01000000.00000020.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: Payload.exe, 00000008.00000002.2569256358.00007FFB0B20E000.00000002.00000001.01000000.00000020.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: Payload.exe

ReversingLabs: Detection: 58%

Source: C:\Users\user\Desktop\Payload.exe

File read: C:\Users\user\Desktop\Payload.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Payload.exe "C:\Users\user\Desktop\Payload.exe"
Source: C:\Users\user\Desktop\Payload.exe	Process created: C:\Users\user\Desktop\Payload.exe "C:\Users\user\Desktop\Payload.exe"
Source: C:\Users\user\Desktop\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Source: C:\Users\user\Desktop\Payload.exe	Process created: C:\Users\user\Desktop\Payload.exe "C:\Users\user\Desktop\Payload.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

Source: C:\Users\user\Desktop\Payload.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll

Source: C:\Users\user\Desktop\Payload.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Payload.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Payload.exe

Static file information: File size 26241148 > 1048576

Source: Payload.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Payload.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Payload.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Payload.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Payload.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Payload.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Payload.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: Payload.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1535857657.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cryptography_rust.pdbc source: Payload.exe, 00000008.00000002.2567377200.00007FFB0AE9A000.00000002.00000001.01000000.00000036.sdmp
Source:	Binary string: ucrtbase.pdb source: Payload.exe, 00000008.00000002.2579822024.00007FFB0C461000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: Payload.exe, 00000011.00000003.1521477292.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1520542882.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1528209831.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1534637312.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1523190235.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ossl_ec_GFp_simple_group_set_curvecrypto\ec\ecp_smpl.cossl_ec_GFp_simple_group_check_discriminantossl_ec_GFp_simple_point_set_affine_coordinatesossl_ec_GFp_simple_point_get_affine_coordinatesossl_ec_GFp_simple_make_affineossl_ec_GFp_simple_points_make_affineossl_ec_GFp_simple_field_invossl_ec_GFp_simple_blind_coordinatescrypto\engine\tb_digest.cENGINE_get_digestcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specific.dllCPUINFO: crypto\initthread.cOPENSSL_ia32cap source: Payload.exe, 00000008.00000002.2567377200.00007FFB0AE9A000.00000002.00000001.01000000.00000036.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1534844534.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1522273413.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: Payload.exe, 00000008.00000002.2567377200.00007FFB0AE9A000.00000002.00000001.01000000.00000036.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: Payload.exe, 00000008.00000002.2586691438.00007FFB1D345000.00000002.00000001.01000000.00000012.sdmp, Payload.exe, 00000011.00000003.1515059516.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1534492530.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: Payload.exe, 00000008.00000002.2582405838.00007FFB18B80000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1534637312.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1524126722.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1536150494.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1520245423.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1529285605.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1523845563.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: Payload.exe, 00000008.00000002.2580291866.00007FFB167AC000.00000002.00000001.01000000.0000000C.sdmp, Payload.exe, 00000011.00000003.1516792514.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1525585820.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1521263500.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1534492530.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1536150494.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\pywintypes.pdb** source: Payload.exe, 00000008.00000002.2574029356.00007FFB0BD60000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1522056736.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1528209831.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: Payload.exe, 00000011.00000003.1527988559.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1523845563.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\pythoncom.pdb source: Payload.exe, 00000008.00000002.2573645339.00007FFB0BCFC000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: Payload.exe, 00000008.00000002.2586406348.00007FFB1CD26000.00000002.00000001.01000000.00000019.sdmp, Payload.exe, 00000011.00000003.1517294731.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1535485925.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Payload.exe, 00000008.00000002.2582941373.00007FFB1AB11000.00000002.00000001.01000000.00000007.sdmp, Payload.exe, 00000011.00000003.1514810535.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: Payload.exe, 00000011.00000003.1522902662.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1526919786.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1536045528.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: Payload.exe, 00000011.00000003.1524827877.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1520542882.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1522624454.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdbGCTL source: Payload.exe, 00000011.00000003.1522902662.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: Payload.exe, 00000008.00000002.2587231264.00007FFB1D893000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1523524331.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1535485925.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1525976493.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1520245423.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1535758153.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1536245243.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: Payload.exe, 00000008.00000002.2564873676.00007FFB0A802000.00000002.00000001.01000000.0000003E.sdmp, Payload.exe, 00000011.00000003.1518557370.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1527613096.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1522448538.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\pywintypes.pdb source: Payload.exe, 00000008.00000002.2574029356.00007FFB0BD60000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1525976493.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: Payload.exe, 00000008.00000002.2572843995.00007FFB0BBF5000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1534844534.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1536045528.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: Payload.exe, 00000008.00000002.2573110108.00007FFB0BC4D000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\win32api.pdb source: Payload.exe, 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1534939724.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1523190235.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: Payload.exe, 00000008.00000002.2572031863.00007FFB0BA12000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1535938916.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: Payload.exe, 00000008.00000002.2582941373.00007FFB1AB11000.00000002.00000001.01000000.00000007.sdmp, Payload.exe, 00000011.00000003.1514810535.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: Payload.exe, 00000011.00000003.1516984010.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1530656784.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1527613096.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1522273413.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1535122836.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1522056736.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: Payload.exe, 00000008.00000002.2570926051.00007FFB0B637000.00000002.00000001.01000000.0000001B.sdmp, Payload.exe, 00000011.00000003.1516620675.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1520906605.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1524126722.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: Payload.exe, 00000008.00000002.2571115541.00007FFB0B657000.00000002.00000001.01000000.00000018.sdmp, Payload.exe, 00000011.00000003.1515234510.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1521263500.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdbGCTL source: Payload.exe, 00000011.00000003.1527988559.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: Payload.exe, 00000008.00000002.2574311367.00007FFB0BDA2000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1535758153.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1534133545.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1530656784.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1520339980.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: Payload.exe, 00000008.00000002.2581443924.00007FFB174CD000.00000002.00000001.01000000.0000000B.sdmp, Payload.exe, 00000011.00000003.1515744136.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1520906605.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: Payload.exe, 00000008.00000002.2579822024.00007FFB0C461000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: Payload.exe, 00000008.00000002.2574578235.00007FFB0BDC8000.00000002.00000001.01000000.0000000D.sdmp, Payload.exe, 00000011.00000003.1517669281.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cryptography_rust.pdb source: Payload.exe, 00000008.00000002.2567377200.00007FFB0AE9A000.00000002.00000001.01000000.00000036.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: Payload.exe, 00000008.00000002.2586691438.00007FFB1D345000.00000002.00000001.01000000.00000012.sdmp, Payload.exe, 00000011.00000003.1515059516.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1534133545.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1535938916.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: Payload.exe, 00000008.00000002.2569547141.00007FFB0B360000.00000002.00000001.01000000.0000001E.sdmp, Payload.exe, 00000012.00000002.2570327513.00007FFB099B0000.00000002.00000001.01000000.0000006D.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.11 19 Sep 20233.0.11built on: Wed Sep 27 22:33:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_push_octet_ptrOSSL_PARAM_BLD_to_param..\s\crypto\params.c source: Payload.exe, 00000008.00000002.2572031863.00007FFB0BA12000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: crypto\bn\bn_ctx.cBN_CTX_startBN_CTX_getossl_ec_group_new_excrypto\ec\ec_lib.cEC_GROUP_copyEC_GROUP_set_generatorEC_GROUP_set_curveEC_GROUP_get_curveEC_GROUP_get_degreeEC_GROUP_check_discriminantEC_POINT_newEC_POINT_copyEC_POINT_set_to_infinityEC_POINT_set_Jprojective_coordinates_GFpEC_POINT_set_affine_coordinatesEC_POINT_get_affine_coordinatesEC_POINT_addEC_POINT_dblEC_POINT_invertEC_POINT_is_at_infinityEC_POINT_is_on_curveEC_POINT_cmpEC_POINT_mulEC_GROUP_get_trinomial_basisEC_GROUP_get_pentanomial_basisgroup_new_from_nameossl_ec_group_set_paramsencodingdecoded-from-explicitEC_GROUP_new_from_paramsgeneratorcrypto\evp\digest.cevp_md_ctx_new_exevp_md_ctx_free_algctxevp_md_init_internalEVP_DigestUpdatesizeEVP_DigestFinal_exassertion failed: mdsize <= EVP_MAX_MD_SIZEEVP_DigestFinalXOFxoflenEVP_MD_CTX_copy_exEVP_MD_CTX_ctrlmicalgssl3-msblocksizexofalgid-absentevp_md_from_algorithmupdatecrypto\evp\m_sigver.cUNDEFdo_sigver_initEVP_DigestSignUpdateEVP_DigestVerifyUpdateEVP_DigestSignFinalEVP_DigestSignEVP_DigestVerifyFinalEVP_DigestVerifycompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"3.3.2built on: Fri Oct 18 00:15:00 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availablecrypto\init.cOPENSSL_init_cryptocrypto\bio\bio_lib.cBIO_new_exbio_read_internbio_write_internBIO_sendmmsgBIO_recvmmsgBIO_putsBIO_getsBIO_get_line BIO_ctrlBIO_callback_ctrlBIO_find_type source: Payload.exe, 00000008.00000002.2567377200.00007FFB0AE9A000.00000002.00000001.01000000.00000036.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdbGCTL source: Payload.exe, 00000011.00000003.1521477292.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1525585820.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1520339980.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1533971013.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\win32api.pdb!! source: Payload.exe, 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: Payload.exe, 00000008.00000002.2569256358.00007FFB0B20E000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1535122836.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1522448538.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python311.pdb source: Payload.exe, 00000008.00000002.2575133612.00007FFB0C15B000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1534939724.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1536245243.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1529285605.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1526919786.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbEE source: Payload.exe, 00000008.00000002.2572843995.00007FFB0BBF5000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: Payload.exe, 00000011.00000003.1521838312.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: Payload.exe, 00000008.00000002.2580291866.00007FFB167AC000.00000002.00000001.01000000.0000000C.sdmp, Payload.exe, 00000011.00000003.1516792514.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: Payload.exe, 00000011.00000003.1522624454.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: Payload.exe, 00000008.00000002.2586956857.00007FFB1D5B3000.00000002.00000001.01000000.00000010.sdmp, Payload.exe, 00000011.00000003.1517465555.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1523524331.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1535857657.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\pythoncom.pdb}},GCTL source: Payload.exe, 00000008.00000002.2573645339.00007FFB0BCFC000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: Payload.exe, 00000008.00000002.2588569490.00007FFB1E67E000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: Payload.exe, 00000011.00000003.1524827877.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: Payload.exe, 00000008.00000002.2540131598.00000208142F0000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: Payload.exe, 00000011.00000003.1533971013.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp

Source: Payload.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Payload.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Payload.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Payload.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Payload.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: api-ms-win-core-console-l1-1-0.dll.4.dr

Static PE information: 0x975A648E [Sun Jun 19 20:33:18 2050 UTC]

Source: C:\Users\user\Desktop\Payload.exe

Code function: 8_2_00007FFB0BC7ED20 ?PyWinGlobals_Ensure@@YAHXZ,PyModule_Create2,PyModule_GetDict,?PyWinExc_ApiError@@3PEAU_object@@EA,PyDict_SetItemString,PyLong_FromLong,PyDict_SetItemString,PyLong_FromLong,PyDict_SetItemString,PyLong_FromLong,PyDict_SetItemString,PyType_Ready,PyDict_SetItemString,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,GetModuleHandleW,LoadLibraryExW,GetProcAddressForCaller,GetProcAddress,GetModuleHandleW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

8_2_00007FFB0BC7ED20

Source: libcrypto-3.dll.4.dr	Static PE information: section name: .00cfg
Source: libssl-3.dll.4.dr	Static PE information: section name: .00cfg
Source: python311.dll.4.dr	Static PE information: section name: PyRuntim
Source: mfc140u.dll.4.dr	Static PE information: section name: .didat
Source: VCRUNTIME140.dll.4.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08DC9913 push rcx; retn 0000h		18_2_00007FFB08DC9914
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08DC900D push rdi; retf		18_2_00007FFB08DC900E

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\Desktop\Payload.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, \\.\PhysicalDrive%d	8_2_00007FFB0B082B00
Source: C:\Users\user\Desktop\Payload.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, PhysicalDrive%i	8_2_00007FFB0B082B00
Source: C:\Users\user\Desktop\Payload.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, DeviceIoControl -> ERROR_INVALID_FUNCTION; ignore PhysicalDrive%i	8_2_00007FFB0B082B00
Source: C:\Users\user\Desktop\Payload.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, DeviceIoControl -> ERROR_NOT_SUPPORTED; ignore PhysicalDrive%i	8_2_00007FFB0B082B00

Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\PublicKey\_curve25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\_cffi_backend.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\aiohttp\_websocket.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\lz4\block\_block.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\_cffi_backend.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\win32com\shell\shell.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\lz4\_version.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\charset_normalizer\md.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\multidict\_multidict.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\aiohttp\_websocket.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\aiohttp\_helpers.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\_brotli.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\charset_normalizer\md__mypyc.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\PublicKey\_curve448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\win32com\shell\shell.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\aiohttp\_http_parser.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\charset_normalizer\md__mypyc.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\aiohttp\_http_parser.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\multidict\_multidict.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\yarl\_quoting_c.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\python311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\PublicKey\_curve25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\yarl\_quoting_c.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\pywin32_system32\pythoncom311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\lz4\_version.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\pywin32_system32\pythoncom311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\charset_normalizer\md.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\propcache\_helpers_c.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\PublicKey\_curve448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\aiohttp\_http_writer.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\_brotli.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\lz4\block\_block.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\pywin32_system32\pywintypes311.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\aiohttp\_http_writer.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\python311.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\frozenlist\_frozenlist.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\frozenlist\_frozenlist.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\pywin32_system32\pywintypes311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\aiohttp\_helpers.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\propcache\_helpers_c.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\Desktop\Payload.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, \\.\PhysicalDrive%d	8_2_00007FFB0B082B00
Source: C:\Users\user\Desktop\Payload.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, PhysicalDrive%i	8_2_00007FFB0B082B00
Source: C:\Users\user\Desktop\Payload.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, DeviceIoControl -> ERROR_INVALID_FUNCTION; ignore PhysicalDrive%i	8_2_00007FFB0B082B00
Source: C:\Users\user\Desktop\Payload.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, DeviceIoControl -> ERROR_NOT_SUPPORTED; ignore PhysicalDrive%i	8_2_00007FFB0B082B00

Drops PE files to the startup folder

Source: C:\Users\user\Desktop\Payload.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Payload.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe

Jump to behavior

Source: C:\Users\user\Desktop\Payload.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe

Jump to behavior

Source: C:\Users\user\Desktop\Payload.exe

Code function: 8_2_00007FFB0B088B10 PyArg_ParseTuple,StartServiceA,CloseServiceHandle,CloseServiceHandle,_Py_NoneStruct,_Py_NoneStruct,

8_2_00007FFB0B088B10

Source: C:\Users\user\Desktop\Payload.exe

Code function: 4_2_00007FF6988176C0 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

4_2_00007FF6988176C0

Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Payload.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXE
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: QEMU-GA.EXE
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMUSRVC.EXE
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXEIL-L1-1-0.DLL
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: XENSERVICE.EXE
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE

Source: C:\Users\user\Desktop\Payload.exe

Code function: PyList_New,OpenSCManagerA,GetLastError,PyErr_SetFromWindowsErrWithFilename,EnumServicesStatusExW,GetLastError,free,malloc,EnumServicesStatusExW,PyUnicode_FromWideChar,PyUnicode_FromWideChar,Py_BuildValue,PyList_Append,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,CloseServiceHandle,free,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,CloseServiceHandle,free,

8_2_00007FFB0B0881E0

Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\PublicKey\_curve25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\_cffi_backend.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\aiohttp\_websocket.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\lz4\block\_block.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\_cffi_backend.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\win32com\shell\shell.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\lz4\_version.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\charset_normalizer\md.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\multidict\_multidict.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\aiohttp\_websocket.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\aiohttp\_helpers.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\_brotli.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\charset_normalizer\md__mypyc.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\PublicKey\_curve448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\win32com\shell\shell.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\aiohttp\_http_parser.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\charset_normalizer\md__mypyc.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\aiohttp\_http_parser.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\multidict\_multidict.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\yarl\_quoting_c.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\python311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\PublicKey\_curve25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\yarl\_quoting_c.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\pywin32_system32\pythoncom311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\lz4\_version.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\pywin32_system32\pythoncom311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\propcache\_helpers_c.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\charset_normalizer\md.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\PublicKey\_curve448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\aiohttp\_http_writer.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\_brotli.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\lz4\block\_block.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\pywin32_system32\pywintypes311.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\aiohttp\_http_writer.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\python311.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\frozenlist\_frozenlist.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\frozenlist\_frozenlist.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\pywin32_system32\pywintypes311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\aiohttp\_helpers.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\propcache\_helpers_c.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\Payload.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_4-17676

Source: C:\Users\user\Desktop\Payload.exe	API coverage: 2.7 %
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	API coverage: 1.1 %

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Users\user\Desktop\Payload.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF698819280 FindFirstFileExW,FindClose,	4_2_00007FF698819280
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF6988183C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	4_2_00007FF6988183C0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF698831874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	4_2_00007FF698831874
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF698819280 FindFirstFileExW,FindClose,	8_2_00007FF698819280
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF6988183C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	8_2_00007FF6988183C0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF698831874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	8_2_00007FF698831874
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB49280 FindFirstFileExW,FindClose,	17_2_00007FF74DB49280
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB61874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	17_2_00007FF74DB61874
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB483C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	17_2_00007FF74DB483C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB49280 FindFirstFileExW,FindClose,	18_2_00007FF74DB49280
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB61874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	18_2_00007FF74DB61874
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB483C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	18_2_00007FF74DB483C0

Source: C:\Users\user\Desktop\Payload.exe

8_2_00007FFB0B082E70

Source: C:\Users\user\Desktop\Payload.exe

Code function: 8_2_00007FFB0B0818C0 PyModule_Create2,getenv,RtlGetVersion,GetSystemInfo,InitializeCriticalSection,PyModule_GetState,PyErr_NewException,_Py_Dealloc,PyErr_NewException,PyModule_AddObject,PyErr_NewException,PyModule_AddObject,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,

8_2_00007FFB0B0818C0

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxtray.exe
Source: Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware
Source: Payload.exe, 00000011.00000003.1537143575.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: System32\vmGuestLib.dll
Source: Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwaretray.exe
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmusrvc.exe
Source: Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMwareTray.exe
Source: Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmtoolsd.exe
Source: Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMwareService.exe
Source: Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareuser
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: qemu-ga.exe
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: System32\vmGuestLib.dll-info
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxmrxnp.dll
Source: Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware_dll
Source: Payload.exe, 00000008.00000003.1332958855.0000020814B0D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2541700662.0000020814ACD000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1336798727.0000020814ACD000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1335718562.0000020814ACD000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1338593436.0000020814ACD000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1334122952.0000020814B0C000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1334911075.0000020814B0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllLc
Source: Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmsrvc.exe
Source: Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxservice.exe

Source: C:\Windows\System32\wbem\WMIC.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Payload.exe

Code function: 4_2_00007FF69882A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_00007FF69882A614

Source: C:\Users\user\Desktop\Payload.exe

8_2_00007FFB0BC7ED20

Source: C:\Users\user\Desktop\Payload.exe

Code function: 4_2_00007FF698833480 GetProcessHeap,

4_2_00007FF698833480

Source: C:\Users\user\Desktop\Payload.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF69881D30C SetUnhandledExceptionFilter,	4_2_00007FF69881D30C
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF69882A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00007FF69882A614
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF69881D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00007FF69881D12C
Source: C:\Users\user\Desktop\Payload.exe	Code function: 4_2_00007FF69881C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00007FF69881C8A0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF69881D30C SetUnhandledExceptionFilter,	8_2_00007FF69881D30C
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF69882A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF69882A614
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF69881D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF69881D12C
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FF69881C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FF69881C8A0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A661390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FFB0A661390
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A661960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FFB0A661960
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A681390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FFB0A681390
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A681960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FFB0A681960
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A691390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FFB0A691390
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A691960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FFB0A691960
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A6B1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FFB0A6B1390
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A6B1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FFB0A6B1960
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A6C1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FFB0A6C1390
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A6C1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FFB0A6C1960
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A6D1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FFB0A6D1390
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A6D1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FFB0A6D1960
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A6E1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FFB0A6E1390
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A6E1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FFB0A6E1960
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A815620 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FFB0A815620
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A815060 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FFB0A815060
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A897D20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FFB0A897D20
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A8982E0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FFB0A8982E0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A8BC750 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FFB0A8BC750
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A8BC190 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FFB0A8BC190
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A8F6460 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FFB0A8F6460
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0A8F5EA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FFB0A8F5EA0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B08A0C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FFB0B08A0C0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B08A9E8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FFB0B08A9E8
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B0B1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FFB0B0B1960
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B0B1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FFB0B0B1390
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B20CAF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FFB0B20CAF0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B253058 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FFB0B253058
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0B252A90 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FFB0B252A90
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0BC817E8 SetUnhandledExceptionFilter,	8_2_00007FFB0BC817E8
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0BC81600 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FFB0BC81600
Source: C:\Users\user\Desktop\Payload.exe	Code function: 8_2_00007FFB0BC809FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FFB0BC809FC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB5A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_00007FF74DB5A614
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB4C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	17_2_00007FF74DB4C8A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB4D30C SetUnhandledExceptionFilter,	17_2_00007FF74DB4D30C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 17_2_00007FF74DB4D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_00007FF74DB4D12C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB5A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00007FF74DB5A614
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB4C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_00007FF74DB4C8A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB4D30C SetUnhandledExceptionFilter,	18_2_00007FF74DB4D30C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FF74DB4D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00007FF74DB4D12C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08CB1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00007FFB08CB1960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08CB1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_00007FFB08CB1390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08CC1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00007FFB08CC1960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08CC1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_00007FFB08CC1390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08CF1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00007FFB08CF1960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08CF1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_00007FFB08CF1390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08D21390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_00007FFB08D21390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08D21960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00007FFB08D21960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08D41390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_00007FFB08D41390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08D41960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00007FFB08D41960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08D71390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_00007FFB08D71390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08D71960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00007FFB08D71960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08D91390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_00007FFB08D91390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08D91960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00007FFB08D91960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08DA1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_00007FFB08DA1390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08DA1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00007FFB08DA1960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08DCEF80 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00007FFB08DCEF80
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08DCE9C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_00007FFB08DCE9C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08E9C190 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_00007FFB08E9C190
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08E9C750 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00007FFB08E9C750
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08EC0E90 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_00007FFB08EC0E90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08EC1450 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00007FFB08EC1450
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08ED6460 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00007FFB08ED6460
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB08ED5EA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_00007FFB08ED5EA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB09681390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_00007FFB09681390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB09681960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00007FFB09681960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB09691390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_00007FFB09691390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB09691960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00007FFB09691960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB0985CAF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_00007FFB0985CAF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB098A3058 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00007FFB098A3058
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB098A2A90 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_00007FFB098A2A90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB0A5B1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_00007FFB0A5B1390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB0A5B1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00007FFB0A5B1960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB0A5D1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_00007FFB0A5D1390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB0A5D1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00007FFB0A5D1960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB0A5E1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_00007FFB0A5E1390
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB0A5E1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00007FFB0A5E1960
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB0A63FE90 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00007FFB0A63FE90
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB0A63F8C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_00007FFB0A63F8C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB0B4813F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_00007FFB0B4813F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 18_2_00007FFB0B4819C0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00007FFB0B4819C0

Source: C:\Users\user\Desktop\Payload.exe

Code function: 8_2_00007FFB0BC7D9C0 _PyArg_ParseTuple_SizeT,PyEval_SaveThread,keybd_event,PyEval_RestoreThread,_Py_NoneStruct,_Py_NoneStruct,

8_2_00007FFB0BC7D9C0

Source: C:\Users\user\Desktop\Payload.exe

Code function: 8_2_00007FFB0BC7DA60 _PyArg_ParseTuple_SizeT,PyEval_SaveThread,mouse_event,PyEval_RestoreThread,_Py_NoneStruct,_Py_NoneStruct,

8_2_00007FFB0BC7DA60

Source: C:\Users\user\Desktop\Payload.exe	Process created: C:\Users\user\Desktop\Payload.exe "C:\Users\user\Desktop\Payload.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

Source: C:\Users\user\Desktop\Payload.exe

Code function: 4_2_00007FF698839570 cpuid

4_2_00007FF698839570

Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Util VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Util VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\aiohttp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\attrs-24.2.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\attrs-24.2.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\attrs-24.2.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\cryptography-43.0.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\cryptography-43.0.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\cryptography-43.0.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\cryptography-43.0.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\cryptography-43.0.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\cryptography-43.0.3.dist-info\license_files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\lz4-4.3.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\lz4-4.3.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\lz4-4.3.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\lz4-4.3.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\lz4 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\ucrtbase.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\aiohttp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-console-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-debug-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-errorhandling-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-file-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-file-l1-2-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-file-l2-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-handle-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-heap-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-interlocked-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-libraryloader-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-memory-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-processthreads-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-processthreads-l1-1-1.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-rtlsupport-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-math-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\attrs-24.2.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\libssl-3.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\sqlite3.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\_multiprocessing.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\_sqlite3.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\pyexpat.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\pywin32_system32\pywintypes311.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\pywin32_system32\pythoncom311.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\win32com VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\win32com VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\win32com VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\win32com VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70282 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Payload.exe

Code function: 4_2_00007FF69881D010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

4_2_00007FF69881D010

Source: C:\Users\user\Desktop\Payload.exe

Code function: 4_2_00007FF698835C00 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

4_2_00007FF698835C00

Source: C:\Users\user\Desktop\Payload.exe

8_2_00007FFB0B0818C0

Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: wireshark.exe
Source: Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ollydbg.exe

Stealing of Sensitive Information

Yara detected BLX Stealer

Source: Yara match	File source: 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payload.exe PID: 7372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payload.exe PID: 7884, type: MEMORYSTR

Yara detected XLABB Grabber

Source: Yara match	File source: 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payload.exe PID: 7372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payload.exe PID: 7884, type: MEMORYSTR

Yara detected Generic Python Stealer

Source: Yara match

File source: Process Memory Space: Payload.exe PID: 7372, type: MEMORYSTR

Source: Yara match

File source: Process Memory Space: Payload.exe PID: 7372, type: MEMORYSTR

Remote Access Functionality

Yara detected BLX Stealer

Source: Yara match	File source: 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payload.exe PID: 7372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payload.exe PID: 7884, type: MEMORYSTR

Yara detected XLABB Grabber

Source: Yara match	File source: 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payload.exe PID: 7372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payload.exe PID: 7884, type: MEMORYSTR

Yara detected Generic Python Stealer

Source: Yara match

File source: Process Memory Space: Payload.exe PID: 7372, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	11 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	1 Windows Service	1 Access Token Manipulation	2 Obfuscated Files or Information	LSASS Memory	1 System Service Discovery	Remote Desktop Protocol	11 Input Capture	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	12 Registry Run Keys / Startup Folder	1 Windows Service	1 Timestomp	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Bootkit	11 Process Injection	1 DLL Side-Loading	NTDS	36 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Registry Run Keys / Startup Folder	1 Masquerading	LSA Secrets	251 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Virtualization/Sandbox Evasion	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Bootkit	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payload.exe	58%	ReversingLabs	Win64.Trojan.PyngoStealerMarte
Payload.exe	100%	Avira	OSX/GM.ReverseShe.TH

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_ARC4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_Salsa20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_chacha20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_pkcs1_decode.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_aes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_aesni.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_arc2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_blowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_cast.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_cbc.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_cfb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_ctr.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_des.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_des3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_ecb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_eksblowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_ocb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_ofb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_BLAKE2b.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_BLAKE2s.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_MD2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_MD4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_MD5.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_RIPEMD160.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_SHA1.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_SHA224.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_SHA256.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_SHA384.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_SHA512.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_ghash_clmul.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_ghash_portable.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_keccak.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_poly1305.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Math\_modexp.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Protocol\_scrypt.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\PublicKey\_curve25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\PublicKey\_curve448.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\PublicKey\_ec_ws.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\PublicKey\_ed25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\PublicKey\_ed448.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Util\_cpuid_c.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Util\_strxor.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_ARC4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_Salsa20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_chacha20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_pkcs1_decode.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_aes.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label
http://repository.swisssign.com/d	0%	Avira URL Cloud	safe
https://api.myip.comot-info	0%	Avira URL Cloud	safe
https://lz4.github.io/lz4/	0%	Avira URL Cloud	safe
https://docs.aiohttp.org/en/stable/client_advanced.html#client-tracing	0%	Avira URL Cloud	safe
http://python-lz4.readthedocs.io/en/stable/	0%	Avira URL Cloud	safe
https://superfurrycdn.nl/copy/	0%	Avira URL Cloud	safe
https://127.0.0.1:8443	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.12.205	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://discord.com/channels/	Payload.exe, 00000008.00000002.2550962626.0000020818670000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl)	Payload.exe, 00000008.00000002.2544318194.0000020815B9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/issues/8996	Payload.exe, 00000008.00000002.2567377200.00007FFB0AE9A000.00000002.00000001.01000000.00000036.sdmp	false		high
https://github.com/giampaolo/psutil/issues/875.	Payload.exe, 00000008.00000002.2546925831.0000020816AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python-attrs/attrs/issues/251	Payload.exe, 00000008.00000002.2541700662.0000020814A51000.00000004.00000020.00020000.00000000.sdmp	false		high
https://coinbase.com)	Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	false		high
https://i.scdn.co/image/	Payload.exe, 00000008.00000002.2550962626.0000020818670000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.ipify.org/2	Payload.exe, 00000008.00000002.2552484640.0000020818B90000.00000004.00001000.00020000.00000000.sdmp	false		high
https://discord.com/developers/applications/	Payload.exe, 00000008.00000002.2550815163.0000020818570000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/aio-libs/aiohttp/discussions/6044	Payload.exe, 00000008.00000002.2547500969.0000020816DD2000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2544659093.0000020815E34000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tiktok.com)	Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	false		high
http://docs.python.org/library/unittest.html	Payload.exe, 00000008.00000002.2543636227.000002081597E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://python.org	Payload.exe, 00000008.00000002.2547500969.0000020816DD2000.00000004.00001000.00020000.00000000.sdmp	false		high
https://discord.com)	Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	Payload.exe, 00000008.00000003.1328832680.0000020812B10000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2541346923.00000208147B0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1330982188.0000020812B0B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2539508952.0000020812AAA000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1318729017.00000208147B5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.discordapp.com/attachments/1207404349177724988/1247483882857828352/Picsart_24-06-04_12-3	Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/sponsors/hynek	Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	false		high
https://discord.com/api/v	Payload.exe, 00000008.00000002.2550815163.0000020818570000.00000004.00001000.00020000.00000000.sdmp	false		high
http://goo.gl/zeJZl.	Payload.exe, 00000008.00000002.2546925831.0000020816AF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.apache.org/licenses/LICENSE-2.0	Payload.exe, 00000011.00000003.1537969005.000002BE1CC65000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1537899190.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1537899190.000002BE1CC64000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	Payload.exe, 00000008.00000003.1335718562.0000020814A62000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1336282130.0000020814A62000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2541700662.0000020814A51000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1334911075.0000020814A62000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1338593436.0000020814A51000.00000004.00000020.00020000.00000000.sdmp	false		high
https://paypal.com)	Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/pypa/packaging	Payload.exe, 00000008.00000002.2543028313.00000208153C0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2543419271.0000020815700000.00000004.00001000.00020000.00000000.sdmp	false		high
https://tidelift.com/?utm_source=lifter&utm_medium=referral&utm_campaign=hynek).	Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536501072.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536410016.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.opensource.org/licenses/mit-license.php	Payload.exe, 00000008.00000002.2546925831.0000020816AF0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2549029984.0000020817159000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/d	Payload.exe, 00000008.00000002.2542221738.0000020815078000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://refspecs.linuxfoundation.org/elf/gabi4	Payload.exe, 00000008.00000002.2543028313.00000208153C0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2543530378.0000020815800000.00000004.00001000.00020000.00000000.sdmp	false		high
https://xbox.com)	Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	Payload.exe, 00000008.00000002.2545795180.0000020816400000.00000004.00001000.00020000.00000000.sdmp	false		high
https://youtube.com)	Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python-attrs/attrs/issues/136	Payload.exe, 00000008.00000002.2543636227.0000020815ADD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc3610	Payload.exe, 00000008.00000002.2544659093.0000020815E34000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2549029984.00000208171C7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2542221738.0000020815078000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl	Payload.exe, 00000008.00000002.2544582073.0000020815D99000.00000004.00000020.00020000.00000000.sdmp	false		high
http://curl.haxx.se/rfc/cookie_spec.html	Payload.exe, 00000008.00000002.2546049330.0000020816610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode	Payload.exe, 00000008.00000002.2545795180.0000020816400000.00000004.00001000.00020000.00000000.sdmp	false		high
https://packages.debian.org/sid/iputils-arping	Payload.exe, 00000008.00000002.2546471032.0000020816860000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2546731380.00000208169B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2546351538.000002298AF80000.00000004.00001000.00020000.00000000.sdmp	false		high
https://discord.com/oauth2/authorize?client_id=	Payload.exe, 00000008.00000002.2550661006.0000020818120000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.myip.comot-info	Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://superfurrycdn.nl/copy/	Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename	Payload.exe, 00000008.00000002.2540459645.0000020814370000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1318729017.00000208147B5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	false		high
https://crunchyroll.com)	Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python-attrs/attrs/issues/1330)	Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536501072.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536410016.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lz4.github.io/lz4/	Payload.exe, 00000011.00000003.1542266897.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.3	Payload.exe, 00000008.00000002.2544659093.0000020815E34000.00000004.00000020.00020000.00000000.sdmp	false		high
https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2	Payload.exe, 00000008.00000002.2544318194.0000020815BEB000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2544659093.0000020815E34000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/0m	Payload.exe, 00000008.00000002.2544318194.0000020815B9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	Payload.exe, 00000008.00000003.1328832680.0000020812B10000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2541346923.00000208147B0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1330982188.0000020812B0B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2539508952.0000020812AAA000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1318729017.00000208147B5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/issues/86361.	Payload.exe, 00000008.00000002.2541346923.00000208147D4000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1332066444.0000020814B35000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1332165732.0000020814AB4000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1332200340.0000020814B35000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1332234691.0000020814AC6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://mail.python.org/pipermail/python-dev/2012-June/120787.html.	Payload.exe, 00000008.00000002.2546731380.00000208169B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2546351538.000002298AF80000.00000004.00001000.00020000.00000000.sdmp	false		high
https://ebay.com)	Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	false		high
https://httpbin.org/	Payload.exe, 00000008.00000002.2542221738.0000020814DB0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.apache.org/licenses/	Payload.exe, 00000011.00000003.1537899190.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main	Payload.exe, 00000011.00000003.1537579625.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file	Payload.exe, 00000008.00000002.2567377200.00007FFB0AE9A000.00000002.00000001.01000000.00000036.sdmp	false		high
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	Payload.exe, 00000008.00000003.1334338316.0000020814EB4000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1334478633.0000020814EBA000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1334414261.000002081488C000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1334519553.0000020814EDA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module	Payload.exe, 00000008.00000002.2541048725.00000208145B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1318729017.00000208147B5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches	Payload.exe, 00000008.00000002.2540459645.0000020814370000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1318729017.00000208147B5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://filepreviews.io/	Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.attrs.org/en/stable/why.html#data-classes)	Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536501072.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000011.00000003.1536410016.000002BE1CC63000.00000004.00000020.00020000.00000000.sdmp	false		high
https://discord.com/api/webhooks/	Payload.exe, 00000008.00000002.2544659093.0000020815E34000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2551278709.0000020818870000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2542221738.0000020814DB0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://playstation.com)	Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	false		high
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	Payload.exe, 00000008.00000002.2542221738.0000020814F97000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2543636227.0000020815A66000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cryptography.io/en/latest/installation/	Payload.exe, 00000011.00000003.1537579625.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sellix.io)	Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	false		high
https://brew.sh	Payload.exe, 00000008.00000002.2543636227.0000020815A14000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/setuptools/issues/417#issuecomment-392298401	Payload.exe, 00000008.00000002.2542114919.0000020814CB0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://python-lz4.readthedocs.io/en/stable/	Payload.exe, 00000011.00000003.1542266897.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wiki.debian.org/XDGBaseDirectorySpecification#state	Payload.exe, 00000008.00000002.2541346923.00000208147D4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl	Payload.exe, 00000008.00000002.2542221738.0000020814DB0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/	Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	Payload.exe, 00000008.00000002.2544582073.0000020815D99000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/rfc6125#section-6.4.3	Payload.exe, 00000008.00000002.2546049330.0000020816610000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.attrs.org/en/stable/changelog.html	Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.aiohttp.org/en/stable/client_advanced.html#client-tracing	Payload.exe, 00000008.00000002.2544659093.0000020815E34000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2545383208.0000020816078000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.variomedia.de/	Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cert.fnmt.es/dpcs/	Payload.exe, 00000008.00000002.2544582073.0000020815D99000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2543636227.0000020815AAA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google.com/mail	Payload.exe, 00000008.00000002.2543636227.000002081597E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/jaraco/jaraco.functools/issues/5	Payload.exe, 00000008.00000002.2542922126.00000208152B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2543530378.0000020815800000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/3290p2	Payload.exe, 00000008.00000002.2546049330.0000020816610000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.accv.es00	Payload.exe, 00000008.00000002.2544582073.0000020815D99000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	Payload.exe, 00000008.00000003.1334338316.0000020814EB4000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1334478633.0000020814EBA000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1334414261.000002081488C000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1334519553.0000020814EDA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.rfc-editor.org/info/rfc7253	Payload.exe, 00000008.00000002.2544318194.0000020815BEB000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2548486961.0000020817003000.00000004.00000020.00020000.00000000.sdmp	false		high
https://readthedocs.org/projects/python-lz4/	Payload.exe, 00000011.00000003.1542266897.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/issues	Payload.exe, 00000011.00000003.1537579625.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	Payload.exe, 00000008.00000002.2542221738.0000020814F97000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.attrs.org/	Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/lz4/lz4/blob/master/doc/lz4_Frame_format.md	Payload.exe, 00000011.00000003.1542266897.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp	false		high
http://html4/loose.dtd	Payload.exe, 00000008.00000002.2570352526.00007FFB0B3F5000.00000002.00000001.01000000.0000001A.sdmp	false		high
https://mahler:8092/site-updates.py	Payload.exe, 00000008.00000002.2544318194.0000020815BEB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cryptography.io/	Payload.exe, 00000011.00000003.1537579625.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.attrs.org/en/latest/glossary.html#term-dunder-methods)).	Payload.exe, 00000011.00000003.1536410016.000002BE1CC56000.00000004.00000020.00020000.00000000.sdmp	false		high
https://127.0.0.1:8443	Payload.exe, 00000008.00000002.2544318194.0000020815BEB000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2544659093.0000020815E34000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.firmaprofesional.com/cps0	Payload.exe, 00000008.00000002.2541700662.0000020814A51000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2544582073.0000020815D99000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/packagingI70282	Payload.exe, 00000008.00000002.2543028313.00000208153C0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2543419271.0000020815700000.00000004.00001000.00020000.00000000.sdmp	false		high
http://opensource.org/licenses/BSD-3-Clause	Payload.exe, 00000011.00000003.1542266897.000002BE1CC57000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/re.html#re.sub	Payload.exe, 00000008.00000002.2543028313.00000208153C0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000002.2543419271.0000020815700000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1341643779.00000208150F9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec	Payload.exe, 00000008.00000002.2541048725.00000208145B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000008.00000003.1318729017.00000208147B5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://netflix.com)	Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2920	Payload.exe, 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1555217
Start date and time:	2024-11-13 15:44:50 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payload.exe
Detection:	MAL
Classification:	mal92.troj.adwa.evad.winEXE@28/399@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 85% Number of executed functions: 75 Number of non-executed functions: 305
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: Payload.exe

Simulations

Behavior and APIs

Time	Type	Description
09:45:58	API Interceptor	2x Sleep call for process: WMIC.exe modified
15:45:59	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	Ransomware Mallox.exe	Get hash	malicious	Targeted Ransomware	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	api.ipify.org/
	perfcc.elf	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	hloRQZmlfg.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	https://www.canva.com/design/DAGOCNo1NUI/fm7sxEzJIeZ3v2miLpNZCw/view?utm_content=DAGOCNo1NUI&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	104.26.12.205
	setup7.0.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	DHL Delivery Invoice.com.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	fefbBqMKcU.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	yh5At5T1Zs.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	scan3762399_arleen@wcctxlaw.com.pdf	Get hash	malicious	Unknown	Browse	172.67.74.152
	x.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	104.26.13.205
	neworigin.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	104.26.13.205
	Booking_0731520.vbe	Get hash	malicious	AgentTesla	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://www.calameo.com/read/007794614fc42ee64ee87	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://software.oldversion.com/download.php?f=YTo1OntzOjQ6InRpbWUiO2k6MTczMTQ4OTAwMjtzOjI6ImlkIjtpOjEzODk4O3M6NDoiZmlsZSI7czo0MzoicGRmY3JlYXRvci0xLTYtMi1QREZDcmVhdG9yLTFfNl8yX3NldHVwLmV4ZSI7czozOiJ1cmwiO3M6NTA6Imh0dHA6Ly93d3cub2xkdmVyc2lvbi5jb20vd2luZG93cy9wZGZjcmVhdG9yLTEtNi0yIjtzOjQ6InBhc3MiO3M6MzI6IjMwYzExNzY3MTEwNWY3MjhjYjA0YzU2ZjkzYTc1YTRjIjt9	Get hash	malicious	Unknown	Browse	104.16.141.209
	https://wetransfer.com/downloads/dfae2da4024c0a427ba385707deb5ffa20240620022822/9659fc	Get hash	malicious	Unknown	Browse	104.26.1.90
	https://www.canva.com/design/DAGOCNo1NUI/fm7sxEzJIeZ3v2miLpNZCw/view?utm_content=DAGOCNo1NUI&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	104.16.103.112
	Item-RQF-9456786.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.0.123
	https://employeeportal.net-login.com/XejZPSm40VzZYQzhLVFQyelZtNXRraW5JL01GWGVMQmM4YndubzZZNlhhUVhCYmFYbU1Oc2NUWXZqYUJRejZvVThUT1ExM0xLdnk0OGFWb0JHN3BZaWkrQmxkN3lTTXE2ZUdJT213NHJzT3FrcUFuTW5yTVFmWHFFNzVhZUJUYVRCVGlnRVhNdEtWU252WHJkVWIxNnY4VS9rbXBIMitSbytpTm1QbWdJQndQNVorKytuZCtyNTJ3PS0tdWkyYjJhRTQwOGpzMkFjMS0tY0ZER1UyOFJzUW9xeXFBMW1INXRGQT09?cid=2276287906	Get hash	malicious	KnowBe4	Browse	104.18.90.62
	Company Profile_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	https://page-speed-2950.my.salesforce-sites.com/support	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://saas-agility-1324.my.salesforce-sites.com/support	Get hash	malicious	Unknown	Browse	104.17.25.14

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_Salsa20.pyd	Creal.exe	Get hash	malicious	Creal Stealer	Browse
	#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe	Get hash	malicious	Blank Grabber, Creal Stealer	Browse
	https://t.ly/Oppenheim0511	Get hash	malicious	GO Backdoor	Browse
	RobCheat.exe	Get hash	malicious	Python Stealer, CStealer	Browse
	SecuriteInfo.com.Trojan.PWS.Stealer.39881.9434.15338.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe	Get hash	malicious	Python Stealer, BLX Stealer, XLABB Grabber	Browse
	SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe	Get hash	malicious	Python Stealer, BLX Stealer, XLABB Grabber	Browse
	SecuriteInfo.com.Win64.Malware-gen.32485.11504.exe	Get hash	malicious	Python Stealer, Braodo	Browse
	grA6aqodO5.exe	Get hash	malicious	Python Stealer, CStealer	Browse
	oconsole.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_ARC4.pyd	Creal.exe	Get hash	malicious	Creal Stealer	Browse
	#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe	Get hash	malicious	Blank Grabber, Creal Stealer	Browse
	https://t.ly/Oppenheim0511	Get hash	malicious	GO Backdoor	Browse
	RobCheat.exe	Get hash	malicious	Python Stealer, CStealer	Browse
	SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe	Get hash	malicious	Python Stealer, BLX Stealer, XLABB Grabber	Browse
	SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe	Get hash	malicious	Python Stealer, BLX Stealer, XLABB Grabber	Browse
	SecuriteInfo.com.Win64.Malware-gen.32485.11504.exe	Get hash	malicious	Python Stealer, Braodo	Browse
	grA6aqodO5.exe	Get hash	malicious	Python Stealer, CStealer	Browse
	oconsole.exe	Get hash	malicious	Unknown	Browse
	oconsole.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_ARC4.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	4.640339306680604
Encrypted:	false
SSDEEP:	192:dLklddyTHThob0q/tJRrlDfNYSOcqgYCWt:ZgcdZq/JJD6gRWt
MD5:	BCD8CAAF9342AB891BB1D8DD45EF0098
SHA1:	EE7760BA0FF2548F25D764F000EFBB1332BE6D3E
SHA-256:	78725D2F55B7400A3FCAFECD35AF7AEB253FBC0FFCDF1903016EB0AABD1B4E50
SHA-512:	8B6FB53AECB514769985EBFDAB1B3C739024597D9C35905E04971D5422256546F7F169BF98F9BAF7D9F42A61CFF3EE7A20664989D3000773BF5EDA10CB3A0C24
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Creal.exe, Detection: malicious, Browse Filename: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: RobCheat.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Malware-gen.32485.11504.exe, Detection: malicious, Browse Filename: grA6aqodO5.exe, Detection: malicious, Browse Filename: oconsole.exe, Detection: malicious, Browse Filename: oconsole.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^J.6?$.6?$.6?$.?G..2?$.dJ%.4?$.}G%.5?$.6?%..?$.dJ!.<?$.dJ .>?$.dJ'.5?$..J,.7?$..J$.7?$..J..7?$..J&.7?$.Rich6?$.........................PE..d...Y..f.........." ................P........................................p............`..........................................'......0(..d....P.......@...............`..(....!...............................!..8............ ...............................text............................... ..`.rdata..Z.... ......................@..@.data...H....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......(..............@..@.reloc..(....`.......*..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_Salsa20.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.0194545642425075
Encrypted:	false
SSDEEP:	192:4t/1nCuqaL0kt7AznuRmceS4lDFhAlcqgcLg:F/k1ACln4lDogcLg
MD5:	F19CB847E567A31FAB97435536C7B783
SHA1:	4C8BFE404AF28C1781740E7767619A5E2D2FF2B7
SHA-256:	1ECE1DC94471D6977DBE2CEEBA3764ADF0625E2203D6257F7C781C619D2A3DAD
SHA-512:	382DC205F703FC3E1F072F17F58E321E1A65B86BE7D9D6B07F24A02A156308A7FEC9B1A621BA1F3428FD6BB413D14AE9ECB2A2C8DD62A7659776CFFDEBB6374C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Creal.exe, Detection: malicious, Browse Filename: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: RobCheat.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.PWS.Stealer.39881.9434.15338.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Malware-gen.32485.11504.exe, Detection: malicious, Browse Filename: grA6aqodO5.exe, Detection: malicious, Browse Filename: oconsole.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.j.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...Z..f.........." ................P.....................................................`..........................................8......H9..d....`.......P..L............p..(....1...............................1..8............0...............................text...h........................... ..`.rdata..r....0......................@..@.data...H....@.......,..............@....pdata..L....P......................@..@.rsrc........`.......2..............@..@.reloc..(....p.......4..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_chacha20.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.037456384995606
Encrypted:	false
SSDEEP:	192:st/1nCuqaL0ktPMn1ENe3erKr5br0YbsiDw6a9lkOcqgRGd:p/kpMIodrXbsiDS95gRGd
MD5:	DC14677EA8A8C933CC41F9CCF2BEDDC1
SHA1:	A6FB87E8F3540743097A467ABE0723247FDAF469
SHA-256:	68F081E96AE08617CF111B21EDED35C1774A5EF1223DF9A161C9445A78F25C73
SHA-512:	3ABA4CFCBBE4B350AB3230D488BD75186427E3AAAF38D19E0E1C7330F16795AD77FB6E26FF39AF29EAF4F5E8C42118CB680F90AFBFCA218AEDA64DC444675BA2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.j.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...Z..f.........." ................P.....................................................`......................................... 8.......8..d....`.......P..d............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......*..............@....pdata..d....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..(....p.......2..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_pkcs1_decode.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.09191874780435
Encrypted:	false
SSDEEP:	192:rMVsiXeqVb0lIb0Pj5Jdfpm68WZDInU282tacqgYLg:rM7ali0Pj5JxCaDuUlgYLg
MD5:	C09BB8A30F0F733C81C5C5A3DAD8D76D
SHA1:	46FD3BA87A32D12F4EE14601D1AD73B78EDC81D1
SHA-256:	8A1B751DB47CE7B1D3BD10BEBFFC7442BE4CFB398E96E3B1FF7FB83C88A8953D
SHA-512:	691AC74FAE930E9CEABE782567EFB99C50DD9B8AD607DD7F99A5C7DF2FA2BEB7EDFE2EBB7095A72DA0AE24E688FBABD340EAE8B646D5B8C394FEE8DDD5E60D31
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^:.6?T.6?T.6?T.?G..2?T.dJU.4?T.}GU.5?T.6?U..?T.dJQ.<?T.dJP.>?T.dJW.5?T..J\.7?T..JT.7?T..J..7?T..JV.7?T.Rich6?T.........................PE..d...X..f.........." ................P.....................................................`.........................................`8.......8..d....`.......P..(............p..(....1...............................1..8............0...............................text............................... ..`.rdata..6....0....... ..............@..@.data...x....@......................@....pdata..(....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..(....p.......6..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_aes.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	6.541423493519083
Encrypted:	false
SSDEEP:	384:f/UlZA5PUEllvxL/7v/iKBt5ByU0xGitqzSEkxGG7+tpKHb/LZ7fr52EkifcMxme:klcR7JriEbwDaS4j990th9VDBV
MD5:	0AB25F99CDAACA6B11F2ECBE8223CAD5
SHA1:	7A881B3F84EF39D97A31283DE6D7B7AE85C8BAE6
SHA-256:	6CE8A60D1AB5ADC186E23E3DE864D7ADF6BDD37E3B0C591FA910763C5C26AF60
SHA-512:	11E89EEF34398DF3B144A0303E08B3A4CAF41A9A8CA618C18135F561731F285F8CF821D81179C2C45F6EEB0E496D9DD3ECF6FF202A3C453C80AFEF8582D06C17
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^J.6?$.6?$.6?$.?G..2?$.dJ%.4?$.}G%.5?$.6?%..?$.dJ!.<?$.dJ .>?$.dJ'.5?$..J,.7?$..J$.7?$..J..7?$..J&.7?$.Rich6?$.........................PE..d...V..f.........." .....H...H......P.....................................................`.........................................p...........d...............................0......................................8............`...............................text...xG.......H.................. ..`.rdata.."6...`...8...L..............@..@.data...H...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..0...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_aesni.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.367749645917753
Encrypted:	false
SSDEEP:	192:YiJBj5fq/Rk0kPLhOZ3UucCWuSKPEkA2bD9JXx03cqg5YUMLgs:/k1kTMZEjCWNaA2DTx0g5YUMLg
MD5:	B6EA675C3A35CD6400A7ECF2FB9530D1
SHA1:	0E41751AA48108D7924B0A70A86031DDE799D7D6
SHA-256:	76EF4C1759B5553550AB652B84F8E158BA8F34F29FD090393815F06A1C1DC59D
SHA-512:	E31FD33E1ED6D4DA3957320250282CFD9EB3A64F12DE4BD2DFE3410F66725164D96B27CAA34C501D1A535A5A2442D5F070650FD3014B4B92624EE00F1C3F3197
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.z.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...V..f.........." ......... ......P.....................................................`..........................................9......$:..d....`.......P...............p..(....1...............................1..8............0.. ............................text............................... ..`.rdata.......0......."..............@..@.data...8....@.......2..............@....pdata.......P.......4..............@..@.rsrc........`.......8..............@..@.reloc..(....p.......:..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_arc2.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	5.41148259289073
Encrypted:	false
SSDEEP:	192:w3d9FkHaz0EJvrj+CYuz7ucc9dG7otDr22KcqgOiewZjW:YkHEJzj+X6769lDzagO/w
MD5:	F14E1AA2590D621BE8C10321B2C43132
SHA1:	FD84D11619DFFDF82C563E45B48F82099D9E3130
SHA-256:	FCE70B3DAFB39C6A4DB85D2D662CB9EB9C4861AA648AD7436E7F65663345D177
SHA-512:	A86B9DF163007277D26F2F732ECAB9DBCA8E860F8B5809784F46702D4CEA198824FDEF6AB98BA7DDC281E8791C10EABA002ABDA6F975323B36D5967E0443C1E4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...W..f.........." ....."... ......P.....................................................`.........................................pI.......J..d....p.......`..................(....B...............................B..8............@...............................text...( .......".................. ..`.rdata..<....@.......&..............@..@.data...H....P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..(............>..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_blowfish.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20992
Entropy (8bit):	6.041302713678401
Encrypted:	false
SSDEEP:	384:kUX0JfbRz5MLZA0nmwzMDYpJgLa0Mp8NDBcxgprAM:6NbRzWXwDqgLa1uBfP
MD5:	B127CAE435AEB8A2A37D2A1BC1C27282
SHA1:	2A7BF8BF7F24B2381370BA6B41FB640EE42BDCCD
SHA-256:	538B1253B5929254ED92129FA0957DB26CDDF34A8372BA0BF19D20D01549ADA3
SHA-512:	4FE027E46D5132CA63973C67BD5394F2AC74DD4BBCFE93CB16136FAB4B6BF67BECB5A0D4CA359FF9426DA63CA81F793BBF1B79C8A9D8372C53DCB5796D17367E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...W..f.........." .....$...0......P.....................................................`.........................................0Y.......Y..d............p..................0....Q...............................R..8............@...............................text....".......$.................. ..`.rdata.......@... ...(..............@..@.data...H....`.......H..............@....pdata.......p.......J..............@..@.rsrc................N..............@..@.reloc..0............P..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_cast.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	6.530656045206549
Encrypted:	false
SSDEEP:	384:cEDwUBi9SPu71omZXmrfXA+UA10ol31tuXVYdAgYj:FsUBXmoEXmrXA+NNxWFYfo
MD5:	2E15AA6F97ED618A3236CFA920988142
SHA1:	A9D556D54519D3E91FA19A936ED291A33C0D1141
SHA-256:	516C5EA47A7B9A166F2226ECBA79075F1A35EFFF14D87E00006B34496173BB78
SHA-512:	A6C75C4A285753CC94E45500E8DD6B6C7574FB7F610FF65667F1BEC8D8B413FC10514B7D62F196C2B8D017C308C5E19E2AEF918021FA81D0CB3D8CED37D8549A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.j.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...W..f.........." .....$...>............................................................`..........................................h.......i..d...............................0....a...............................a..8............@...............................text....#.......$.................. ..`.rdata..:-...@.......(..............@..@.data...H....p.......V..............@....pdata...............X..............@..@.rsrc................\..............@..@.reloc..0............^..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_cbc.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.7080156150187396
Encrypted:	false
SSDEEP:	192:lF/1n7Guqaj0ktfEJwX1fYwCODR3lncqg0Gd6l:RGXkJEm1feODxDg0Gd6
MD5:	40390F2113DC2A9D6CFAE7127F6BA329
SHA1:	9C886C33A20B3F76B37AA9B10A6954F3C8981772
SHA-256:	6BA9C910F755885E4D356C798A4DD32D2803EA4CFABB3D56165B3017D0491AE2
SHA-512:	617B963816838D649C212C5021D7D0C58839A85D4D33BBAF72C0EC6ECD98B609080E9E57AF06FA558FF302660619BE57CC974282826AB9F21AE0D80FBAA831A1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...X..f.........." ................P.....................................................`..........................................8.......8..d....`.......P..X............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..(....p......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_cfb.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	5.159963979391524
Encrypted:	false
SSDEEP:	192:kblRgfeqfz0RP767fB4A84DgVD6eDcqgzbkLgmf:BwRj67p84Dg6eVgzbkLgmf
MD5:	899895C0ED6830C4C9A3328CC7DF95B6
SHA1:	C02F14EBDA8B631195068266BA20E03210ABEABC
SHA-256:	18D568C7BE3E04F4E6026D12B09B1FA3FAE50FF29AC3DEAF861F3C181653E691
SHA-512:	0B4C50E40AF92BC9589668E13DF417244274F46F5A66E1FC7D1D59BC281969BA319305BECEA119385F01CC4603439E4B37AFA2CF90645425210848A02839E3E7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^..6?..6?..6?..?G..2?..dJ..4?..}G..5?..6?...?..dJ..<?..dJ..>?..dJ..5?...J..7?...J..7?...Jk.7?...J..7?..Rich6?..................PE..d...Y..f.........." ................P.....................................................`..........................................8......x9..d....`.......P..d............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......(..............@....pdata..d....P.......*..............@..@.rsrc........`......................@..@.reloc..(....p.......0..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_ctr.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.270418334522813
Encrypted:	false
SSDEEP:	192:vktJ1gifqQGRk0IP73AdXdmEEEEEm9uhiFEQayDZVMcqgnF6+6Lg:vkdU1ID3AdXd49urQPDggnUjLg
MD5:	C4C525B081F8A0927091178F5F2EE103
SHA1:	A1F17B5EA430ADE174D02ECC0B3CB79DBF619900
SHA-256:	4D86A90B2E20CDE099D6122C49A72BAE081F60EB2EEA0F76E740BE6C41DA6749
SHA-512:	7C06E3E6261427BC6E654B2B53518C7EAA5F860A47AE8E80DC3F8F0FED91E122CB2D4632188DC44123FB759749B5425F426CD1153A8F84485EF0491002B26555
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^z.6?..6?..6?..?G..2?..dJ..4?..}G..5?..6?...?..dJ..<?..dJ..>?..dJ..5?...J..7?...J..7?...J..7?...J..7?..Rich6?..........................PE..d...Y..f.........." ......... ......P.....................................................`.........................................`9.......:..d....`.......P...............p..(....1...............................1..8............0.. ............................text............................... ..`.rdata.......0....... ..............@..@.data........@.......0..............@....pdata.......P.......2..............@..@.rsrc........`.......6..............@..@.reloc..(....p.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_des.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	56832
Entropy (8bit):	4.231032526864278
Encrypted:	false
SSDEEP:	384:0qcmHBeNL1dO/qHkpnYcZiGKdZHDLY84vnKAnK2rZA21agVF:fEiqHHx4vZDV
MD5:	F9E266F763175B8F6FD4154275F8E2F0
SHA1:	8BE457700D58356BC2FA7390940611709A0E5473
SHA-256:	14D2799BE604CBDC668FDE8834A896EEE69DAE0E0D43B37289FCCBA35CEF29EC
SHA-512:	EB3E37A3C3FF8A65DEF6FA20941C8672A8197A41977E35AE2DC6551B5587B84C2703758320559F2C93C0531AD5C9D0F6C36EC5037669DC5CE78EB3367D89877B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........PK..1%..1%..1%..I...1%.D$..1%.I$..1%..1$..1%.D ..1%.D!..1%.D&..1%..D-..1%..D%..1%..D...1%..D'..1%.Rich.1%.........................PE..d...X..f.........." .....6...................................................0............`.................................................\...d...............l............ ..0... ...............................@...8............P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...H...........................@....pdata..l...........................@..@.rsrc...............................@..@.reloc..0.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_des3.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	4.252429732285762
Encrypted:	false
SSDEEP:	384:J4cmHBeIzNweVy/CHkRnYcZiGKdZHDLq80vnKAnKBrZGsURygUX:GEO6CHnX0vZb7
MD5:	DECF524B2D53FCD7D4FA726F00B3E5FC
SHA1:	E87C6ED4004F2772B888C5B5758AA75FE99D2F6F
SHA-256:	58F7053EE70467D3384C73F299C0DFD63EEF9744D61D1980D9D2518974CA92D4
SHA-512:	EAFF4FD80843743E61CE635FBADF4E5D9CF2C3E97F3C48350BD9E755F4423AC6867F9FE8746BD5C54E1402B18E8A55AEEF7ACA098C7CF4186DC4C1235EB35DF2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........PK..1%..1%..1%..I...1%.D$..1%.I$..1%..1$..1%.D ..1%.D!..1%.D&..1%..D-..1%..D%..1%..D...1%..D'..1%.Rich.1%.........................PE..d...X..f.........." .....8...................................................0............`.....................................................d............................ ..0... ...............................@...8............P...............................text...X7.......8.................. ..`.rdata......P.......<..............@..@.data...H...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..0.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_ecb.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.690163963718492
Encrypted:	false
SSDEEP:	192:Yddz2KTnThIz0qfteRY4zp+D3PLui8p1cqgHCWt:k2E9RqfCXp+D3juRpLgiWt
MD5:	80BB1E0E06ACAF03A0B1D4EF30D14BE7
SHA1:	B20CAC0D2F3CD803D98A2E8A25FBF65884B0B619
SHA-256:	5D1C2C60C4E571B88F27D4AE7D22494BED57D5EC91939E5716AFA3EA7F6871F6
SHA-512:	2A13AB6715B818AD62267AB51E55CD54714AEBF21EC9EA61C2AEFD56017DC84A6B360D024F8682A2E105582B9C5FE892ECEBD2BEF8A492279B19FFD84BC83FA5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@................../....../...../......+.......*......-......&....................,....Rich...........................PE..d...X..f.........." ................P........................................p............`.........................................0'.......'..P....P.......@...............`..(....!...............................!..8............ ...............................text............................... ..`.rdata....... ......................@..@.data...H....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..(....`.......&..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_eksblowfish.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	6.1215844022564285
Encrypted:	false
SSDEEP:	384:nUX0JfbRwUtPMbNv37t6K5jwbDEpJgLa0Mp8xCkgJrAm:jNbRw8EbxwKBwbD+gLa1nh
MD5:	3727271FE04ECB6D5E49E936095E95BC
SHA1:	46182698689A849A8C210A8BF571D5F574C6F5B1
SHA-256:	3AF5B35DCD5A3B6C7E88CEE53F355AAFFF40F2C21DABD4DE27DBB57D1A29B63B
SHA-512:	5BED1F4DF678FE90B8E3F1B7C4F68198463E579209B079CB4A40DCAC01CE26AA2417DBE029B196F6F2C6AFAD560E2D1AF9F089ABE37EAD121CA10EE69D9659ED
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...W..f.........." .....(...0......P.....................................................`.........................................0Y.......Y..d............p..................0....Q...............................R..8............@...............................text...H'.......(.................. ..`.rdata.......@... ...,..............@..@.data...H....`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..0............T..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_ocb.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	5.293810509074883
Encrypted:	false
SSDEEP:	384:4PHoDUntQjNB+/yw/pogeXOvXoTezczOo3p9iJgDQ3iNgnVbwhA:dUOhBcDRogeXOfoTezcio3pUJgDQ3i+
MD5:	78AEF441C9152A17DD4DC40C7CC9DF69
SHA1:	6BB6F8426AFA6522E647DFC82B1B64FAF3A9781F
SHA-256:	56E4E4B156295F1AAA22ECB5481841DE2A9EB84845A16E12A7C18C7C3B05B707
SHA-512:	27B27E77BE81B29D42359FE28531225383860BCD19A79044090C4EA58D9F98009A254BF63585979C60B3134D47B8233941ABB354A291F23C8641A4961FA33107
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...Y..f.........." .....(... ......P.....................................................`.........................................pI......lJ..d....p.......`..................(....A...............................A..8............@...............................text....'.......(.................. ..`.rdata.......@.......,..............@..@.data........P.......<..............@....pdata.......`.......>..............@..@.rsrc........p.......B..............@..@.reloc..(............D..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_ofb.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	4.862619033406922
Encrypted:	false
SSDEEP:	96:0Ga+F/1NtJ9t4udqaj01rlALnNNJSS2sP+YEdMN+F9FdKaWDULk+VOmWbucX6gR7:PF/1n7Guqaj0ktfEON+bMDUlJcqg0Gd
MD5:	19E0ABF76B274C12FF624A16713F4999
SHA1:	A4B370F556B925F7126BF87F70263D1705C3A0DB
SHA-256:	D9FDA05AE16C5387AB46DC728C6EDCE6A3D0A9E1ABDD7ACB8B32FC2A17BE6F13
SHA-512:	D03033EA5CF37641FBD802EBEB5019CAEF33C9A78E01519FEA88F87E773DCA92C80B74BA80429B530694DAD0BFA3F043A7104234C7C961E18D48019D90277C8E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...Y..f.........." ................P.....................................................`..........................................8.......8..d....`.......P..X............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......$..............@....pdata..X....P.......&..............@..@.rsrc........`.......*..............@..@.reloc..(....p.......,..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_BLAKE2b.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.227045547076371
Encrypted:	false
SSDEEP:	192:saF/1n7Guqaj0ktrE8o2o+V2rQnjt1wmg9jtveDn4clG6VcqgOvgdd:swGXkFE8Zo+AojO9jZeDf5rgOvgz
MD5:	309D6F6B0DD022EBD9214F445CAC7BB9
SHA1:	ABD22690B7AD77782CFC0D2393D0C038E16070B0
SHA-256:	4FBE188C20FB578D4B66349D50AA6FFE4AB86844FB6427C57738F36780D1E2E2
SHA-512:	D1951FE92F83E7774E8E877815BED6E6216D56EF18B7F1C369D678CB6E1814243659E9FA7ABC0D22FB5B34A9D50A51D5A89BA00AE1FDD32157FD0FF9902FB4B7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...U..f.........." ................P.....................................................`..........................................8.......9..d....`.......P..@............p..(....2...............................2..8............0...............................text...x........................... ..`.rdata.......0....... ..............@..@.data...H....@......................@....pdata..@....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..(....p.......6..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_BLAKE2s.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.176369829782773
Encrypted:	false
SSDEEP:	192:rF/1n7Guqaj0ktrESsrUW+SBjsK5tcQmEreD2mf1AoxkVcqgOvgXQ:rGXkFE/UW575tA2eDp1Ao2rgOvgX
MD5:	D54FEB9A270B212B0CCB1937C660678A
SHA1:	224259E5B684C7AC8D79464E51503D302390C5C9
SHA-256:	032B83F1003A796465255D9B246050A196488BAC1260F628913E536314AFDED4
SHA-512:	29955A6569CA6D039B35BB40C56AEEB75FC765600525D0B469F72C97945970A428951BAB4AF9CD21B3161D5BBA932F853778E2674CA83B14F7ABA009FA53566F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...U..f.........." ................P.....................................................`..........................................8.......9..d....`.......P..@............p..(....2...............................2..8............0...............................text...h........................... ..`.rdata.......0......................@..@.data...H....@.......,..............@....pdata..@....P......................@..@.rsrc........`.......2..............@..@.reloc..(....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_MD2.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.047563322651927
Encrypted:	false
SSDEEP:	384:6alCvH32p3/2pnEhKnLg9yH8puzoFaPERIQAvHD9CIg5kP:5CvHmp3OpnEhmLg9yH8puzoFaPERIQgI
MD5:	52DCD4151A9177CF685BE4DF48EA9606
SHA1:	F444A4A5CBAE9422B408420115F0D3FF973C9705
SHA-256:	D54375DC0652358A6E4E744F1A0EAEEAD87ACCD391A20D6FF324FE14E988A122
SHA-512:	64C54B89F2637759309ECC6655831C3A6755924ED70CBC51614061542EB9BA9A8AECF6951EB3AB92447247DC4D7D846C88F4957DBBE4484A9AB934343EE27178
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...Q..f.........." ......... ......P.....................................................`.........................................@9.......9..d....`.......P..(............p..(....2...............................2..8............0...............................text...X........................... ..`.rdata..@....0......................@..@.data...x....@......................@....pdata..(....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..(....p.......6..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_MD4.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.09893680790018
Encrypted:	false
SSDEEP:	192:xsiXeqVb0lwbH4P01sAD7I/9hAkwDWzBEbcqgqLg:valqH4M1sAD7KvpwDFtgqLg
MD5:	F929B1A3997427191E07CF52AC883054
SHA1:	C5EA5B68586C2FB09E5FDD20D4DD616D06F5CBA6
SHA-256:	5386908173074FABD95BF269A9DF0A4E1B21C0576923186F449ABF4A820F6A8E
SHA-512:	2C79DBCE2C21214D979AB86DD989D41A3AFA7FCB7F3B79BA9974E2EE8F832DD7CA20C1C87C0C380DB037D776FE6D0851D60AD55A08AFDE0003B7E59214DD2F3B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...R..f.........." ................P.....................................................`.........................................08.......8..d....`.......P..(............p..(....1...............................2..8............0...............................text............................... ..`.rdata..0....0......................@..@.data........@.......,..............@....pdata..(....P......................@..@.rsrc........`.......2..............@..@.reloc..(....p.......4..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_MD5.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.451865349855574
Encrypted:	false
SSDEEP:	384:KfwogDHER1wuiDSyoGTgDZOviNgEPrLg:ugDHELwuiDScTgDwi+EP
MD5:	1FA5E257A85D16E916E9C22984412871
SHA1:	1AC8EE98AD0A715A1B40AD25D2E8007CDC19871F
SHA-256:	D87A9B7CAD4C451D916B399B19298DC46AAACC085833C0793092641C00334B8E
SHA-512:	E4205355B647C6E28B7E4722328F51DC2EB3A109E9D9B90F7C53D7A80A5A4B10E40ABDDAB1BA151E73EF3EB56941F843535663F42DCE264830E6E17BB659EADF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...R..f.........." ..... ..........P.....................................................`..........................................8......`9..d....`.......P..X............p..(....1...............................1..8............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........@.......2..............@....pdata..X....P.......4..............@..@.rsrc........`.......8..............@..@.reloc..(....p.......:..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_RIPEMD160.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.104245335186531
Encrypted:	false
SSDEEP:	192:3F/1n7Guqaj0kt7/Ev9kt0Qwac6QzD8iD0QocqgI4G0S:nGXkd/EvGt9wacNDvAgI4v
MD5:	FAD578A026F280C1AE6F787B1FA30129
SHA1:	9A3E93818A104314E172A304C3D117B6A66BEB55
SHA-256:	74A1FF0801F4704158684267CD8E123F83FB6334FE522C1890AC4A0926F80AB1
SHA-512:	ACF8F5B382F3B4C07386505BBDCAF625D13BCC10AA93ED641833E3548261B0AD1063E2F59BE2FCD2AFAF3D315CB3FC5EB629CEFC168B33CFD65A3A6F1120F7FF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...U..f.........." ......... ......P.....................................................`..........................................9.......:..d....`.......P...............p..(...@3..............................`3..8............0...............................text...H........................... ..`.rdata.......0......................@..@.data...H....@.......,..............@....pdata.......P......................@..@.rsrc........`.......2..............@..@.reloc..(....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_SHA1.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	5.671305741258107
Encrypted:	false
SSDEEP:	384:APHoDUntQj0sKhDOJ+0QPSfu6rofDjiZzgE+kbwb:VUOYsKNO466DjoUE+
MD5:	556E6D0E5F8E4DA74C2780481105D543
SHA1:	7A49CDEF738E9FE9CD6CD62B0F74EAD1A1774A33
SHA-256:	247B0885CF83375211861F37B6DD1376AED5131D621EE0137A60FE7910E40F8B
SHA-512:	28FA0CE6BDBCC5E95B80AADC284C12658EF0C2BE63421AF5627776A55050EE0EA0345E30A15B744FC2B2F5B1B1BBB61E4881F27F6E3E863EBAAEED1073F4CDA1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h..9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...R..f.........." ...............P.....................................................`..........................................H......hI..d....p.......`..X...............(....A...............................A..8............@...............................text....).......*.................. ..`.rdata.......@......................@..@.data........P.......<..............@....pdata..X....`.......>..............@..@.rsrc........p.......B..............@..@.reloc..(............D..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_SHA224.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	5.878701941774916
Encrypted:	false
SSDEEP:	384:EJWo4IRCGHX1KXqHGcvYHp5RYcARQOj4MSTjqgPmJD1OhgkxEv:EcIRnHX1P/YtswvaD1Rk
MD5:	2F2655A7BBFE08D43013EDDA27E77904
SHA1:	33D51B6C423E094BE3E34E5621E175329A0C0914
SHA-256:	C734ABBD95EC120CB315C43021C0E1EB1BF2295AF9F1C24587334C3FCE4A5BE1
SHA-512:	8AF99ACC969B0E560022F75A0CDCAA85D0BDEADADEACD59DD0C4500F94A5843EA0D4107789C1A613181B1F4E5252134A485EF6B1D9D83CDB5676C5FEE4D49B90
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...S..f.........." .....6... ......P.....................................................`.........................................@Z......([..d............p..................(....R...............................R..8............P...............................text....5.......6.................. ..`.rdata..x....P.......:..............@..@.data........`.......J..............@....pdata.......p.......L..............@..@.rsrc................P..............@..@.reloc..(............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_SHA256.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	5.881781476285865
Encrypted:	false
SSDEEP:	384:EJWo4IRCGHXfKXqHGcvYHp5RYcARQOj4MSTjqgPmJD12gkxEv:EcIRnHXfP/YtswvaD1zk
MD5:	CDE035B8AB3D046B1CE37EEE7EE91FA0
SHA1:	4298B62ED67C8D4F731D1B33E68D7DC9A58487FF
SHA-256:	16BEA322D994A553B293A724B57293D57DA62BC7EAF41F287956B306C13FD972
SHA-512:	C44FDEE5A210459CE4557351E56B2D357FD4937F8EC8EACEAB842FEE29761F66C2262FCBAAC837F39C859C67FA0E23D13E0F60B3AE59BE29EB9D8ABAB0A572BB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...S..f.........." .....6... ......P.....................................................`.........................................@Z......([..d............p..................(....R...............................R..8............P...............................text....5.......6.................. ..`.rdata..x....P.......:..............@..@.data........`.......J..............@....pdata.......p.......L..............@..@.rsrc................P..............@..@.reloc..(............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_SHA384.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26624
Entropy (8bit):	5.837887867708438
Encrypted:	false
SSDEEP:	768:e839Cc4itui0gel9soFdkO66MlPGXmXcyYDTzks:Ns4u/FZ6nPxMLDvk
MD5:	999D431197D7E06A30E0810F1F910B9A
SHA1:	9BFF781221BCFFD8E55485A08627EC2A37363C96
SHA-256:	AB242B9C9FB662C6F7CB57F7648F33983D6FA3BB0683C5D4329EC2CC51E8C875
SHA-512:	A5DD92DD471ADB44EEFE5919EF9CA3978724E21174DF5B3A9C1F0AB462F928E5A46A460D02417DB7522F5DE3BFEED5EEE6B1EAFAF3E621722E85E72675F7096F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...T..f.........." .....H..."......P.....................................................`..........................................k.......l..d...............................(...pd...............................d..8............`...............................text....F.......H.................. ..`.rdata.......`.......L..............@..@.data................^..............@....pdata...............`..............@..@.rsrc................d..............@..@.reloc..(............f..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_SHA512.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26624
Entropy (8bit):	5.895310340516013
Encrypted:	false
SSDEEP:	768:lcX9Nf4ttui0gel9soFdkO66MlPGXmXc/vDTOvk:a38u/FZ6nPxM3DAk
MD5:	0931ABBF3AED459B1A2138B551B1D3BB
SHA1:	9EC0296DDAF574A89766A2EC035FC30073863AB0
SHA-256:	1729A0DC6B80CB7A3C07372B98B10D3C6C613EA645240878E1FDE6A992FA06F1
SHA-512:	9F970BB4D10B94F525DDDDE307C7DA5E672BBFB3A3866A34B89B56ADA99476724FD690A4396857182749294F67F36DB471A048789FB715D2A7DAF46917FC1947
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...T..f.........." .....H..."......P.....................................................`.........................................@l......(m..d...............................(....d...............................e..8............`...............................text...hG.......H.................. ..`.rdata..x....`.......L..............@..@.data................^..............@....pdata...............`..............@..@.rsrc................d..............@..@.reloc..(............f..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_ghash_clmul.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	4.967737129255606
Encrypted:	false
SSDEEP:	192:dMpWt/1nCuqaL0kt7TsEx2fiTgDZqGF0T7cqgkLgJ:k/k1Ts64DDJyBgkLg
MD5:	5F057A380BACBA4EF59C0611549C0E02
SHA1:	4B758D18372D71F0AA38075F073722A55B897F71
SHA-256:	BCB14DAC6C87C24269D3E60C46B49EFFB1360F714C353318F5BBAA48C79EC290
SHA-512:	E1C99E224745B86EE55822C1DBCB4555A11EC31B72D87B46514917EB61E0258A1C6D38C4F592969C17EB4F0F74DA04BCECA31CF1622720E95F0F20E9631792E8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^J.6?$.6?$.6?$.?G..2?$.dJ%.4?$.}G%.5?$.6?%..?$.dJ!.<?$.dJ .>?$.dJ'.5?$..J,.7?$..J$.7?$..J..7?$..J&.7?$.Rich6?$.........................PE..d...V..f.........." ................P.....................................................`.........................................P8.......8..d....`.......P...............p..(....1...............................1..8............0...............................text............................... ..`.rdata..2....0......................@..@.data...H....@.......(..............@....pdata.......P.......*..............@..@.rsrc........`......................@..@.reloc..(....p.......0..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_ghash_portable.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.007867576025166
Encrypted:	false
SSDEEP:	192:bMt/1nCuqaL0ktPH0T7fwtF4zDn2rGacqgRGd:1/kpU3Yv4zDXqgRGd
MD5:	49BCA1B7DF076D1A550EE1B7ED3BD997
SHA1:	47609C7102F5B1BCA16C6BAD4AE22CE0B8AEE9E9
SHA-256:	49E15461DCB76690139E71E9359F7FCF92269DCCA78E3BFE9ACB90C6271080B2
SHA-512:	8574D7FA133B72A4A8D1D7D9FDB61053BC88C2D238B7AC7D519BE19972B658C44EA1DE433885E3206927C75DD5D1028F74999E048AB73189585B87630F865466
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.j.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...V..f.........." ................P.....................................................`..........................................8.......8..d....`.......P..X............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......*..............@....pdata..X....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..(....p.......2..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_keccak.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	5.226023387740053
Encrypted:	false
SSDEEP:	384:rfRKTN+HLjRskTdf4WazSTkwjEvuY2bylHDiYIgovg:mcHfRl5pauoSjy5DiE
MD5:	CB5CFDD4241060E99118DEEC6C931CCC
SHA1:	1E7FED96CF26C9F4730A4621CA9D18CECE3E0BCE
SHA-256:	A8F809B6A417AF99B75EEEEA3ECD16BDA153CBDA4FFAB6E35CE1E8C884D899C4
SHA-512:	8A89E3563C14B81353D251F9F019D8CBF07CB98F78452B8522413C7478A0D77B9ABF2134E4438145D6363CDA39721D2BAE8AD13D1CDACCBB5026619D95F931CF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...U..f.........." ..... ... ......P.....................................................`..........................................9.......9..d....`.......P..X............p..(...p2...............................2..8............0...............................text............ .................. ..`.rdata..@....0.......$..............@..@.data........@.......4..............@....pdata..X....P.......6..............@..@.rsrc........`.......:..............@..@.reloc..(....p.......<..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Hash\_poly1305.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.262055670423592
Encrypted:	false
SSDEEP:	192:C/ZN2eq/b04PAHH41F6fnVS0sVn+5CA5Z1cD66WGcqgFjLg:vI4IHHaQfSVnCZyDImgFjLg
MD5:	18D2D96980802189B23893820714DA90
SHA1:	5DEE494D25EB79038CBC2803163E2EF69E68274C
SHA-256:	C2FD98C677436260ACB9147766258CB99780A007114AED37C87893DF1CF1A717
SHA-512:	0317B65D8F292332C5457A6B15A77548BE5B2705F34BB8F4415046E3E778580ABD17B233E6CC2755C991247E0E65B27B5634465646715657B246483817CACEB7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...V..f.........." ................P.....................................................`..........................................8.......9..d....`.......P..\|............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......."..............@..@.data........@.......0..............@....pdata..\|....P.......2..............@..@.rsrc........`.......6..............@..@.reloc..(....p.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Math\_modexp.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.913843738203007
Encrypted:	false
SSDEEP:	384:dspbXtHQY4ubrttQza9CHnZXQsnecAlOF0qZLAXxQI3Sya6XPpMg3Yx8MnDcCPSq:7Y44UagH6cAFCLUSYpMg3YDzPo5kG9G
MD5:	EF472BA63FD22922CA704B1E7B95A29E
SHA1:	700B68E7EF95514D5E94D3C6B10884E1E187ACD8
SHA-256:	66EEF4E6E0CEEEF2C23A758BFBEDAE7C16282FC93D0A56ACAFC40E871AC3F01C
SHA-512:	DC2060531C4153C43ABF30843BCB5F8FA082345CA1BB57F9AC8695EDDB28FF9FDA8132B6B6C67260F779D95FCADCAE2811091BCA300AB1E041FAE6CC7B50ABD8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..P~...~...~...w.3.x...,...\|...5...}...~...U...,...u...,...v...,...}.......\|............._.............Rich~...................PE..d...^..f.........." .....`...0......`.....................................................`..........................................~..\|...L...d...............<...............(....q...............................q..8............p..(............................text...X^.......`.................. ..`.rdata.......p.......d..............@..@.data................x..............@....pdata..<...........................@..@.rsrc...............................@..@.reloc..(...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Protocol\_scrypt.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.735350805948923
Encrypted:	false
SSDEEP:	192:rhsC3eqv6b0q3OQ3rHu5bc64OhD2I/p3cqgONLg:r/Hq3jHuY64OhDJJgONLg
MD5:	3B1CE70B0193B02C437678F13A335932
SHA1:	063BFD5A32441ED883409AAD17285CE405977D1F
SHA-256:	EB2950B6A2185E87C5318B55132DFE5774A5A579259AB50A7935A7FB143EA7B1
SHA-512:	0E02187F17DFCFD323F2F0E62FBFE35F326DCF9F119FC8B15066AFAEEE4EB7078184BC85D571B555E9E67A2DD909EC12D8A67E3D075E9B1283813EF274E05C0D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^:.6?T.6?T.6?T.?G..2?T.dJU.4?T.}GU.5?T.6?U..?T.dJQ.<?T.dJP.>?T.dJW.5?T..J\.7?T..JT.7?T..J..7?T..JV.7?T.Rich6?T.........................PE..d...Z..f.........." ................P.....................................................`..........................................8..d....8..d....`.......P..4............p..(....1...............................1..8............0...............................text...H........................... ..`.rdata..0....0......................@..@.data........@.......&..............@....pdata..4....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..(....p......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\PublicKey\_curve25519.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22528
Entropy (8bit):	5.705606408072877
Encrypted:	false
SSDEEP:	384:19BcRxBmau38CYIl9bhgIW0mvufueNr359/tjGGDEFSegqrA:NcRy38J+9dmvufFtaGDV
MD5:	FF33C306434DEC51D39C7BF1663E25DA
SHA1:	665FCF47501F1481534597C1EAC2A52886EF0526
SHA-256:	D0E3B6A2D0E073B2D9F0FCDB051727007943A17A4CA966D75EBA37BECDBA6152
SHA-512:	66A909DC9C3B7BD4050AA507CD89B0B3A661C85D33C881522EC9568744953B698722C1CBFF093F9CBCD6119BD527FECAB05A67F2E32EC479BE47AFFA4377362C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...\..f.........." .....6...$......P.....................................................`.........................................`Y......`Z..d............p..................(....R..............................0R..8............P...............................text...(5.......6.................. ..`.rdata.......P.......:..............@..@.data........`.......J..............@....pdata.......p.......P..............@..@.rsrc................T..............@..@.reloc..(............V..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\PublicKey\_curve448.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	6.0189903352673655
Encrypted:	false
SSDEEP:	1536:Jfju4GgRMgWWnEDZiECgd/iwOXUQdbhov0Clb8Cx4hpK8ithLFIDullRPwDHxXOa:pXRMgWiEDZiECgd/iwOXUQdbhov0ClbU
MD5:	F267BF4256F4105DAD0D3E59023011ED
SHA1:	9BC6CA0F375CE49D5787C909D290C07302F58DA6
SHA-256:	1DDE8BE64164FF96B2BAB88291042EB39197D118422BEE56EB2846E7A2D2F010
SHA-512:	A335AF4DBF1658556ED5DC13EE741419446F7DAEC6BD2688B626A803FA5DD76463D6367C224E0B79B17193735E2C74BA417C26822DAEEF05AC3BAB1588E2DE83
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..P~...~...~...w.3.x...,...\|...5...}...~...U...,...u...,...v...,...}.......\|............._.............Rich~...................PE..d...\..f.........." .........8......`........................................P............`.............................................0.......d....0....... ..$............@..(.......................................8............................................text...8........................... ..`.rdata..............................@..@.data...............................@....pdata..$.... ......................@..@.rsrc........0......................@..@.reloc..(....@......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\PublicKey\_ec_ws.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	770560
Entropy (8bit):	7.613224993327352
Encrypted:	false
SSDEEP:	12288:XtIrHoxJ8gf1266y8IXhJvCKAmqVLzcrZgYIMGv1iLD9yQvG6h:XtIrHoxJFf1p34hcrn5Go9yQO6
MD5:	1EFD7F7CB1C277416011DE6F09C355AF
SHA1:	C0F97652AC2703C325AB9F20826A6F84C63532F2
SHA-256:	AB45FA80A68DB1635D41DC1A4AAD980E6716DAC8C1778CB5F30CDB013B7DF6E6
SHA-512:	2EC4B88A1957733043BBD63CEAA6F5643D446DB607B3267FAD1EC611E6B0AF697056598AAC2AE5D44AB2B9396811D183C32BCE5A0FF34E583193A417D1C5226B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........s.. .. .. ... .. ..!.. ..!.. .. .. ..!.. ..!.. ..!.. \..!.. \..!.. \.r .. \..!.. Rich.. ................PE..d...[..f.........." ................`.....................................................`.............................................h.......d...............................0......................................8...............(............................text............................... ..`.rdata..............................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..0...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\PublicKey\_ed25519.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26112
Entropy (8bit):	5.8551858881598795
Encrypted:	false
SSDEEP:	384:BczadRwoF2MZ81n0XTyMCYIl9bhgIW0mv8aeadRcwRwftjGLD2pRQNgQQ77k:2udRf2MuMJ+9dmv8aea34taLDcfQ
MD5:	C5FB377F736ED731B5578F57BB765F7A
SHA1:	5BA51E11F4DE1CAEDEBA0F7D4D10EC62EC109E01
SHA-256:	32073DF3D5C85ABCE7D370D6E341EF163A8350F6A9EDC775C39A23856CCFDD53
SHA-512:	D361BCDAF2C700D5A4AC956D96E00961432C05A1B692FC870DB53A90F233A6D24AA0C3BE99E40BD8E5B7C6C1B2BCDCDCFC545292EF321486FFC71C5EA7203E6A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...]..f.........." .....B...&......P.....................................................`..........................................i..0....k..d...............................(... b..............................@b..8............`...............................text....A.......B.................. ..`.rdata..P....`.......F..............@..@.data........p.......V..............@....pdata...............^..............@..@.rsrc................b..............@..@.reloc..(............d..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\PublicKey\_ed448.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84992
Entropy (8bit):	6.064677498000638
Encrypted:	false
SSDEEP:	1536:BrYNvxcZeLrIeNs2qkTwe57DsuP45PqAqVDK9agdUiwOXyQdDrov0slb8gx4TBKW:Br4vxcZeLrIeN1TvHsuP45yAqVDK9ag3
MD5:	8A0C0AA820E98E83AC9B665A9FD19EAF
SHA1:	6BF5A14E94D81A55A164339F60927D5BF1BAD5C4
SHA-256:	4EE3D122DCFFE78E6E7E76EE04C38D3DC6A066E522EE9F7AF34A09649A3628B1
SHA-512:	52496AE7439458DEDB58A65DF9FFDCC3A7F31FC36FE7202FB43570F9BB03ABC0565F5EF32E5E6C048ED3EBC33018C19712E58FF43806119B2FB5918612299E7E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..P~...~...~...w.3.x...,...\|...5...}...~...U...,...u...,...v...,...}.......\|............._.............Rich~...................PE..d...^..f.........." .........8......`.....................................................`..........................................C..h...HE..d....p.......`..l...............(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......4..............@....pdata..l....`.......>..............@..@.rsrc........p.......H..............@..@.reloc..(............J..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Util\_cpuid_c.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.675380950473425
Encrypted:	false
SSDEEP:	96:frQRpBddzAvzrqTOy/ThIz014mlxuLnkC75JiSBhsPeSztllIDpqf4AZaRcX6gnO:Qddz2KTnThIz0qfteRIDgRWcqgnCWt
MD5:	44B930B89CE905DB4716A548C3DB8DEE
SHA1:	948CBFF12A243C8D17A7ACD3C632EE232DF0F0ED
SHA-256:	921C2D55179C0968535B20E9FD7AF55AD29F4CE4CF87A90FE258C257E2673AA5
SHA-512:	79DF755BE8B01D576557A4CB3F3200E5EE1EDE21809047ABB9FF8D578C535AC1EA0277EDA97109839A7607AF043019F2C297E767441C7E11F81FDC87FD1B6EFC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@................../....../...../......+.......*......-......&....................,....Rich...........................PE..d...X..f.........." ................P........................................p............`.........................................@'..\|....'..P....P.......@...............`..(....!...............................!..8............ ...............................text............................... ..`.rdata....... ......................@..@.data...H....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..(....`.......&..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Util\_strxor.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.625428549874022
Encrypted:	false
SSDEEP:	96:flipBddzAvzrqTOy/ThIz014mlxuLnkC75JiSBhsPeSzteXuDVZqYNIfcX6gHCWx:Cddz2KTnThIz0qfteR5DVwYkcqgHCWt
MD5:	F24F9356A6BDD29B9EF67509A8BC3A96
SHA1:	A26946E938304B4E993872C6721EB8CC1DCBE43B
SHA-256:	034BB8EFE3068763D32C404C178BD88099192C707A36F5351F7FDB63249C7F81
SHA-512:	C4D3F92D7558BE1A714388C72F5992165DD7A9E1B4FA83B882536030542D93FDAD9148C981F76FFF7868192B301AC9256EDB8C3D5CE5A1A2ACAC183F96C1028B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@................../....../...../......+.......*......-......&....................,....Rich...........................PE..d...Z..f.........." ................P........................................p............`......................................... '..t....'..P....P.......@...............`..(....!...............................!..8............ ...............................text...h........................... ..`.rdata..`.... ......................@..@.data...H....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..(....`.......&..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_ARC4.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	4.704418348721006
Encrypted:	false
SSDEEP:	96:nDzsc9VD9daQ2iTrqT+6Zdp/Q0I1uLfcC75JiC4Rs89EcYyGDj90OcX6gY/7ECFV:Dzs69damqTrpYTst0E5DjPcqgY/79X
MD5:	85F144F57905F68ECBF14552BAB2F070
SHA1:	83A20193E6229EA09DCCAE8890A74DBDD0A76373
SHA-256:	28696C8881D9C9272DE4E54ABE6760CD4C6CB22AD7E3FEABAF6FF313EC9A9EAF
SHA-512:	533EB4073594BFE97850DFF7353439BACD4E19539E247EE00D599F3468E162D2D88C5CA32322772538A73706DF9A6DD14553B35F47C686D2E20D915FAB766BDA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...b..b..b..R...b..Uc..b.Rc..b..c..b..Ug..b..Uf..b..Ua..b..j..b..b..b....b..`..b.Rich.b.................PE..d...O..e.........." ...%............P........................................p............`.........................................P(.......(..d....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata..,.... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......(..............@..@.reloc..,....`.......*..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_Salsa20.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	4.968532257508093
Encrypted:	false
SSDEEP:	96:JF3rugNlF/1Nt5aSd4+1ijg0NLfFNJSCqsstXHTeH5ht47qMbxbfDq4wYH/kcX6G:tF/1nb2mhQtkXHTeZ87VDqyMcqgYvEp
MD5:	14A20ED2868F5B3D7DCFEF9363CB1F32
SHA1:	C1F2EF94439F42AA39DCDE1075DEFAC8A6029DC6
SHA-256:	A072631CD1757D5147B5E403D6A96EF94217568D1DC1AE5C67A1892FBF61409E
SHA-512:	33BE8B3733380C3ADFE5D2844819C754FB11FCBC7AA75DA8FBB4D6CEF938E7D3267FBD215B9666DCFA5795D54484360A61DAF193BC75B57C252D44E5F9F0D855
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...P..e.........." ...%............P.....................................................`..........................................8......x9..d....`.......P..L............p..,....3...............................1..@............0...............................text...(........................... ..`.rdata.......0......................@..@.data...8....@.......*..............@....pdata..L....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..,....p.......2..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_chacha20.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.061520684813544
Encrypted:	false
SSDEEP:	192:cdF/1nb2mhQtkXn0t/WS60YYDEbqvdvGyv9lkVcqgYvEMo:e2f6XSZ6XYD5vdvGyv9MgYvEMo
MD5:	E2AB7EECFD020CFDEBA6DD3ADD732EB7
SHA1:	26975087F7AC8001830CAD4151003DBCABF82126
SHA-256:	85BCF0FD811ADE1396E3A93EEEF6BC6B88D5555498BA09C164FAA3092DACDEFF
SHA-512:	EB45126A07128E0FA8DC2B687F833BA95BB8703D7BC06E5C34F828EAEF062CFCA56D8A51A73B20DFA771595F6C6D830B659B5C0EB62467C61E95C97C4A73398D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...P..e.........." ...%............P.....................................................`..........................................8.......9..d....`.......P..d............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......,..............@....pdata..d....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_pkcs1_decode.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.236611028290556
Encrypted:	false
SSDEEP:	192:osiHXqpoUol3xZhRyQX5lDnRDFFav+tcqgRvE:K6D+XBDfDgRvE
MD5:	7FA5B1642D52FABFE1D3EBD1080056D4
SHA1:	56B9E87D613EE9A8B6B71A93ED5FA1603886139A
SHA-256:	88C7EC96B9E1D168005B3A8727AAA7F76B4B2985083ED7A9FB0A2AB02446E963
SHA-512:	9E0BF47060A2B7AC8FFD2CB8B845D44013C068BFE74926A67496D79BCB513506625BDA1DDF18ECE7777D1379F036506F19457D0A43FA618A8F75664C47798E64
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...........R......U.....R............U......U......U................}.........Rich...........................PE..d...N..e.........." ...%............P.....................................................`..........................................9.......9..d....`.......P..\|............p..,....3...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...h....@.......,..............@....pdata..\|....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_aes.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	6.558039926510444
Encrypted:	false
SSDEEP:	384:Dz5P+7nYpPMedFDlDchrVX1mEVmT9ZgkoD/PKDkGuF0U390QOo8VdbKBWmuTLg46:DzdqWB7YJlmLJ3oD/S4j990th9VTsC
MD5:	E63FC8375E1D8C47FBB84733F38A9552
SHA1:	995C32515AA183DA58F970CEDC6667FAE166615A
SHA-256:	F47F9C559A9C642DA443896B5CD24DE74FED713BDF6A9CD0D20F5217E4124540
SHA-512:	4213189F619E7AA71934033CABA401FE93801B334BA8D8EAFEDA89F19B13224C516E4BB4F4F93F6AE2C21CD8F5586D3FFAC3D16CB1242183B9302A1F408F6F6A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...b..b..b..R...b..Uc..b.Rc..b..c..b..Ug..b..Uf..b..Ua..b..j..b..b..b....b..`..b.Rich.b.................PE..d...L..e.........." ...%.H...H......P.....................................................`.................................................,...d...............................4... ...................................@............`...............................text....F.......H.................. ..`.rdata..d6...`...8...L..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_aesni.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	5.285246086368036
Encrypted:	false
SSDEEP:	192:jJBjJHEkEPYi3Xd+dc26E4++yuqAyXW9wifD4mqccqgwYUMvEW:ZkRwi3wO26Ef+yuIm9PfDewgwYUMvE
MD5:	A914F3D22DA22F099CB0FBFBBB75DDBF
SHA1:	2834AEB657CA301D722D6D4D1672239C83BE97E3
SHA-256:	4B4DBF841EC939EF9CC4B4F1B1BA436941A3F2AF2F4E34F82C568DFC09BA0358
SHA-512:	15BF5FCE53FB2C524054D02C2E48E3DDC4EAC0C1F73325D58B04DFE17259C208FFAC0A7C634FBC2CF1A08E7F28C1FD456061BA0838F4316EB37514E1E8D4C95F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........TX..:...:...:.....:..;...:...;...:...;...:..?...:..>...:..9...:..R2...:..R:...:..R....:..R8...:.Rich..:.................PE..d...L..e.........." ...%. ... ......P.....................................................`..........................................9......D:..d....`.......P...............p..,....3...............................1..@............0.. ............................text...h........ .................. ..`.rdata.......0.......$..............@..@.data...(....@.......4..............@....pdata.......P.......6..............@..@.rsrc........`.......:..............@..@.reloc..,....p.......<..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_arc2.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	5.505232918566824
Encrypted:	false
SSDEEP:	192:9d9VkyQ5f8vjVaCHpKpTTjaNe7oca2DWZQ2dhmdcqgwNeecBih:rkP5cjIGpKlqD2DakzgwNeE
MD5:	9F1A2A9D731E7755EE93C82C91FA5FE2
SHA1:	41085FBE84E1B98A795871033034FA1F186274EF
SHA-256:	17F3EAF463868B015583BD611BE5251E36AAB616522FF4072011B3D72F6F552F
SHA-512:	7E29D4729837D87AEF34CFA7B1F86DFBB81907CD11FC575C4ED1B8A956409492315BFA76ADE4D7C51E51E37E5D098A7F4FEE4C58D86D0E6245A4AA0D392D488A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...L..e.........." ...%."... ......P.....................................................`.........................................0J.......J..d....p.......`..................,....C...............................B..@............@...............................text....!.......".................. ..`.rdata.......@.......&..............@..@.data...8....P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..,............>..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_blowfish.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20992
Entropy (8bit):	6.061115794354147
Encrypted:	false
SSDEEP:	384:pUv5cJMOZA0nmwBD+XpJgLa0Mp8QHg4P2llyM:GK1XBD+DgLa1gTi
MD5:	883DE82B3B17F95735F579E78A19D509
SHA1:	3EC7259ACA3730B2A6F4E1CA5121DB4AB41C619E
SHA-256:	67FF6C8BBDC9E33B027D53A26DF39BA2A2AD630ACCE1BAC0B0583CA31ADF914F
SHA-512:	602915EAA0933F5D1A26ECC1C32A8367D329B12794CBF2E435B1704E548858E64710AB52BC6FC14FC98DF0B8EEBDE2B32A35BCF935079CC8E2412C07DF5303FD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...L..e.........." ...%.$...0......P.....................................................`.........................................pY.......Z..d............p..................4...@S...............................R..@............@...............................text....".......$.................. ..`.rdata..L....@... ...(..............@..@.data...8....`.......H..............@....pdata.......p.......J..............@..@.rsrc................N..............@..@.reloc..4............P..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_cast.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25088
Entropy (8bit):	6.475398255636883
Encrypted:	false
SSDEEP:	384:Zc6HLZiMDFuGu+XHZXmrfXA+UA10ol31tuXy7IYgLWi:q6H1TZXX5XmrXA+NNxWi0dLWi
MD5:	0AC22DA9F0B2F84DE9D2B50D457020C1
SHA1:	682E316AE958121D0E704CAB0F78CCAD42C77573
SHA-256:	480C79C713AD15328E9EB9F064B90BCDCB5AAD149236679F97B61218F6D2D200
SHA-512:	11C04D55C5E73583D658E0918BD5A37C7585837A6E0F3C78AEF10A5D7A5C848B0620028177A9D9B0AD5DB882B2A26624F92BEFC9BC8F8A23C002723E50DD80A5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...M..e.........." ...%.$...@............................................................`.........................................@i.......i..d...............................4....b...............................a..@............@...............................text....#.......$.................. ..`.rdata.......@...0...(..............@..@.data...8....p.......X..............@....pdata...............Z..............@..@.rsrc................^..............@..@.reloc..4............`..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_cbc.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.839420412830416
Encrypted:	false
SSDEEP:	192:CF/1nb2mhQtkr+juOxKbDbRHcqgYvEkrK:42f6iuOsbDXgYvEmK
MD5:	6840F030DF557B08363C3E96F5DF3387
SHA1:	793A8BA0A7BDB5B7E510FC9A9DDE62B795F369AE
SHA-256:	B7160ED222D56925E5B2E247F0070D5D997701E8E239EC7F80BCE21D14FA5816
SHA-512:	EDF5A4D5A3BFB82CC140CE6CE6E9DF3C8ED495603DCF9C0D754F92F265F2DCE6A83F244E0087309B42930D040BF55E66F34504DC1C482A274AD8262AA37D1467
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...N..e.........." ...%............P.....................................................`..........................................8.......9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_cfb.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	4.905258571193623
Encrypted:	false
SSDEEP:	192:fRgPX8lvI+KnwSDTPUDEnKWPXcqgzQkvEd:4og9rUD/mpgzQkvE
MD5:	7256877DD2B76D8C6D6910808222ACD8
SHA1:	C6468DB06C4243CE398BEB83422858B3FED76E99
SHA-256:	DBF703293CFF0446DFD15BBAEDA52FB044F56A353DDA3BECA9AADD8A959C5798
SHA-512:	A14D460D96845984F052A8509E8FC44439B616EEAE46486DF20F21CCAA8CFB1E55F1E4FA2F11A7B6AB0A481DE62636CEF19EB5BEF2591FE83D415D67EB605B8E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K............RQ.....U.....R............U......U......U..................=..........Rich...................PE..d...N..e.........." ...%..... ......P.....................................................`..........................................9.......9..d....`.......P..d............p..,....3...............................1..@............0...............................text...(........................... ..`.rdata.......0......................@..@.data...8....@.......,..............@....pdata..d....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_ctr.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.300728193650235
Encrypted:	false
SSDEEP:	192:jGYJ1gSHxKkwv0i8XSi3Sm57NEEE/qexUEtDr6krRcqgUF6+6vEX:jR01si8XSi3SACqe7tDlDgUUjvE
MD5:	B063D73E5AA501060C303CAFBC72DAD3
SHA1:	8C1CA04A8ED34252EB233C993DDBA17803E0B81E
SHA-256:	98BACA99834DE65FC29EFA930CD9DBA8DA233B4CFDFC4AB792E1871649B2FE5C
SHA-512:	8C9AD249F624BDF52A3C789C32532A51D3CC355646BD725553A738C4491EA483857032FB20C71FD3698D7F68294E3C35816421DFF263D284019A9A4774C3AF05
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K,..B..B..B..R...B..UC..B.RC..B..C..B..UG..B..UF..B..UA..B..J..B..B..B....B..@..B.Rich.B.........................PE..d...O..e.........." ...%..... ......P.....................................................`..........................................9......x:..d....`.......P...............p..,....3...............................1..@............0.. ............................text............................... ..`.rdata.......0....... ..............@..@.data........@.......0..............@....pdata.......P.......2..............@..@.rsrc........`.......6..............@..@.reloc..,....p.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_des.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57856
Entropy (8bit):	4.260136375669177
Encrypted:	false
SSDEEP:	384:9RUqVT1dZ/GHkJnYcZiGKdZHDLtiduprZvZY0JAIg+v:9rHGHfJidIK
MD5:	3AEA5302F7F03EDEFF49D1C119C61693
SHA1:	DBDDE1C10B253744153FC1F47C078AAACCF3F3A6
SHA-256:	E5DDA67D4DF47B7F00FF17BE6541CA80BDB4B60E1F6FD1A7D7F115DDF7683EE5
SHA-512:	DD42C24EDAF7E1B25A51BC8C96447496B3289C612C395CA7BD8BF60A162229C2E0CA0432CDDF1CB2D65D80189DB02BEE42FFD0E7DD9E5FC19278CA3FD593AB2C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A.........................................................K......K......Ki.....K.....Rich...........................PE..d...M..e.........." ...%.8...................................................0............`.....................................................d...............l............ ..4...................................@...@............P...............................text....7.......8.................. ..`.rdata..f....P.......<..............@..@.data...8...........................@....pdata..l...........................@..@.rsrc...............................@..@.reloc..4.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_des3.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	58368
Entropy (8bit):	4.276947153784193
Encrypted:	false
SSDEEP:	384:98Uqho9weF5/eHkRnYcZiGKdZHDL7idErZ8ZYXGg:9gCneH//idv2
MD5:	BA5BA714AEBFD8130EB6E0983FBAE20B
SHA1:	3309C26A9083EC3AD982DD3D6630FCC16465F251
SHA-256:	861167DFEB390261E538D635EAD213E81C1166D8D85A496774FBF2EBFF5A4332
SHA-512:	309CC3FD8DB62517AE70B404C5ACD01052F10582A17123135CD1A28D3A74AB28F90A8E7ED7D2061A4B6C082F85E98DA822D43986FC99367B288A72BA9F8B5569
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A.........................................................K......K......Ki.....K.....Rich...........................PE..d...N..e.........." ...%.:...................................................0............`.................................................P...d............................ ..4...................................@...@............P...............................text...x9.......:.................. ..`.rdata.......P.......>..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..4.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_ecb.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.579354442149926
Encrypted:	false
SSDEEP:	96:j0qVVdJvbrqTu6ZdpvY0IluLfcC75JiCKs89EpmFWLOXDwoYPj15XkcX6gbW6z:pVddiT7pgTctEEI4qXDe11kcqgbW6
MD5:	1C74E15EC55BD8767968024D76705EFC
SHA1:	C590D1384D2207B3AF01A46A5B4F7A2AE6BCAD93
SHA-256:	0E3EC56A1F3C86BE1CAA503E5B89567AA91FD3D6DA5AD4E4DE4098F21270D86B
SHA-512:	E96CA56490FCE7E169CC0AB803975BAA8B5ACB8BBAB5047755AE2EEAE177CD4B852C0620CD77BCFBC81AD18BB749DEC65D243D1925288B628F155E8FACDC3540
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.`.r.`.r.`.{...p.`.g.a.p.`.9.a.q.`.r.a.Q.`.g.e.y.`.g.d.z.`.g.c.q.`.H.h.s.`.H.`.s.`.H...s.`.H.b.s.`.Richr.`.................PE..d...N..e.........." ...%............P........................................p............`.........................................p'......((..P....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_eksblowfish.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	6.143744403797058
Encrypted:	false
SSDEEP:	384:7Uv5cRUtPQtjLJiKMjNrDF6pJgLa0Mp8Qy0gYP2lXCM:UKR8I+K0lDFQgLa1WzU
MD5:	E7826C066423284539BD1F1E99BA0CC6
SHA1:	DA7372EEB180C2E9A6662514A8FA6261E04AC6DC
SHA-256:	0E18B7C2686BB954A8EE310DD5FDB76D00AC078A12D883028BFFC336E8606DA2
SHA-512:	55F8B00B54F3C3E80803D5A3611D5301E29A2C6AF6E2CAA36249AEBA1D4FCC5A068875B34D65106C137F0455F11B20226B48EEF687F5EA73DFEA3C852BF07050
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...M..e.........." ...%.(...0......P.....................................................`.........................................pY.......Z..d............p..................4...@S...............................R..@............@...............................text...X'.......(.................. ..`.rdata..T....@... ...,..............@..@.data...8....`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..4............T..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_ocb.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	5.353670931504009
Encrypted:	false
SSDEEP:	384:tPHNP3Mj7Be/yB/6sB3yxcb+IMcOYqQViCBD8Ng6Vf4A:DPcnB8KSsB34cb+bcOYpMCBDB
MD5:	D5DB7192A65D096433F5F3608E5AD922
SHA1:	22AD6B635226C8F6B94F85E4FBFB6F8C18B613C8
SHA-256:	FAB286E26160820167D427A4AAB14BE4C23883C543E2B0C353F931C89CEA3638
SHA-512:	5503E83D68D144A6D182DCC5E8401DD81C1C98B04B5ED24223C77D94B0D4F2DD1DD05AED94B9D619D30D2FE73DFFA6E710664FFC71B8FA53E735F968B718B1D9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...O..e.........." ...%.(... ......P.....................................................`..........................................I.......J..d....p.......`..................,....C...............................A..@............@...............................text....'.......(.................. ..`.rdata..8....@.......,..............@..@.data........P.......<..............@....pdata.......`.......>..............@..@.rsrc........p.......B..............@..@.reloc..,............D..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Cipher\_raw_ofb.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.741875402338703
Encrypted:	false
SSDEEP:	192:sCF/1nb2mhQtkgU7L9D0E7tfcqgYvEJPb:N2f6L9D5JxgYvEJj
MD5:	134F891DE4188C2428A2081E10E675F0
SHA1:	22CB9B0FA0D1028851B8D28DAFD988D25E94D2FD
SHA-256:	F326AA2A582B773F4DF796035EC9BF69EC1AD11897C7D0ECFAB970D33310D6BA
SHA-512:	43CE8AF33630FD907018C62F100BE502565BAD712AD452A327AE166BD305735799877E14BE7A46D243D834F3F884ABF6286088E30533050ED9CD05D23AACAEAB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...O..e.........." ...%............P.....................................................`..........................................8.......9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_BLAKE2b.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.213290591994899
Encrypted:	false
SSDEEP:	192:oF/1nb2mhQtkRySMfJ2ycxFzShJD9dAal2QDeJKcqgQx2QY:C2fKRQB2j8JD4fJagQx2QY
MD5:	7D6979D69CD34652D5A3A197300AB65C
SHA1:	E9C7EF62B7042B3BAC75B002851C41EFEEE343CE
SHA-256:	2365B7C2AF8BBAC3844B7BEF47D5C49C234A159234A153515EB0634EEC0557CC
SHA-512:	CBDBE0DF4F6CB6796D54969B0EEF06C0CDA86FF34A2B127BF0272C819FB224D6E5393D5C9B31E53A24EAC9A3A1AEA6E0854A8D7911CF7C4C99292C931B8B05DF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...J..e.........." ...%..... ......P.....................................................`..........................................9......\|:..d....`.......P..@............p..,....3...............................2..@............0...............................text...X........................... ..`.rdata.......0....... ..............@..@.data...8....@.......0..............@....pdata..@....P.......2..............@..@.rsrc........`.......6..............@..@.reloc..,....p.......8..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_BLAKE2s.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.181893965844124
Encrypted:	false
SSDEEP:	192:cF/1nb2mhQt7fSOp/CJPvADQoKtxSOvbcqgEvcM+:22fNKOZWPIDMxVlgEvL
MD5:	C3BA97B2D8FFFDB05F514807C48CABB2
SHA1:	7BC7FBDE6A372E5813491BBD538FD49C0A1B7C26
SHA-256:	4F78E61B376151CA2D0856D2E59976670F5145FBABAB1EEC9B2A3B5BEBB4EEF6
SHA-512:	57C1A62D956D8C6834B7BA81C2D125A40BF466E833922AE3759CF2C1017F8CAF29F4502A5A0BCBC95D74639D86BAF20F0335A45F961CFCAC39B4ED81E318F4EB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...K..e.........." ...%..... ......P.....................................................`.........................................09.......9..d....`.......P..@............p..,....3...............................2..@............0...............................text...8........................... ..`.rdata..4....0......................@..@.data...8....@......................@....pdata..@....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..,....p.......6..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_MD2.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.1399121410532445
Encrypted:	false
SSDEEP:	192:HsiHXqpo0cUp8XnUp8XjEQnlDtTI6rcqgcx2:J6DcUp8XUp8AclDy69gcx2
MD5:	BB4CF5E97D4031B47CC7B7DAEDA005DD
SHA1:	4F596DCE9A8546AE22BA8851B22FCE62C2C69973
SHA-256:	325512FF7E0261AF1DA4760C5A8BB8BA7BA8C532F0068D770621CD2CC89E04C6
SHA-512:	93088745BA922918A8EBC20C7043DA4C3C639245547BE665D15625B7F808EC0BF120841ACEEFCE71134921EF8379821769DE35D32CCCC55E6B391C57C7F4D971
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...A..e.........." ...%..... ......P.....................................................`..........................................9......0:..d....`.......P..(............p..,....4...............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data...h....@......................@....pdata..(....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..,....p.......6..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_MD4.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.204576067987685
Encrypted:	false
SSDEEP:	192:JsiHXqpwUiv6wPf+4WVrd1DFrXqwWwcqgfvE:36biio2Pd1DFrlgfvE
MD5:	D2131380B7760D5BC3C2E1772C747830
SHA1:	DA5838E1C6DF5EC45AC0963E98761E9188A064D0
SHA-256:	6DB786B30F6682CD699E22D0B06B873071DCC569557B6EB6EC1416689C0890FE
SHA-512:	594939FB1D9154E15106D4B4AA9EF51A6AE5062D471ED7C0779A8E3D84D8F4B1481529015E0926A3489119DA37BE6CFE70C70ED695A6E84F6AF8F65402F6AAB5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...B..e.........." ...%............P.....................................................`.........................................p8...... 9..d....`.......P..(............p..,...@3...............................2..@............0...............................text...X........................... ..`.rdata..p....0......................@..@.data...p....@.......,..............@....pdata..(....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_MD5.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.4787123381499825
Encrypted:	false
SSDEEP:	192:3Z9WXA7M93g8U7soSchhiLdjM5J6ECTGmDZuRsP0rcqgjPrvE:SQ0gH7zSccA5J6ECTGmDMa89gjPrvE
MD5:	CAF687A7786892939FFF5D5B6730E069
SHA1:	96C2567A770E12C15903767A85ABF8AF57FE6D6A
SHA-256:	9001E0C50D77823D64C1891F12E02E77866B9EDE783CEF52ED4D01A32204781B
SHA-512:	0B3C9E5C1F7EF52E615D9E1E6F7D91324BAB7C97FFAFB6DBAEB229CF1B86420A3534493C34DD9FAEB4BBC3612F245248ABA34393311C31500D827538DFE24BC5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...B..e.........." ...%. ..........P.....................................................`..........................................8.......9..d....`.......P..X............p..,....3...............................1..@............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........@.......2..............@....pdata..X....P.......4..............@..@.rsrc........`.......8..............@..@.reloc..,....p.......:..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_RIPEMD160.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18432
Entropy (8bit):	5.69653684522693
Encrypted:	false
SSDEEP:	384:pkP5RjF7GsIyV6Lx41NVYaVmtShQRKAa8+D0ngkov:2nx7RI26LuuHKz8+D5N
MD5:	9762DBF0527A46F21852CA5303E245C3
SHA1:	33333912F16BB755B0631D8308D94DA2D7589127
SHA-256:	0DF91D69B8D585D2660168125E407E3CB3D87F338B3628E5E0C2BF49C9D20DB8
SHA-512:	52687C38939710C90A8C97F2C465AF8CF0309E3939255427B88BC461E27FADA79B0CB31F8BD215F72B610CAC093934C066141B9298353F04CC067C4E68B31DF0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...J..e.........." ...%.... ......P.....................................................`..........................................I.......J..d....p.......`..................,....D..............................PC..@............@...............................text....)......................... ..`.rdata.......@......................@..@.data...8....P.......>..............@....pdata.......`.......@..............@..@.rsrc........p.......D..............@..@.reloc..,............F..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_SHA1.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	5.798411671336839
Encrypted:	false
SSDEEP:	384:cPHNP3MjevhSY/8EBbVxcJ0ihTLdFDUPHgj+kf4D:mPcKvr/jUJ0sbDoAj+t
MD5:	74DAAAB71F93BCE184D507A45A88985C
SHA1:	3D09D69E94548EC6975177B482B68F86EDA32BB8
SHA-256:	E781D6DAF2BAAA2C1A45BD1CDDB21BA491442D49A03255C1E367F246F17E13BF
SHA-512:	870EC2752304F12F2F91BE688A34812AC1C75D444A0107284E3C45987639D8D07116EB98DB76931F9C8487666E1B2C163FC5743BBFC5A72F20F040670CDEB509
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...B..e.........." ...%.0..........P.....................................................`..........................................H.......I..d....p.......`..X...............,....C...............................A..@............@...............................text..../.......0.................. ..`.rdata.......@.......4..............@..@.data........P.......B..............@....pdata..X....`.......D..............@..@.rsrc........p.......H..............@..@.reloc..,............J..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_SHA224.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.86552932624144
Encrypted:	false
SSDEEP:	384:V1jwGPJHLvzcY1EEerju9LcTZ6RO3RouLKtcyDNOhwgjxo:XjwyJUYToZwOLuzDNU1j
MD5:	92587A131875FF7DC137AA6195B8BD81
SHA1:	2BA642DDC869AB329893795704BFE3F23C7B6ECB
SHA-256:	D2A9484134A65EFF74F0BDA9BB94E19C4964B6C323667D68B4F45BB8A7D499FC
SHA-512:	62823A0168B415045A093ACC67E98B5E33908380860B04AA0568B04F39DE957DA30F929459C766DC9782EFC3143DCD2F4950E3876669E680B6910C213300B565
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...F..e.........." ...%.8... ......P.....................................................`..........................................Z.......[..d............p..................,... T...............................R..@............P...............................text....6.......8.................. ..`.rdata.......P.......<..............@..@.data........`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..,............T..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_SHA256.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.867427817795374
Encrypted:	false
SSDEEP:	384:b1jwGPJHLxzcY1EEerju9LcTZ6RO3RouLKtcyDNWegjxo:ZjwyJOYToZwOLuzDNW7j
MD5:	B4E18C9A88A241FD5136FAF33FB9C96A
SHA1:	077AF274AA0336880391E2F38C873A72BFC1DE3B
SHA-256:	E50DB07E18CB84827B0D55C7183CF580FB809673BCAFBCEF60E83B4899F3AA74
SHA-512:	81A059115627025A7BBF8743B48031619C13A513446B0D035AA25037E03B6A544E013CAAEB139B1BE9BA7D0D8CF28A5E7D4CD1B8E17948830E75BDFBD6AF1653
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...D..e.........." ...%.8... ......P.....................................................`..........................................Z.......[..d............p..................,... T...............................R..@............P...............................text....6.......8.................. ..`.rdata.......P.......<..............@..@.data........`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..,............T..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_SHA384.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27136
Entropy (8bit):	5.860145427724178
Encrypted:	false
SSDEEP:	384:TFDL3RqE3MjjQ95UnLa+1WT1aA7qHofg5JptfISH2mDDFfgjVx2:xDLh98jjRe+1WT1aAeIfMzxH2mDDqj
MD5:	34A0AD8A0EB6AC1E86DC8629944448ED
SHA1:	EF54E4C92C123BE341567A0ACC17E4CEE7B9F7A8
SHA-256:	03E93C2DCC19C3A0CDD4E8EFCDE90C97F6A819DFECF1C96495FDC7A0735FAA97
SHA-512:	A38EDE4B46DC9EFA80DFB6E019379809DF78A671F782660CD778427482B0F5987FA80A42C26FB367604BAFCD4FD21ABD1C833DAF2D4AEA3A43877F54D6906E21
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...G..e.........." ...%.J..."......P.....................................................`......................................... l.......m..d...............................,....e...............................d..@............`...............................text...hH.......J.................. ..`.rdata..X....`.......N..............@..@.data................`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..,............h..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_SHA512.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27136
Entropy (8bit):	5.916758045478156
Encrypted:	false
SSDEEP:	384:LFYLXRqEnMgj969GUnLa+1WT1aA7qHofg5JptfIS320DXCElrgjhig:5YLB9Mgj0e+1WT1aAeIfMzx320DXR+j
MD5:	F028511CD5F2F925FD5A979152466CB4
SHA1:	38B8B44089B390E1F3AA952C950BDBE2CB69FBA5
SHA-256:	0FB591416CC9520C6D9C398E1EDF4B7DA412F80114F80628F84E9D4D37A64F69
SHA-512:	97C06A4DCEE7F05268D0A47F88424E28B063807FFBD94DABDCC3BF773AD933A549934916EB7339506624E97829AA5DC13321ADE31D528E8424FFDCF8C8407D4F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...I..e.........." ...%.J..."......P.....................................................`..........................................l.......m..d...............................,...@f...............................e..@............`...............................text....H.......J.................. ..`.rdata.......`.......N..............@..@.data................`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..,............h..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_ghash_clmul.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	5.0002940201841
Encrypted:	false
SSDEEP:	192:Dz/RF/1nb2mhQtk4axusjfkgZhoYDQmRjcqgQvEty:Dz/d2f64axnTTz5DTgQvEty
MD5:	87C1C89CEB6DF9F62A8F384474D27A4A
SHA1:	B0FC912A8DE5D9C18F603CD25AE3642185FFFBDD
SHA-256:	D2256A5F1D3DC6AE38B73EA2DB87735724D29CB400D00D74CF8D012E30903151
SHA-512:	C7DFB9C8E4F4AA984416BC84E829F0BB6CD87829C86BA259EE2A9BAB7C16B15362DB9EC87BF2ACED44A6BED7B1DE03DC9450665D083205B4CD4780DCF480DA01
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...b..b..b..R...b..Uc..b.Rc..b..c..b..Ug..b..Uf..b..Ua..b..j..b..b..b....b..`..b.Rich.b.................PE..d...K..e.........." ...%............P.....................................................`..........................................8......89..d....`.......P...............p..,....3...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......(..............@....pdata.......P.......*..............@..@.rsrc........`......................@..@.reloc..,....p.......0..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_ghash_portable.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.025717576776578
Encrypted:	false
SSDEEP:	192:FF/1nb2mhQtks0iiNqdF4mtPjD0HA5APYcqgYvEL2x:R2f6fFA/4GjDucgYvEL2x
MD5:	20702216CDA3F967DF5C71FCE8B9B36F
SHA1:	4D9A814EE2941A175BC41F21283899D05831B488
SHA-256:	3F73F9D59EB028B7F17815A088CEB59A66D6784FEEF42F2DA08DD07DF917DD86
SHA-512:	0802CF05DAD26E6C5575BBECB419AF6C66E48ED878F4E18E9CEC4F78D6358D751D41D1F0CCB86770A46510B993B70D2B320675422A6620CE9843E2E42193DCD8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...K..e.........." ...%............P.....................................................`..........................................8......h9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......*..............@....pdata..X....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..,....p.......2..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_keccak.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	5.235441330454107
Encrypted:	false
SSDEEP:	192:VTRgffnRaNfBj9xih1LPK73jm6AXiN4rSRIh42gD/gvrjcqgCieT3WQ:VafgNpj9cHW3jqXeBRamD4ZgCieT
MD5:	F065FFB04F6CB9CDB149F3C66BC00216
SHA1:	B2BC4AF8A3E06255BAB15D1A8CF4A577523B03B6
SHA-256:	E263D7E722EC5200E219D6C7D8B7C1B18F923E103C44A0B5485436F7B778B7BD
SHA-512:	93E583B10D0F2BBB1D5539FF4E943A65BC67F6DFC51E5F991481574F58757F4D49A87022E551069F6FC55D690F7B1412CF5DE7DD9BEE27FB826853CE9ACC2B40
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...J..e.........." ...%."... ......P.....................................................`.........................................`I......TJ..d....p.......`..p...............,....C...............................B..@............@...............................text...(!.......".................. ..`.rdata.......@.......&..............@..@.data........P.......6..............@....pdata..p....`.......8..............@..@.rsrc........p.......<..............@..@.reloc..,............>..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Hash\_poly1305.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.133851517560629
Encrypted:	false
SSDEEP:	192:zZNGXEgvUh43G6coX2SSwmPL4V7wTdDlDaY2cqgWjvE:mVMhuGGF2L4STdDEYWgWjvE
MD5:	213AAEC146F365D950014D7FFF381B06
SHA1:	66FCD49E5B2278CD670367A4AC6704A59AE82B50
SHA-256:	CAF315A9353B2306880A58ECC5A1710BFE3AA35CFEAD7CF0528CAEE4A0629EAD
SHA-512:	0880D7D2B2C936A4B85E6C2A127B3509B76DB4751A3D8A7BB903229CABC8DE7A7F52888D67C886F606E21400DFC51C215D1CF9C976EB558EA70975412840883A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...K..e.........." ...%..... ......P.....................................................`......................................... 9.......9..d....`.......P..\|............p..,....3...............................1..@............0...............................text...X........................... ..`.rdata..(....0......."..............@..@.data........@.......2..............@....pdata..\|....P.......4..............@..@.rsrc........`.......8..............@..@.reloc..,....p.......:..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Math\_modexp.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	35840
Entropy (8bit):	5.927928056434685
Encrypted:	false
SSDEEP:	768:KbEkzS7+k9rMUb8cOe9rs9ja+V/Mhxh56GS:KbEP779rMtcOCs0I/Mjf
MD5:	732938D696EB507AF4C37795A4F9FCEA
SHA1:	FD585EA8779C305ADBE3574BE95CFD06C9BBD01C
SHA-256:	1383269169AB4D2312C52BF944BD5BB80A36D378FD634D7C1B8C3E1FFC0F0A8C
SHA-512:	E4EBC5470F3D05D79B65BC2752A7FF40F5525CD0813BDDECCB1042EE2286B733EE172383186E89361A49CBE0B4B14F8B2CBC0F32E475101385C634120BB36676
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N4.\|.U./.U./.U./.-a/.U./....U./A-...U./.U./!U./....U./....U./....U./0....U./0....U./0../.U./0....U./Rich.U./................PE..d...S..e.........." ...%.^...0......`.....................................................`..........................................~..\|...\...d...............................,....s...............................q..@............p..(............................text...8].......^.................. ..`.rdata.......p.......b..............@..@.data................v..............@....pdata..............................@..@.rsrc...............................@..@.reloc..,...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Protocol\_scrypt.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.799297116284292
Encrypted:	false
SSDEEP:	192:UkCfXASTMeAk4OepIXcADpOX6RcqgO5vE:+JMcPepIXcADq63gO5vE
MD5:	9E7B28D6AB7280BBB386C93EF490A7C1
SHA1:	B088F65F3F6E2B7D07DDBE86C991CCD33535EF09
SHA-256:	F84667B64D9BE1BCC6A91650ABCEE53ADF1634C02A8A4A8A72D8A772432C31E4
SHA-512:	16A6510B403BF7D9ED76A654D8C7E6A0C489B5D856C231D12296C9746AC51CD372CC60CA2B710606613F7BC056A588C54EA24F9C0DA3020BBEA43E43CEEB9CA4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K............RQ.....U.....R............U......U......U..................=..........Rich...................PE..d...P..e.........." ...%............P.....................................................`..........................................8..d...$9..d....`.......P..4............p..,....3...............................1..@............0...............................text...x........................... ..`.rdata.......0......................@..@.data........@.......&..............@....pdata..4....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\PublicKey\_ec_ws.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	754688
Entropy (8bit):	7.6249603206444005
Encrypted:	false
SSDEEP:	12288:l1UrmZ9HoxJ8gf1266y8IXhJvCKAmqVLzcrZgYIMGv1iLD9yQvG6hM:XYmzHoxJFf1p34hcrn5Go9yQO6q
MD5:	102898D47B45548E7F7E5ECC1D2D1FAA
SHA1:	DDAE3A3BDD8B83AF42126245F6CB24DC2202BC04
SHA-256:	C9BF3CF5707793C6026BFF68F2681FAAD29E953ED891156163CD0B44A3628A92
SHA-512:	85A42FC08C91AFF50A9FF196D6FE8ABD99124557341B9809B62A639957B166C2A7EFEA0A042BE2D753464DF5908DF4F5FE01A91C239B744CD44A70B79EF81048
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&:..b[.Lb[.Lb[.Lk#sLd[.Lw$.M`[.L)#.Ma[.Lb[.LI[.Lw$.Mn[.Lw$.Mj[.Lw$.Ma[.LX..Mg[.LX..Mc[.LX..Lc[.LX..Mc[.LRichb[.L........................PE..d...R..e.........." ...%.n..........`.....................................................`..........................................p..d...tq..d...............0...............4...@Z...............................Y..@...............(............................text....l.......n.................. ..`.rdata...............r..............@..@.data................j..............@....pdata..0............r..............@..@.rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\PublicKey\_ed25519.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27648
Entropy (8bit):	5.792776923715812
Encrypted:	false
SSDEEP:	384:mBwi/rOF26VZW1n0n/Is42g9qhrnW0mvPauYhz35sWJftjb1Ddsla15gkbQ0e1:cL/g28Ufsxg9GmvPauYLxtX1D8kf
MD5:	717DA232A3A9F0B94AF936B30B59D739
SHA1:	F1B3676E708696585FBCB742B863C5BB913D923F
SHA-256:	B3FD73D54079903C0BE39BA605ED9BB58ECD1D683CCB8821D0C0CC795165B0C6
SHA-512:	7AF46035F9D4A5786ED3CE9F97AC33637C3428EF7183DED2AFD380265FAE6969BB057E3B5D57C990DD083A9DB2A67BEA668D4215E78244D83D7EE7E0A7B40143
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..........)......................................R......R......RE.....R.....Rich...........PE..d...R..e.........." ...%.F...(......P.....................................................`..........................................j..0....k..d...............................,...pc..............................0b..@............`...............................text...xD.......F.................. ..`.rdata.."....`.......J..............@..@.data................\..............@....pdata...............d..............@..@.rsrc................h..............@..@.reloc..,............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\PublicKey\_ed448.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67072
Entropy (8bit):	6.060435635420756
Encrypted:	false
SSDEEP:	1536:YqctkGACFI5t35q2JbL0UbkrwwOoKXyMH1B7M9rMdccdWxROpq:YqctkGACFI5t35q2JbgrwwOoqLTM9rMq
MD5:	ADF96805C070920EA90D9AB4D1E35807
SHA1:	D8FA8E29D9CDCD678DC03DA527EAF2F0C3BEF21A
SHA-256:	A36B1EDC104136E12EB6F28BD9366D30FFCEC0434684DC139314723E9C549FB7
SHA-512:	FB67C1F86CF46A63DF210061D16418589CD0341A6AA75AB49F24F99AD3CFF874BB02664706B9E2C81B7EF7300AF5BB806C412B4F069D22B72F7D9EBFFF66FE61
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N4.\|.U./.U./.U./.-a/.U./....U./A-...U./.U./!U./....U./....U./....U./0....U./0....U./0../.U./0....U./Rich.U./................PE..d...S..e.........." ...%.....8......`........................................@............`.........................................`...h.......d.... .......................0..,.......................................@............................................text............................... ..`.rdata..*...........................@..@.data...............................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..,....0......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\PublicKey\_x25519.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.488514144301916
Encrypted:	false
SSDEEP:	96:IpVVdJvbrqTu6ZdpvY0IluLfcC75JiC4cs89EfqADBhDTAbcX6gn/7EC:uVddiT7pgTctdErDDDTicqgn/7
MD5:	148E1600E9CBAF6702D62D023CAC60BC
SHA1:	4CDD8445408C4165B6E029B9966C71BC45E634A2
SHA-256:	1461AAFD4B9DC270128C89C3EB5358794C77693BB943DC7FC42AA3BB0FC52B16
SHA-512:	53155DA3FD754AF0BC30E2A51F0B579B8A83A772025CE0B4AFD01A31B8A40F46533FDA9CC3D0D32E9480DBBD7DD4A28F9DAAC11A370B0435E5E74666ACF9181C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.h.r.h.r.h.{...p.h.g.i.p.h.9.i.q.h.r.i.V.h.g.m.y.h.g.l.z.h.g.k.q.h.H.`.s.h.H.h.s.h.H...s.h.H.j.s.h.Richr.h.........................PE..d...R..e.........." ...%............P........................................p............`..........................................'..P...0(..P....P.......@...............`..,...P#..............................."..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Util\_cpuid_c.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.731194408014124
Encrypted:	false
SSDEEP:	96:lJVVdJvbrqTu6ZdpvY0IluLfcC75JiCKs89EVAElIijKDQGybMZYJWJcX6gbW6s:JVddiT7pgTctEEaEDKDuMCWJcqgbW6
MD5:	1547F8CB860AB6EA92B85D4C1B0209A1
SHA1:	C5AE217DEE073AC3D23C3BF72EE26D4C7515BD88
SHA-256:	1D2F3E627551753E58ED9A85F8D23716F03B51D8FB5394C4108EB1DC90DC9185
SHA-512:	40F0B46EE837E4568089D37709EF543A987411A17BDBAE93D8BA9F87804FB34DCA459A797629F34A5B3789B4D89BD46371AC4F00DDFE5D6B521DEA8DC2375115
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.`.r.`.r.`.{...p.`.g.a.p.`.9.a.q.`.r.a.Q.`.g.e.y.`.g.d.z.`.g.c.q.`.H.h.s.`.H.`.s.`.H...s.`.H.b.s.`.Richr.`.................PE..d...N..e.........." ...%............P........................................p............`..........................................'..\|....'..P....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..,....`.......&..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Cryptodome\Util\_strxor.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.686131723746002
Encrypted:	false
SSDEEP:	96:EiZVVdJvbrqTu6ZdpvY0IluLfcC75JiCKs89EMz3DmWMoG4BcX6gbW6O:HVddiT7pgTctEEO3DcoHcqgbW6
MD5:	16F42DE194AAEFB2E3CDEE7FA63D2401
SHA1:	BE2AB72A90E0342457A9D13BE5B6B1984875EDEA
SHA-256:	61E23970B6CED494E11DC9DE9CB889C70B7FF7A5AFE5242BA8B29AA3DA7BC60E
SHA-512:	A671EA77BC8CA75AEDB26B73293B51B780E26D6B8046FE1B85AE12BC9CC8F1D2062F74DE79040AD44D259172F99781C7E774FE40768DC0A328BD82A48BF81489
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.`.r.`.r.`.{...p.`.g.a.p.`.9.a.q.`.r.a.Q.`.g.e.y.`.g.d.z.`.g.c.q.`.H.h.s.`.H.`.s.`.H...s.`.H.b.s.`.Richr.`.................PE..d...P..e.........." ...%............P........................................p............`.........................................`'..t....'..P....P.......@...............`..,...."...............................!..@............ ...............................text...x........................... ..`.rdata....... ......................@..@.data...8....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..,....`.......&..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Pythonwin\mfc140u.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5653536
Entropy (8bit):	6.729079283804055
Encrypted:	false
SSDEEP:	49152:ULnsrdZXUTQyJa9qgUUjlQNXkW8GCBTDgHsYogTYn3s3pQMqSj+vTCfEs7ATWYls:UoJUEUYS3zUQFLOAkGkzdnEVomFHKnP+
MD5:	CD1D99DF975EE5395174DF834E82B256
SHA1:	F395ADA2EFC6433B34D5FBC5948CB47C7073FA43
SHA-256:	D8CA1DEA862085F0204680230D29BFF4D168FFF675AB4700EEAF63704D995CB3
SHA-512:	397F725E79CA2C68799CF68DFB111A1570427F3D2175D740758C387BDAA508BC9014613E997B92FC96E884F66BB17F453F8AA035731AFD022D9A4E7095616F87
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q.cu...&...&...&...'...&...'...&...'...&..&...&G..'...&G..'...&...'...&...&..&G..'...&G..'...&G..'...&G..'...&G..&...&G..'...&Rich...&................PE..d...9.:e.........." .....(-..X)......X,.......................................V.....&~V...`A..........................................:.....h.;.......?......`=..8....V. (...PU.0p..P.5.T...........................`...8............@-.P...(.:......................text....&-......(-................. ..`.rdata.......@-......,-.............@..@.data....6... <.......<.............@....pdata...8...`=..:....<.............@..@.didat..H.....?.......?.............@....rsrc.........?.......?.............@..@.reloc..0p...PU..r....T.............@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\Pythonwin\win32ui.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1143296
Entropy (8bit):	6.0410832425584795
Encrypted:	false
SSDEEP:	12288:dk6co2gGIs7ZetrV6LMEsKK+Onc8fUqzFVVppS6yZAXz:dkG2QQetrgsK79qzFHL
MD5:	F0116137D0674482247D056642DC06BF
SHA1:	5BB63FCF5E569D94B61383D1921F758BCC48EF81
SHA-256:	8ECA3ED313003D3F3DEE1B7A5CE90B50E8477EC6E986E590E5ED91C919FC7564
SHA-512:	A8D6420C491766302C615E38DAF5D9B1698E5765125FD256530508E5C0A5675A7BF2F338A22368E0B4DDFA507D8D377507376C477CF9B829E28F3C399203CDE6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*.K.K...K...K...3]..K..Y>...K.......K...3...K...>...K...>...K...>...K...K...M...>...K..Y>...K..Y>...K..Y>1..K..Y>...K..Rich.K..........................PE..d......g.........." .........r......4.....................................................`.........................................`....T..hr..h...............................l\......T.......................(.......8................0...........................text............................... ..`.rdata..\|...........................@..@.data...............................@....pdata...............d..............@..@.rsrc...............................@..@.reloc..l\.......^..................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	109392
Entropy (8bit):	6.641929675972235
Encrypted:	false
SSDEEP:	1536:GcghbEGyzXJZDWnEzWG9q4lVOiVgXjO5/woecbq8qZHg2zuCS+zuecL:GV3iC0h9q4v6XjKwoecbq8qBTq+1cL
MD5:	4585A96CC4EEF6AAFD5E27EA09147DC6
SHA1:	489CFFF1B19ABBEC98FDA26AC8958005E88DD0CB
SHA-256:	A8F950B4357EC12CFCCDDC9094CCA56A3D5244B95E09EA6E9A746489F2D58736
SHA-512:	D78260C66331FE3029D2CC1B41A5D002EC651F2E3BBF55076D65839B5E3C6297955AFD4D9AB8951FBDC9F929DBC65EB18B14B59BCE1F2994318564EB4920F286
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........u...u...u.E.t...u.....u...t...u..v...u..q...u..p...u..u...u......u..w...u.Rich..u.........PE..d..._#;..........." ...".....`......................................................=.....`A........................................`C..4....K...............p.......\..PO...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......D..............@....pdata.......p.......H..............@..@_RDATA..\............T..............@..@.rsrc................V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\VCRUNTIME140_1.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49520
Entropy (8bit):	6.65700274508223
Encrypted:	false
SSDEEP:	768:YEgYXUcHJcUJSDW/tfxL1qBSHGm6Ub/I2Hi09z0XQKBcRmuU9zuKl:YvGS8fZ1esJwUpz0X3B+d8zuKl
MD5:	7E668AB8A78BD0118B94978D154C85BC
SHA1:	DBAC42A02A8D50639805174AFD21D45F3C56E3A0
SHA-256:	E4B533A94E02C574780E4B333FCF0889F65ED00D39E32C0FBBDA2116F185873F
SHA-512:	72BB41DB17256141B06E2EAEB8FC65AD4ABDB65E4B5F604C82B9E7E7F60050734137D602E0F853F1A38201515655B6982F2761EE0FA77C531AA58591C95F0032
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............L...L...L...M...L...M...L.FL...L...L...L...M...L...M...L...M...L...M...L..*L...L...M...LRich...L........................PE..d....J.$.........." ...".<...8.......A....................................................`A........................................0m.......m..x....................r..pO......D....c..p...........................pb..@............P..h............................text...0:.......<.................. ..`.rdata..."...P...$...@..............@..@.data................d..............@....pdata...............f..............@..@.rsrc................l..............@..@.reloc..D............p..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\_asyncio.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65304
Entropy (8bit):	6.186523609819811
Encrypted:	false
SSDEEP:	1536:k2icaMc907zrzE6+gTKnEzhIVOnZC7SyMx6:k2icrc4HE6+gTOEzhIVOn0j
MD5:	CEE78DC603D57CB2117E03B2C0813D84
SHA1:	095C98CA409E364B8755DC9CFD12E6791BF6E2B8
SHA-256:	6306BE660D87FFB2271DD5D783EE32E735A792556E0B5BD672DC0B1C206FDADC
SHA-512:	7258560AA557E3E211BB9580ADD604B5191C769594E17800B2793239DF45225A82CE440A6B9DCF3F2228ED84712912AFFE9BF0B70B16498489832DF2DEE33E7E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B:'T.[I..[I..[I..#...[I..'H..[I..'L..[I..'M..[I..'J..[I..&H..[I.M#H..[I..[H..[I..&D..[I..&I..[I..&...[I..&K..[I.Rich.[I.........PE..d......e.........." ...#.R..........`.....................................................`.............................................P...`...d......................../..........`w..T........................... v..@............p...............................text....P.......R.................. ..`.rdata..~J...p...L...V..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\_brotli.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	820736
Entropy (8bit):	6.056263694016779
Encrypted:	false
SSDEEP:	12288:cY0Uu7wLsglBv4i5DGAqXMAHhlyL82XTw05nmZfR7o:cp0NA1tAmZfR
MD5:	D9FC15CAF72E5D7F9A09B675E309F71D
SHA1:	CD2B2465C04C713BC58D1C5DE5F8A2E13F900234
SHA-256:	1FCD75B03673904D9471EC03C0EF26978D25135A2026020E679174BDEF976DCF
SHA-512:	84F705D52BD3E50AC412C8DE4086C18100EAC33E716954FBCB3519F4225BE1F4E1C3643D5A777C76F7112FAE30CE428E0CE4C05180A52842DACB1F5514460006
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ls...........u......q......u......q......q......q.....Yq...........Hp.....Hp.....Hp.....Hp.....Rich............................PE..d......d.........." ...#.@...H.......F....................................................`.........................................@c..`....c.......................................9..............................P8..@............P...............................text....?.......@.................. ..`.rdata.......P.......D..............@..@.data........p.......`..............@....pdata...............h..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84760
Entropy (8bit):	6.56801864004604
Encrypted:	false
SSDEEP:	1536:7/Uez7qlMjca6uPZLPYMPHn3m8bhztpIVCVC7SyhJDxhy:4ezGC4TM/3RbhhpIVCVCXpy
MD5:	28EDE9CE9484F078AC4E52592A8704C7
SHA1:	BCF8D6FE9F42A68563B6CE964BDC615C119992D0
SHA-256:	403E76FE18515A5EA3227CF5F919AA2F32AC3233853C9FB71627F2251C554D09
SHA-512:	8C372F9F6C4D27F7CA9028C6034C17DEB6E98CFEF690733465C1B44BD212F363625D9C768F8E0BD4C781DDDE34EE4316256203ED18FA709D120F56DF3CCA108B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w.l.3...3...3...:...9......1......0......>......;......7.......0...x...1...3...l.......;.......2.......2.......2...Rich3...................PE..d......e.........." ...#.....^..............................................P.......U....`.........................................p...H............0....... .. ......../...@..........T...........................p...@............................................text............................... ..`.rdata..L>.......@..................@..@.data...............................@....pdata.. .... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\_cffi_backend.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	178176
Entropy (8bit):	6.165902427203749
Encrypted:	false
SSDEEP:	3072:87aw5iwiVHprp0+/aSdXUONX9dAXS7qkSTLkKh23/qZl:87kBVHplaSdRj4LkSTLLhW/q
MD5:	739D352BD982ED3957D376A9237C9248
SHA1:	961CF42F0C1BB9D29D2F1985F68250DE9D83894D
SHA-256:	9AEE90CF7980C8FF694BB3FFE06C71F87EB6A613033F73E3174A732648D39980
SHA-512:	585A5143519ED9B38BB53F912CEA60C87F7CE8BA159A1011CF666F390C2E3CC149E0AC601B008E039A0A78EAF876D7A3F64FFF612F5DE04C822C6E214BC2EFDE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A:.#.[.p.[.p.[.p.#.p.[.p..q.[.p..zp.[.p..q.[.p..q.[.p..q.[.pN#.q.[.pj.q.[.p.[.p.[.pM.q.[.p.#.p.[.pM.q.[.pM.xp.[.pM.q.[.pRich.[.p................PE..d......f.........." ...).....B............................................... ............`.........................................PX..l....X.......................................?...............................=..@............................................text...X........................... ..`.rdata..............................@..@.data....].......0...j..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	123672
Entropy (8bit):	6.0601189161591
Encrypted:	false
SSDEEP:	3072:aS7u5LnIxdP3fPHW+QfLIrAYKpemW9IVLPjo:aSw+3FQfLIrIemW3
MD5:	22C4892CAF560A3EE28CF7F210711F9E
SHA1:	B30520FADD882B667ECEF3B4E5C05DC92E08B95A
SHA-256:	E28D4E46E5D10B5FDCF0292F91E8FD767E33473116247CD5D577E4554D7A4C0C
SHA-512:	EDB86B3694FFF0B05318DECF7FC42C20C348C1523892CCE7B89CC9C5AB62925261D4DD72D9F46C9B2BDA5AC1E6B53060B8701318B064A286E84F817813960B19
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.....................).....).....).....).....O...............W.......c.O.....O.....O.o...O.....Rich..........................PE..d......e.........." ...#............p\..............................................jh....`.........................................pP.......P.........................../..............T...........................`...@............................................text............................... ..`.rdata...l.......n..................@..@.data...$=...p...8...^..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	253720
Entropy (8bit):	6.551075270762715
Encrypted:	false
SSDEEP:	6144:cjz3B48pj9aOtoQdpJOsoTiSi9qWM53pLW1Atp6tQh7:i94uj9afQVrom0bUQh7
MD5:	BAAA9067639597E63B55794A757DDEFF
SHA1:	E8DD6B03EBEF0B0A709E6CCCFF0E9F33C5142304
SHA-256:	6CD52B65E11839F417B212BA5A39F182B0151A711EBC7629DC260B532391DB72
SHA-512:	7995C3B818764AD88DB82148EA0CE560A0BBE9594CA333671B4C5E5C949F5932210EDBD63D4A0E0DC2DAF24737B99318E3D5DAAEE32A5478399A6AA1B9EE3719
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@.R.!...!...!...Y=..!..+]...!..+]...!..+]...!..+]...!..M\...!...Y...!...!...!..M\...!..M\...!..M\...!..M\Q..!..M\...!..Rich.!..........PE..d......e.........." ...#.x...<......<...............................................:.....`......................................... T..P...pT..................$'......./......P.......T...........................P...@............................................text....v.......x.................. ..`.rdata..l............\|..............@..@.data....*...p...$...T..............@....pdata..$'.......(...x..............@..@.rsrc...............................@..@.reloc..P...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65304
Entropy (8bit):	6.2555709687934655
Encrypted:	false
SSDEEP:	1536:jfKlbLgy209/MkZy6n23JZlnvy7OjZophIVOIi7SyMrxZR1:7Khgy+XZla7OjSphIVOIiKR1
MD5:	C888ECC8298C36D498FF8919CEBDB4E6
SHA1:	F904E1832B9D9614FA1B8F23853B3E8C878D649D
SHA-256:	21D59958E2AD1B944C4811A71E88DE08C05C5CA07945192AB93DA5065FAC8926
SHA-512:	7161065608F34D6DE32F2C70B7485C4EE38CD3A41EF68A1BEACEE78E4C5B525D0C1347F148862CF59ABD9A4AD0026C2C2939736F4FC4C93E6393B3B53AA7C377
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(t..F'..F'..F'..'..F'u.G&..F'u.C&..F'u.B&..F'u.E&..F'..G&..F'..G&..F'..G'B.F'..K&..F'..F&..F'...'..F'..D&..F'Rich..F'................PE..d......e.........." ...#.T...~......@@..............................................H.....`............................................P... ............................/......X...P}..T............................\|..@............p..0............................text....S.......T.................. ..`.rdata...O...p...P...X..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..X...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	159000
Entropy (8bit):	6.849076584495919
Encrypted:	false
SSDEEP:	3072:cNltLBrdV/REWa/g7Lznf49mNoiUMApqlpIVZ1SXW:cNltPpREgAYOicMI
MD5:	D386B7C4DCF589E026ABFC7196CF1C4C
SHA1:	C07CE47CE0E69D233C5BDD0BCAC507057D04B2D4
SHA-256:	AD0440CA6998E18F5CC917D088AF3FEA2C0FF0FEBCE2B5E2B6C0F1370F6E87B1
SHA-512:	78D79E2379761B054DF1F9FD8C5B7DE5C16B99AF2D2DE16A3D0AC5CB3F0BD522257579A49E91218B972A273DB4981F046609FDCF2F31CF074724D544DAC7D6C8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........T"#.5Lp.5Lp.5Lp.M.p.5Lp.IMq.5Lp.IIq.5Lp.IHq.5Lp.IOq.5LpnHMq.5Lp.MMq.5Lp.5Mp.5LpnHAq.5LpnHLq.5LpnH.p.5LpnHNq.5LpRich.5Lp................PE..d......e.........." ...#.b...........5....................................................`..........................................%..L...\%..x....p.......P.......>.../......8.......T...........................p...@............................................text...na.......b.................. ..`.rdata..............f..............@..@.data........@......................@....pdata.......P......................@..@.rsrc........p.......2..............@..@.reloc..8............<..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\_multiprocessing.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	34584
Entropy (8bit):	6.408696570061904
Encrypted:	false
SSDEEP:	768:n7I6Rwcl5w5zu8TdywGnJjRIVWtTk5YiSyvE+OAMxkEO:7Ikl5kzu8TdywGJjRIVWtTu7Sy18xK
MD5:	622A0E73779C88FC430B69CAF4A39789
SHA1:	F6536137E4E2CD8EC181F09B7DBA5E2E4D03B392
SHA-256:	EDFA9EE414F41448F8FFABB79F3BB8DB5C25E1CFD28FACF88EB5FE2D1E1D7551
SHA-512:	FD8D6DB53B630821845DFE22B09C4335565F848A421AF271797EFE272BAAA1EF887D735D4D5CD7D1258F2DD8F523327A67C071F7D16FC1BF53ACA39BAE41DFF2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-*.yCy.yCy.yCy...y.yCy'.Bx.yCy'.Fx.yCy'.Gx.yCy'.@x.yCyA.Bx.yCy.yBy.yCy..Bx.yCyA.Nx.yCyA.Cx.yCyA..y.yCyA.Ax.yCyRich.yCy................PE..d......e.........." ...#.....<......0...............................................E.....`.........................................0D..`....D..x....p.......`.......X.../...........4..T...........................p3..@............0...............................text............................... ..`.rdata..^....0... ..."..............@..@.data........P.......B..............@....pdata.......`.......H..............@..@.rsrc........p.......L..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\_overlapped.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	50968
Entropy (8bit):	6.434106091606417
Encrypted:	false
SSDEEP:	768:R1FMCcP4W9vqJKRJs2lNXSkCirb1IVXtW5YiSyvw5AMxkEfEk:R1FMaJKWkCg1IVXts7Sy4hxjEk
MD5:	D3BE208DC5388225162B6F88FF1D4386
SHA1:	8EFFDB606B6771D5FDF83145DE0F289E8AD83B69
SHA-256:	CE48969EBEBDC620F4313EBA2A6B6CDA568B663C09D5478FA93826D401ABE674
SHA-512:	9E1C3B37E51616687EECF1F7B945003F6EB4291D8794FEA5545B4A84C636007EB781C18F6436039DF02A902223AC73EFAC9B2E44DDC8594DB62FEB9997475DA3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}!{..O(..O(..O(.d.(..O(W`N)..O(W`J)..O(W`K)..O(W`L)..O(1aN)..O(..N(..O(.dN)..O(.dK)..O(1aB)..O(1aO)..O(1a.(..O(1aM)..O(Rich..O(................PE..d......e.........." ...#.B...X.......................................................N....`.........................................0...X................................/......,....f..T...........................Pe..@............`...............................text...fA.......B.................. ..`.rdata..$5...`...6...F..............@..@.data................\|..............@....pdata..............................@..@.rsrc...............................@..@.reloc..,...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32536
Entropy (8bit):	6.447318282610391
Encrypted:	false
SSDEEP:	768:P0+yFg6rXtUmxU99IVQUT5YiSyvyxAMxkE44:c+wRXiWU99IVQUd7Sy+xE4
MD5:	50842CE7FCB1950B672D8A31C892A5D1
SHA1:	D84C69FA2110B860DA71785D1DBE868BD1A8320F
SHA-256:	06C36EC0749D041E6957C3CD7D2D510628B6ABE28CEE8C9728412D9CE196A8A2
SHA-512:	C1E686C112B55AB0A5E639399BD6C1D7ADFE6AEDC847F07C708BEE9F6F2876A1D8F41EDE9D5E5A88AC8A9FBB9F1029A93A83D1126619874E33D09C5A5E45A50D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B:WX.[9..[9..[9..#...[9..'8..[9..'<..[9..'=..[9..':..[9..&8..[9.M#8..[9..[8.L[9..&4..[9..&9..[9..&...[9..&;..[9.Rich.[9.........PE..d......e.........." ...#.....8......................................................(F....`..........................................C..L....C..d....p.......`.......P.../..........p4..T...........................03..@............0..0............................text............................... ..`.rdata..R....0......................@..@.data...x....P.......<..............@....pdata.......`.......@..............@..@.rsrc........p.......D..............@..@.reloc...............N..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	79640
Entropy (8bit):	6.28999572337647
Encrypted:	false
SSDEEP:	1536:YJlhpHrTT9r3ujE9/s+S+pzpCoiTFVf7p9IVLwg7SyLxU:Y7hpL13ujE9/sT+pz4oYFVTp9IVLwgo
MD5:	2C0EC225E35A0377AC1D0777631BFFE4
SHA1:	7E5D81A06FF8317AF52284AEDCCAC6EBACE5C390
SHA-256:	301C47C4016DAC27811F04F4D7232F24852EF7675E9A4500F0601703ED8F06AF
SHA-512:	AEA9D34D9E93622B01E702DEFD437D397F0E7642BC5F9829754D59860B345BBDE2DD6D7FE21CC1D0397FF0A9DB4ECFE7C38B649D33C5C6F0EAD233CB201A73E0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f.+.".E.".E.".E.+...$.E...D. .E...@./.E...A.*.E...F.!.E...D. .E.".D...E.i.D.%.E...H.#.E...E.#.E....#.E...G.#.E.Rich".E.........................PE..d......e.........." ...#.l...........%.......................................P............`.............................................P............0....... ..x......../...@..........T...............................@............................................text...6k.......l.................. ..`.rdata...t.......v...p..............@..@.data...............................@....pdata..x.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\_sqlite3.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120088
Entropy (8bit):	6.2579260754206505
Encrypted:	false
SSDEEP:	3072:vvtiqaiN2oSNMAwwi3CLl147ZvV9NdrRvdO5yFAuaUVMJF8MYRnchIVOQ1B:HJaiN2oSNVDD5FJFr2
MD5:	A70731AE2CA44B7292623AE8B0281549
SHA1:	9E086C0753BB43E2876C33C4872E71808932A744
SHA-256:	55344349F9199AEDAD1737A0311CBE2C3A4BF9494B76982520BACAD90F463C1B
SHA-512:	8334104DF9837D32946965290BBC46BA0A0ADA17BD2D03FC63380979F5FC86B26BE245636718B4304DFD0D85A5B3F7170614F148E5C965CC5ADF59D34465F7F1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........`.g...g...g.......g.......g.....g.......g.......g.......g..q....g.......g...g...f..q....g..q....g..q..g..q....g..Rich.g..........................PE..d......e.........." ...#............................................................ G....`..........................................Z..P....Z.........................../..............T...........................p...@............................................text............................... ..`.rdata..l...........................@..@.data................n..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	176920
Entropy (8bit):	5.955624236034285
Encrypted:	false
SSDEEP:	3072:pjIQQSFBfL+SiSVWuXa6XzfBJ9d41Olh59YL48PMrN/WgAlNcLpIVC72a:CSFNL3LJa6Xzj4BLcLP
MD5:	66E78727C2DA15FD2AAC56571CD57147
SHA1:	E93C9A5E61DB000DEE0D921F55F8507539D2DF3D
SHA-256:	4727B60962EFACFD742DCA21341A884160CF9FCF499B9AFA3D9FDBCC93FB75D0
SHA-512:	A6881F9F5827ACEB51957AAED4C53B69FCF836F60B9FC66EEB2ED84AED08437A9F0B35EA038D4B1E3C539E350D9D343F8A6782B017B10A2A5157649ABBCA9F9A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U.+.4.x.4.x.4.x.L)x.4.x.H.y.4.x.H.y.4.x.H.y.4.x.H.y.4.xiI.y.4.x.4.x>5.x.L.y.4.xiI.y.4.xiI.y.4.xiIEx.4.xiI.y.4.xRich.4.x................PE..d......e.........." ...#............l+...............................................!....`.........................................0...d................................/......\|...P...T...............................@............................................text............................... ..`.rdata...".......$..................@..@.data...............................@....pdata...............\..............@..@.rsrc................h..............@..@.reloc..\|............r..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\_uuid.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25368
Entropy (8bit):	6.628339287223099
Encrypted:	false
SSDEEP:	384:lCfwFpEWjfivQpIVZwobHQIYiSy1pCQFjzuAM+o/8E9VF0NySoJ:4qpEI4QpIVZwg5YiSyvgAMxkE7
MD5:	3A09B6DB7E4D6FF0F74C292649E4BA96
SHA1:	1A515F98946A4DCCC50579CBCEDF959017F3A23C
SHA-256:	FC09E40E569F472DD4BA2EA93DA48220A6B0387EC62BB0F41F13EF8FAB215413
SHA-512:	8D5EA9F7EEE3D75F0673CC7821A94C50F753299128F3D623E7A9C262788C91C267827C859C5D46314A42310C27699AF5CDFC6F7821DD38BF03C0B35873D9730F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<p.R#.R#.R#...#.R#i.S".R#i.W".R#i.V".R#i.Q".R#..S".R#..S".R#.S#..R#..Z".R#..R".R#...#.R#..P".R#Rich.R#........................PE..d......e.........." ...#.....&...... ........................................p............`.........................................`)..L....)..x....P.......@.......4.../...`..@...`#..T........................... "..@............ ..8............................text...h........................... ..`.rdata....... ......................@..@.data........0.......$..............@....pdata.......@.......&..............@..@.rsrc........P.......(..............@..@.reloc..@....`.......2..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\aiohttp\_helpers.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	51712
Entropy (8bit):	5.719745861304906
Encrypted:	false
SSDEEP:	768:V1yQoUZM+e7B244LM1/sGFNUgOclIgD0iEXSmHN9D7KSDq/dFGlaKb+DzH:VloBBN4LM1/9FeiIyEXX9XKSEFAb+n
MD5:	ADD987AEC610B3D921DECBEF60E0DE8D
SHA1:	2763D5D3ACF58BC751323310F1F46ABCBC093C82
SHA-256:	AD5F49D13DDEA57319E9D404E8947B5207239D07D94332DFE601331A70A8D5EB
SHA-512:	D460AEA5256DE208CC0D13D59D05E809B3F5FD88C34731C776498113DA45B6FD732F00CC1C6E02B2F43992CBCD04598E48AEE140CA1C1E7FFDD3E8FF18238020
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........[.k...k...k....?..k......k.......k......k......k......k......k...k..Rk......k......k....S..k......k..Rich.k..........................PE..d..."B.g.........." ...).z...T.......\|....................................... ............`.............................................`.......d...................................................................P...@............................................text...8y.......z.................. ..`.rdata...6.......6...~..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\aiohttp\_http_parser.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	266240
Entropy (8bit):	6.171612984848152
Encrypted:	false
SSDEEP:	3072:BVuE3CWclftO4A1tgB9eIGnbQN4NFguNli5XURla2yBi2/1VDZoUyGRqpu:DV31clftOft+uNlQ/5isnKp
MD5:	57ABDBFC3F2020177909E20984032DD5
SHA1:	B814A1E284BF330F3387AFE0F1DC2CCF2B9B8016
SHA-256:	3A143C933FADD1A1A60A65BDD37858EA11D47A074F9A7934933B13C01B7C3B8B
SHA-512:	5CA9B1903E8AA7EA244A6807AC8107AD651AA6B16C444D420E9200D689D2A9FA9DAAC25BF937DEB9214CC0DD550E6F9231B4E8551AA0DC38D265A87B7DAE582E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B,6..MXY.MXY.MXY.5.Y.MXY..YX.MXYM5YX.MXYi.YX.MXY.MYY.MXY..[X.MXY..\X.MXY..]X.MXYN.PX.MXYN.XX.MXYN.Y.MXYN.ZX.MXYRich.MXY................PE..d..."B.g.........." ...).0...........1....................................................`.........................................p.......D...x....`.......@..0............p..\......................................@............@...............................text...X........0.................. ..`.rdata.."....@.......4..............@..@.data....F..........................@....pdata..0....@......................@..@.rsrc........`......................@..@.reloc..\....p......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\aiohttp\_http_writer.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	5.734133802541209
Encrypted:	false
SSDEEP:	768:RuIpuGiOh9LHHQ2leaWYk/glLh2u+yBlhlr9iLr2F+HGlj55D2n8Ic:RuTGiK8a8Yl9z+yf9iH2F+H65B2n8Ic
MD5:	C5036E8B04879173F5E530F7B11C65BA
SHA1:	1F17B7551020575943B92058CC493B0C1A35D32C
SHA-256:	8D12BDD47DBABC836930A663A5149C4F2D2B9AE082F954EE26FE66D501FEBFE9
SHA-512:	07588B3E311ED1AEBD5BE0D96388FE180FED4629FE08EBCA4E86802B8AF3DAED603EABDB5AA427C2E5E80E384C5B3D859B0AC4438BD2A278E949DE6CE2FCE44B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N..T.l...l...l....?..l......l..A....l......l......l......l..e...l...l...l..B...l..B...l..B.S..l..B...l..Rich.l..................PE..d...#B.g.........." ...).v...........x.......................................P............`.........................................p...h......d....0....... ..$............@......................................@...@...............X............................text...(u.......v.................. ..`.rdata...0.......2...z..............@..@.data...(N..........................@....pdata..$.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\aiohttp\_websocket.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	5.595737924373698
Encrypted:	false
SSDEEP:	768:NTQTXEebmg5xAVNTTYMlam/Je5JAZ6cXu9lEQ/Yv8:hSP5KVV0MgF8G3/Yv
MD5:	EC9E2D8CC7966CACAC49DA5409BB72F7
SHA1:	EB0F500F21B7134EBC833CED27DF1450DB9EA241
SHA-256:	23391519E1BF052D4832ADA81BCA088C2B8BCE582F0EB3535109B524A2891E10
SHA-512:	FAA4A03CF4B0E7EB18412594F5199E57624099D4F53789BCD87CF2572F8F94636FADB8E99E3DEABBA57B2AB91427CDC7E239CF9D137D4EE3B31F6423E166F65B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........[.k...k...k....?..k......k.......k......k......k......k......k...k..rk......k......k....S..k......k..Rich.k..........................PE..d....B.g.........." ...).N...D...... P....................................................`..........................................\|..d...t\|..d...............4...................@s...............................r..@............`...............................text...xL.......N.................. ..`.rdata..:+...`...,...R..............@..@.data................~..............@....pdata..4...........................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-console-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22112
Entropy (8bit):	4.744270711412692
Encrypted:	false
SSDEEP:	192:zFOhcWqhWpvWEXCVWQ4iWwklRxwVIX01k9z3AROVaz4ILS:zFlWqhWpk6R9zeU0J2
MD5:	E8B9D74BFD1F6D1CC1D99B24F44DA796
SHA1:	A312CFC6A7ED7BF1B786E5B3FD842A7EEB683452
SHA-256:	B1B3FD40AB437A43C8DB4994CCFFC7F88000CC8BB6E34A2BCBFF8E2464930C59
SHA-512:	B74D9B12B69DB81A96FC5A001FD88C1E62EE8299BA435E242C5CB2CE446740ED3D8A623E1924C2BC07BFD9AEF7B2577C9EC8264E53E5BE625F4379119BAFCC27
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....dZ..........." .........0...............................................@............`A........................................p...,............0...............0..`&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-datetime-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.602255667966723
Encrypted:	false
SSDEEP:	192:NWqhWEWEXCVWQ4cRWvBQrVXC4dlgX01k9z3AUj7W6SxtR:NWqhWPlZVXC4deR9zVj7QR
MD5:	CFE0C1DFDE224EA5FED9BD5FF778A6E0
SHA1:	5150E7EDD1293E29D2E4D6BB68067374B8A07CE6
SHA-256:	0D0F80CBF476AF5B1C9FD3775E086ED0DFDB510CD0CC208EC1CCB04572396E3E
SHA-512:	B0E02E1F19CFA7DE3693D4D63E404BDB9D15527AC85A6D492DB1128BB695BFFD11BEC33D32F317A7615CB9A820CD14F9F8B182469D65AF2430FFCDBAD4BD7000
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....N7.........." .........0...............................................@............`A........................................p................0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-debug-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.606873381830854
Encrypted:	false
SSDEEP:	192:T0WqhWnWEXCVWQ4mW5ocADB6ZX01k9z3AkprGvV:T0WqhW8VcTR9zJpr4V
MD5:	33BBECE432F8DA57F17BF2E396EBAA58
SHA1:	890DF2DDDFDF3EECCC698312D32407F3E2EC7EB1
SHA-256:	7CF0944901F7F7E0D0B9AD62753FC2FE380461B1CCE8CDC7E9C9867C980E3B0E
SHA-512:	619B684E83546D97FC1D1BC7181AD09C083E880629726EE3AF138A9E4791A6DCF675A8DF65DC20EDBE6465B5F4EAC92A64265DF37E53A5F34F6BE93A5C2A7AE5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....IL..........." .........0...............................................@...........`A........................................p................0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-errorhandling-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.65169290018864
Encrypted:	false
SSDEEP:	192:qzmxD3T4qLWqhW2WJWadJCsVWQ4mW/xNVAv+cQ0GX01k9z3ARoanSwT44:qzQVWqhWTCsiNbZR9zQoUSwTJ
MD5:	EB0978A9213E7F6FDD63B2967F02D999
SHA1:	9833F4134F7AC4766991C918AECE900ACFBF969F
SHA-256:	AB25A1FE836FC68BCB199F1FE565C27D26AF0C390A38DA158E0D8815EFE1103E
SHA-512:	6F268148F959693EE213DB7D3DB136B8E3AD1F80267D8CBD7D5429C021ADACCC9C14424C09D527E181B9C9B5EA41765AFF568B9630E4EB83BFC532E56DFE5B63
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d................." .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..H...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-file-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26216
Entropy (8bit):	4.866487428274293
Encrypted:	false
SSDEEP:	192:gaNYPvVX8rFTsCWqhWVWEXCVWQ4mWPJlBLrp0KBQfX01k9z3ALkBw:WPvVX8WqhWiyBRxB+R9z2kBw
MD5:	EFAD0EE0136532E8E8402770A64C71F9
SHA1:	CDA3774FE9781400792D8605869F4E6B08153E55
SHA-256:	3D2C55902385381869DB850B526261DDEB4628B83E690A32B67D2E0936B2C6ED
SHA-512:	69D25EDF0F4C8AC5D77CB5815DFB53EAC7F403DC8D11BFE336A545C19A19FFDE1031FA59019507D119E4570DA0D79B95351EAC697F46024B4E558A0FF6349852
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....(............" .........@...............................................P......z.....`A........................................p................@...............@..h&..............p............................................................................rdata..\|........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-file-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.619913450163593
Encrypted:	false
SSDEEP:	192:iDGaWqhWhWJWadJCsVWQ4mWd9afKUSIX01k9z3AEXzAU9:i6aWqhWACs92IR9z5EU9
MD5:	1C58526D681EFE507DEB8F1935C75487
SHA1:	0E6D328FAF3563F2AAE029BC5F2272FB7A742672
SHA-256:	EF13DCE8F71173315DFC64AB839B033AB19A968EE15230E9D4D2C9D558EFEEE2
SHA-512:	8EDB9A0022F417648E2ECE9E22C96E2727976332025C3E7D8F15BCF6D7D97E680D1BF008EB28E2E0BD57787DCBB71D38B2DEB995B8EDC35FA6852AB1D593F3D1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....RS.........." .........0...............................................@......;.....`A........................................p...L............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-file-l2-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18696
Entropy (8bit):	7.054510010549814
Encrypted:	false
SSDEEP:	384:eVrW1hWbvm0GftpBjzH4m3S9gTlUK3dsl:eVuAViaB/6sl
MD5:	BFFFA7117FD9B1622C66D949BAC3F1D7
SHA1:	402B7B8F8DCFD321B1D12FC85A1EE5137A5569B2
SHA-256:	1EA267A2E6284F17DD548C6F2285E19F7EDB15D6E737A55391140CE5CB95225E
SHA-512:	B319CC7B436B1BE165CDF6FFCAB8A87FE29DE78F7E0B14C8F562BE160481FB5483289BD5956FDC1D8660DA7A3F86D8EEDE35C6CC2B7C3D4C852DECF4B2DCDB7F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d...4.F>.........." .........................................................0............`.........................................`................ ...................=..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-handle-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.625331165566263
Encrypted:	false
SSDEEP:	192:qzWqhWxWJWadJCsVWQ4mW8RJLNVAv+cQ0GX01k9z3ARo8ef3uBJu:qzWqhWwCsjNbZR9zQoEzu
MD5:	E89CDCD4D95CDA04E4ABBA8193A5B492
SHA1:	5C0AEE81F32D7F9EC9F0650239EE58880C9B0337
SHA-256:	1A489E0606484BD71A0D9CB37A1DC6CA8437777B3D67BFC8C0075D0CC59E6238
SHA-512:	55D01E68C8C899E99A3C62C2C36D6BCB1A66FF6ECD2636D2D0157409A1F53A84CE5D6F0C703D5ED47F8E9E2D1C9D2D87CC52585EE624A23D92183062C999B97E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....Hb..........." .........0...............................................@............`A........................................p...`............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.737397647066978
Encrypted:	false
SSDEEP:	192:OdxlZWqhWcWJWadJCsVWQ4mWlhtFyttuX01k9z3A2oD:OdxlZWqhWpCsctkSR9zfoD
MD5:	ACCC640D1B06FB8552FE02F823126FF5
SHA1:	82CCC763D62660BFA8B8A09E566120D469F6AB67
SHA-256:	332BA469AE84AA72EC8CCE2B33781DB1AB81A42ECE5863F7A3CB5A990059594F
SHA-512:	6382302FB7158FC9F2BE790811E5C459C5C441F8CAEE63DF1E09B203B8077A27E023C4C01957B252AC8AC288F8310BCEE5B4DCC1F7FC691458B90CDFAA36DCBE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....B.l.........." .........0...............................................@.......A....`A........................................p................0...............0..x&..............p............................................................................rdata..\|...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-interlocked-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.6569647133331316
Encrypted:	false
SSDEEP:	192:dwWqhWWWEXCVWQ4mWLnySfKUSIX01k9z3AEXz5SLaDa3:iWqhWJhY2IR9z5YLt3
MD5:	C6024CC04201312F7688A021D25B056D
SHA1:	48A1D01AE8BC90F889FB5F09C0D2A0602EE4B0FD
SHA-256:	8751D30DF554AF08EF42D2FAA0A71ABCF8C7D17CE9E9FF2EA68A4662603EC500
SHA-512:	D86C773416B332945ACBB95CBE90E16730EF8E16B7F3CCD459D7131485760C2F07E95951AEB47C1CF29DE76AFFEB1C21BDF6D8260845E32205FE8411ED5EFA47
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...}.o..........." .........0...............................................@......v.....`A........................................p................0...............0..h&..............p............................................................................rdata..L...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-libraryloader-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.882042129450427
Encrypted:	false
SSDEEP:	192:9TvuBL3BBLAWqhWUWEXCVWQ4iWgdCLVx6RMySX01k9z3AzaXQ+BB:9TvuBL3BaWqhW/WSMR9zqaP
MD5:	1F2A00E72BC8FA2BD887BDB651ED6DE5
SHA1:	04D92E41CE002251CC09C297CF2B38C4263709EA
SHA-256:	9C8A08A7D40B6F697A21054770F1AFA9FFB197F90EF1EEE77C67751DF28B7142
SHA-512:	8CF72DF019F9FC9CD22FF77C37A563652BECEE0708FF5C6F1DA87317F41037909E64DCBDCC43E890C5777E6BCFA4035A27AFC1AEEB0F5DEBA878E3E9AEF7B02A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....g..........." .........0...............................................@............`A........................................p................0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-localization-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	5.355894399765837
Encrypted:	false
SSDEEP:	384:0naOMw3zdp3bwjGzue9/0jCRrndbnWqhW5lFydVXC4deR9zVj7xR:FOMwBprwjGzue9/0jCRrndbtGydVXC4O
MD5:	724223109E49CB01D61D63A8BE926B8F
SHA1:	072A4D01E01DBBAB7281D9BD3ADD76F9A3C8B23B
SHA-256:	4E975F618DF01A492AE433DFF0DD713774D47568E44C377CEEF9E5B34AAD1210
SHA-512:	19B0065B894DC66C30A602C9464F118E7F84D83010E74457D48E93AACA4422812B093B15247B24D5C398B42EF0319108700543D13F156067B169CCFB4D7B6B7C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...0.&3.........." .........0...............................................@......L0....`A........................................p................0...............0..h&..............p............................................................................rdata..D...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-memory-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.771309314175772
Encrypted:	false
SSDEEP:	192:L0WqhWTWEXCVWQ4cRWdmjKDUX01k9z3AQyMX/7kn:L0WqhWol1pR9zzDY
MD5:	3C38AAC78B7CE7F94F4916372800E242
SHA1:	C793186BCF8FDB55A1B74568102B4E073F6971D6
SHA-256:	3F81A149BA3862776AF307D5C7FEEF978F258196F0A1BF909DA2D3F440FF954D
SHA-512:	C2746AA4342C6AFFFBD174819440E1BBF4371A7FED29738801C75B49E2F4F94FD6D013E002BAD2AADAFBC477171B8332C8C5579D624684EF1AFBFDE9384B8588
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...`.@f.........." .........0...............................................@......K.....`A........................................p...l............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-namedpipe-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.7115212149950185
Encrypted:	false
SSDEEP:	192:bWqhWUxWJWadJCsVWQ4mW5iFyttuX01k9z3A2EC:bWqhWUwCs8SR9zfEC
MD5:	321A3CA50E80795018D55A19BF799197
SHA1:	DF2D3C95FB4CBB298D255D342F204121D9D7EF7F
SHA-256:	5476DB3A4FECF532F96D48F9802C966FDEF98EC8D89978A79540CB4DB352C15F
SHA-512:	3EC20E1AC39A98CB5F726D8390C2EE3CD4CD0BF118FDDA7271F7604A4946D78778713B675D19DD3E1EC1D6D4D097ABE9CD6D0F76B3A7DFF53CE8D6DBC146870A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...j............" .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-processenvironment-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.893761152454321
Encrypted:	false
SSDEEP:	192:dEFP2WqhWVWEXCVWQ4mW68vx6RMySX01k9z3AzapOP:eF+WqhWi6gMR9zqa0
MD5:	0462E22F779295446CD0B63E61142CA5
SHA1:	616A325CD5B0971821571B880907CE1B181126AE
SHA-256:	0B6B598EC28A9E3D646F2BB37E1A57A3DDA069A55FBA86333727719585B1886E
SHA-512:	07B34DCA6B3078F7D1E8EDE5C639F697C71210DCF9F05212FD16EB181AB4AC62286BC4A7CE0D84832C17F5916D0224D1E8AAB210CEEFF811FC6724C8845A74FE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...L.Y..........." .........0...............................................@............`A........................................p...H............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-processthreads-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	5.231196901820079
Encrypted:	false
SSDEEP:	192:/Mck1JzX9cKSI0WqhWsWJWadJCsVWQ4mWClLeyttuX01k9z3A2XCJq:Uck1JzNcKSI0WqhWZCsvfSR9zfyk
MD5:	C3632083B312C184CBDD96551FED5519
SHA1:	A93E8E0AF42A144009727D2DECB337F963A9312E
SHA-256:	BE8D78978D81555554786E08CE474F6AF1DE96FCB7FA2F1CE4052BC80C6B2125
SHA-512:	8807C2444A044A3C02EF98CF56013285F07C4A1F7014200A21E20FCB995178BA835C30AC3889311E66BC61641D6226B1FF96331B019C83B6FCC7C87870CCE8C4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....O.j.........." .........0...............................................@......9&....`A........................................p................0...............0..x&..............p............................................................................rdata..d...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-processthreads-l1-1-1.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.799245167892134
Encrypted:	false
SSDEEP:	192:R0DfIeUWqhWLWJWadJCsVWQ4mWFVyttuX01k9z3A2YHmp:R0DfIeUWqhWiCsLSR9zfYHmp
MD5:	517EB9E2CB671AE49F99173D7F7CE43F
SHA1:	4CCF38FED56166DDBF0B7EFB4F5314C1F7D3B7AB
SHA-256:	57CC66BF0909C430364D35D92B64EB8B6A15DC201765403725FE323F39E8AC54
SHA-512:	492BE2445B10F6BFE6C561C1FC6F5D1AF6D1365B7449BC57A8F073B44AE49C88E66841F5C258B041547FCD33CBDCB4EB9DD3E24F0924DB32720E51651E9286BE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....#..........." .........0...............................................@.......,....`A........................................p................0...............0..x&..............p............................................................................rdata..\...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-profile-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.587063911311469
Encrypted:	false
SSDEEP:	192:fWqhWeWJWadJCsVWQ4mWMs7DENNVAv+cQ0GX01k9z3ARoIGA/:fWqhWbCs8oNbZR9zQoxS
MD5:	F3FF2D544F5CD9E66BFB8D170B661673
SHA1:	9E18107CFCD89F1BBB7FDAF65234C1DC8E614ADD
SHA-256:	E1C5D8984A674925FA4AFBFE58228BE5323FE5123ABCD17EC4160295875A625F
SHA-512:	184B09C77D079127580EF80EB34BDED0F5E874CEFBE1C5F851D86861E38967B995D859E8491FCC87508930DC06C6BBF02B649B3B489A1B138C51A7D4B4E7AAAD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d......e.........." .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..P...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-rtlsupport-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.754374422741657
Encrypted:	false
SSDEEP:	192:CGeVPWqhWUWJWadJCsVWQ4mWUhSqyttuX01k9z3A2lqn7cq:CGeVPWqhWBCsvoSR9zflBq
MD5:	A0C2DBE0F5E18D1ADD0D1BA22580893B
SHA1:	29624DF37151905467A223486500ED75617A1DFD
SHA-256:	3C29730DF2B28985A30D9C82092A1FAA0CEB7FFC1BD857D1EF6324CF5524802F
SHA-512:	3E627F111196009380D1687E024E6FFB1C0DCF4DCB27F8940F17FEC7EFDD8152FF365B43CB7FDB31DE300955D6C15E40A2C8FB6650A91706D7EA1C5D89319B12
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d......Z.........." .........0...............................................@............`A........................................p...<............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-string-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.664553499673792
Encrypted:	false
SSDEEP:	192:mZyMvr5WqhWAWJWadJCsVWQ4mWWqpNVAv+cQ0GX01k9z3ARo+GZ:mZyMvlWqhWNCsUpNbZR9zQo+GZ
MD5:	2666581584BA60D48716420A6080ABDA
SHA1:	C103F0EA32EBBC50F4C494BCE7595F2B721CB5AD
SHA-256:	27E9D3E7C8756E4512932D674A738BF4C2969F834D65B2B79C342A22F662F328
SHA-512:	BEFED15F11A0550D2859094CC15526B791DADEA12C2E7CEB35916983FB7A100D89D638FB1704975464302FAE1E1A37F36E01E4BEF5BC4924AB8F3FD41E60BD0C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....I..........." .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..l...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-synch-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	5.146069394118203
Encrypted:	false
SSDEEP:	384:vUwidv3V0dfpkXc0vVaCsWqhWjCsa2IR9z5Bk5l:sHdv3VqpkXc0vVaP+U9zzk5l
MD5:	225D9F80F669CE452CA35E47AF94893F
SHA1:	37BD0FFC8E820247BD4DB1C36C3B9F9F686BBD50
SHA-256:	61C0EBE60CE6EBABCB927DDFF837A9BF17E14CD4B4C762AB709E630576EC7232
SHA-512:	2F71A3471A9868F4D026C01E4258AFF7192872590F5E5C66AABD3C088644D28629BA8835F3A4A23825631004B1AFD440EFE7161BB9FC7D7C69E0EE204813CA7B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....x.........." .........0...............................................@.......J....`A........................................p...X............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-synch-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.834520503429805
Encrypted:	false
SSDEEP:	192:etZ3xWqhWqWJWadJCsVWQ4mWfH/fKUSIX01k9z3AEXz40OY:etZ3xWqhWHCsMH2IR9z5OY
MD5:	1281E9D1750431D2FE3B480A8175D45C
SHA1:	BC982D1C750B88DCB4410739E057A86FF02D07EF
SHA-256:	433BD8DDC4F79AEE65CA94A54286D75E7D92B019853A883E51C2B938D2469BAA
SHA-512:	A954E6CE76F1375A8BEAC51D751B575BBC0B0B8BA6AA793402B26404E45718165199C2C00CCBCBA3783C16BDD96F0B2C17ADDCC619C39C8031BECEBEF428CE77
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d................." .........0...............................................@.......w....`A........................................p...x............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-sysinfo-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.916367637528538
Encrypted:	false
SSDEEP:	192:qaIMFSYWqhWzWJWadJCsVWQ4mW14LyttuX01k9z3A2ClV:qdYWqhWqCsISR9zfCT
MD5:	FD46C3F6361E79B8616F56B22D935A53
SHA1:	107F488AD966633579D8EC5EB1919541F07532CE
SHA-256:	0DC92E8830BC84337DCAE19EF03A84EF5279CF7D4FDC2442C1BC25320369F9DF
SHA-512:	3360B2E2A25D545CCD969F305C4668C6CDA443BBDBD8A8356FFE9FBC2F70D90CF4540F2F28C9ED3EEA6C9074F94E69746E7705E6254827E6A4F158A75D81065B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...~.l-.........." .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-timezone-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.829681745003914
Encrypted:	false
SSDEEP:	192:HNpWqhW5WJWadJCsVWQ4mWbZyttuX01k9z3A2qkFU:HXWqhW4Cs1SR9zf9U
MD5:	D12403EE11359259BA2B0706E5E5111C
SHA1:	03CC7827A30FD1DEE38665C0CC993B4B533AC138
SHA-256:	F60E1751A6AC41F08E46480BF8E6521B41E2E427803996B32BDC5E78E9560781
SHA-512:	9004F4E59835AF57F02E8D9625814DB56F0E4A98467041DA6F1367EF32366AD96E0338D48FFF7CC65839A24148E2D9989883BCDDC329D9F4D27CAE3F843117D0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...>.os.........." .........0...............................................@............`A........................................p...H............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-core-util-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.612408827336625
Encrypted:	false
SSDEEP:	192:CWqhW+WJWadJCsVWQ4mWprgfKUSIX01k9z3AEXzh:CWqhW7Cs12IR9z5F
MD5:	0F129611A4F1E7752F3671C9AA6EA736
SHA1:	40C07A94045B17DAE8A02C1D2B49301FAD231152
SHA-256:	2E1F090ABA941B9D2D503E4CD735C958DF7BB68F1E9BDC3F47692E1571AAAC2F
SHA-512:	6ABC0F4878BB302713755A188F662C6FE162EA6267E5E1C497C9BA9FDDBDAEA4DB050E322CB1C77D6638ECF1DAD940B9EBC92C43ACAA594040EE58D313CBCFAE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....+..........." .........0...............................................@............`A........................................p...<............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-conio-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.918215004381039
Encrypted:	false
SSDEEP:	192:OvMWqhWkWJWadJCsVWQ4mWoz/HyttuX01k9z3A21O:JWqhWxCs/SSR9zf1O
MD5:	D4FBA5A92D68916EC17104E09D1D9D12
SHA1:	247DBC625B72FFB0BF546B17FB4DE10CAD38D495
SHA-256:	93619259328A264287AEE7C5B88F7F0EE32425D7323CE5DC5A2EF4FE3BED90D5
SHA-512:	D5A535F881C09F37E0ADF3B58D41E123F527D081A1EBECD9A927664582AE268341771728DC967C30908E502B49F6F853EEAEBB56580B947A629EDC6BCE2340D8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...Aj............" .........0...............................................@......UJ....`A.........................................................0...............0..x&..............p............................................................................rdata..p...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-convert-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26216
Entropy (8bit):	4.882777558752248
Encrypted:	false
SSDEEP:	192:I9cy5WqhWKWEXCVWQ4mW1pbm6yttuX01k9z3A2jyM:Ry5WqhWdcbmLSR9zfjj
MD5:	EDF71C5C232F5F6EF3849450F2100B54
SHA1:	ED46DA7D59811B566DD438FA1D09C20F5DC493CE
SHA-256:	B987AB40CDD950EBE7A9A9176B80B8FFFC005CCD370BB1CBBCAD078C1A506BDC
SHA-512:	481A3C8DC5BEF793EE78CE85EC0F193E3E9F6CD57868B813965B312BD0FADEB5F4419707CD3004FBDB407652101D52E061EF84317E8BD458979443E9F8E4079A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...U.gJ.........." .........@...............................................P............`A.........................................................@...............@..h&..............p............................................................................rdata..n........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-environment-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.738587310329139
Encrypted:	false
SSDEEP:	192:TWqhWXWEXCVWQ4mWPXTNyttuX01k9z3A2dGxr:TWqhWMKASR9zfYxr
MD5:	F9235935DD3BA2AA66D3AA3412ACCFBF
SHA1:	281E548B526411BCB3813EB98462F48FFAF4B3EB
SHA-256:	2F6BD6C235E044755D5707BD560A6AFC0BA712437530F76D11079D67C0CF3200
SHA-512:	AD0C0A7891FB8328F6F0CF1DDC97523A317D727C15D15498AFA53C07610210D2610DB4BC9BD25958D47ADC1AF829AD4D7CF8AABCAB3625C783177CCDB7714246
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...9.4o.........." .........0...............................................@......h*....`A............................................"............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-filesystem-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	5.202163846121633
Encrypted:	false
SSDEEP:	192:2pUEpnWlC0i5CBWqhWXLeWEXCVWQ4iW+/x6RMySX01k9z3Aza8Az629:2ptnWm5CBWqhWtWMR9zqaH629
MD5:	5107487B726BDCC7B9F7E4C2FF7F907C
SHA1:	EBC46221D3C81A409FAB9815C4215AD5DA62449C
SHA-256:	94A86E28E829276974E01F8A15787FDE6ED699C8B9DC26F16A51765C86C3EADE
SHA-512:	A0009B80AD6A928580F2B476C1BDF4352B0611BB3A180418F2A42CFA7A03B9F0575ED75EC855D30B26E0CCA96A6DA8AFFB54862B6B9AFF33710D2F3129283FAA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...2............." .........0...............................................@......M4....`A.........................................................0...............0..h&..............p............................................................................rdata..0...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.866983142029453
Encrypted:	false
SSDEEP:	192:0vh8Y17aFBRsWqhW9AWEXCVWQ4mWCB4Lrp0KBQfX01k9z3ALkg5Z7:SL5WqhW9boRxB+R9z2kM7
MD5:	D5D77669BD8D382EC474BE0608AFD03F
SHA1:	1558F5A0F5FACC79D3957FF1E72A608766E11A64
SHA-256:	8DD9218998B4C4C9E8D8B0F8B9611D49419B3C80DAA2F437CBF15BCFD4C0B3B8
SHA-512:	8DEFA71772105FD9128A669F6FF19B6FE47745A0305BEB9A8CADB672ED087077F7538CD56E39329F7DAA37797A96469EAE7CD5E4CCA57C9A183B35BDC44182F3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...."]..........." .........0...............................................@............`A.........................................................0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-locale-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.828044267819929
Encrypted:	false
SSDEEP:	192:dUnWqhWRWJWadJCsVWQ4mW+2PyttuX01k9z3A23y:cWqhWQCsHSR9zf3y
MD5:	650435E39D38160ABC3973514D6C6640
SHA1:	9A5591C29E4D91EAA0F12AD603AF05BB49708A2D
SHA-256:	551A34C400522957063A2D71FA5ABA1CD78CC4F61F0ACE1CD42CC72118C500C0
SHA-512:	7B4A8F86D583562956593D27B7ECB695CB24AB7192A94361F994FADBA7A488375217755E7ED5071DE1D0960F60F255AA305E9DD477C38B7BB70AC545082C9D5E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...6..q.........." .........0...............................................@.......-....`A............................................e............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-math-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30328
Entropy (8bit):	5.14173409150951
Encrypted:	false
SSDEEP:	384:r7yaFM4Oe59Ckb1hgmLVWqhW2CsWNbZR9zQoekS:/FMq59Bb1jnoFT9zGp
MD5:	B8F0210C47847FC6EC9FBE2A1AD4DEBB
SHA1:	E99D833AE730BE1FEDC826BF1569C26F30DA0D17
SHA-256:	1C4A70A73096B64B536BE8132ED402BCFB182C01B8A451BFF452EFE36DDF76E7
SHA-512:	992D790E18AC7AE33958F53D458D15BFF522A3C11A6BD7EE2F784AC16399DE8B9F0A7EE896D9F2C96D1E2C8829B2F35FF11FC5D8D1B14C77E22D859A1387797C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d................" .........P...............................................`............`A.............................................%...........P...............P..x&..............p............................................................................rdata...'.......0..................@..@.data........@......................@....rsrc........P.......@..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-multibyte-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30312
Entropy (8bit):	4.96699982894665
Encrypted:	false
SSDEEP:	384:PfhhvLPmIHJI6/CpG3t2G3t4odXLVWqhW2ntNbZR9zQo9eZ:xhPmIHJI69VFT9zO
MD5:	075419431D46DC67932B04A8B91A772F
SHA1:	DB2AF49EE7B6BEC379499B5A80BE39310C6C8425
SHA-256:	3A4B66E65A5EE311AFC37157A8101ABA6017FF7A4355B4DD6E6C71D5B7223560
SHA-512:	76287E0003A396CDA84CE6B206986476F85E927A389787D1D273684167327C41FC0FE5E947175C0DEB382C5ACCF785F867D9FCE1FEA4ABD7D99B201E277D1704
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...Y.g..........." .........P...............................................`.......r....`A............................................. ...........P...............P..h&..............p............................................................................rdata..t".......0..................@..@.data........@......................@....rsrc........P.......@..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-process-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.883012715268179
Encrypted:	false
SSDEEP:	192:5eXrqjd7ZWqhW3WEXCVWQ4mW3Ql1Lrp0KBQfX01k9z3ALkjY/12:54rgWqhWsP1RxB+R9z2kjY/Y
MD5:	272C0F80FD132E434CDCDD4E184BB1D8
SHA1:	5BC8B7260E690B4D4039FE27B48B2CECEC39652F
SHA-256:	BD943767F3E0568E19FB52522217C22B6627B66A3B71CD38DD6653B50662F39D
SHA-512:	94892A934A92EF1630FBFEA956D1FE3A3BFE687DEC31092828960968CB321C4AB3AF3CAF191D4E28C8CA6B8927FBC1EC5D17D5C8A962C848F4373602EC982CD4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...<SdT.........." .........0...............................................@......N.....`A............................................x............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-runtime-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26208
Entropy (8bit):	5.023753175006074
Encrypted:	false
SSDEEP:	192:4mGqX8mPrpJhhf4AN5/KiFWqhWyzWEXCVWQ4OW4034hHssDX01k9z3AaYX2cWo:4ysyr77WqhWyI0oFDR9z9YH9
MD5:	20C0AFA78836B3F0B692C22F12BDA70A
SHA1:	60BB74615A71BD6B489C500E6E69722F357D283E
SHA-256:	962D725D089F140482EE9A8FF57F440A513387DD03FDC06B3A28562C8090C0BC
SHA-512:	65F0E60136AB358661E5156B8ECD135182C8AAEFD3EC320ABDF9CFC8AEAB7B68581890E0BBC56BAD858B83D47B7A0143FA791195101DC3E2D78956F591641D16
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....TR.........." .........@...............................................P......D!....`A............................................4............@...............@..`&..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-stdio-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26232
Entropy (8bit):	5.289041983400337
Encrypted:	false
SSDEEP:	192:UuV2OlkuWYFxEpahfWqhWNWJWadJCsVWQ4mWeX9UfKUSIX01k9z3AEXzGd5S:dV2oFVhfWqhWMCstE2IR9z5Sd5S
MD5:	96498DC4C2C879055A7AFF2A1CC2451E
SHA1:	FECBC0F854B1ADF49EF07BEACAD3CEC9358B4FB2
SHA-256:	273817A137EE049CBD8E51DC0BB1C7987DF7E3BF4968940EE35376F87EF2EF8D
SHA-512:	4E0B2EF0EFE81A8289A447EB48898992692FEEE4739CEB9D87F5598E449E0059B4E6F4EB19794B9DCDCE78C05C8871264797C14E4754FD73280F37EC3EA3C304
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...k. U.........." .........@...............................................P............`A............................................a............@...............@..x&..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-string-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26232
Entropy (8bit):	5.284932479906984
Encrypted:	false
SSDEEP:	384:tCLx0C5yguNvZ5VQgx3SbwA7yMVIkFGlTWqhWbQCsMSR9zful:tCV5yguNvZ5VQgx3SbwA71IkFGqHe9zI
MD5:	115E8275EB570B02E72C0C8A156970B3
SHA1:	C305868A014D8D7BBEF9ABBB1C49A70E8511D5A6
SHA-256:	415025DCE5A086DBFFC4CF322E8EAD55CB45F6D946801F6F5193DF044DB2F004
SHA-512:	B97EF7C5203A0105386E4949445350D8FF1C83BDEAEE71CCF8DC22F7F6D4F113CB0A9BE136717895C36EE8455778549F629BF8D8364109185C0BF28F3CB2B2CA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.... .h.........." .........@...............................................P......\.....`A.........................................................@...............@..x&..............p............................................................................rdata.._........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-time-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	5.253102285412285
Encrypted:	false
SSDEEP:	192:mt3hwDGWqhWrWEXCVWQ4mWn+deyttuX01k9z3A23x:AWqhWgPSR9zfh
MD5:	001E60F6BBF255A60A5EA542E6339706
SHA1:	F9172EC37921432D5031758D0C644FE78CDB25FA
SHA-256:	82FBA9BC21F77309A649EDC8E6FC1900F37E3FFCB45CD61E65E23840C505B945
SHA-512:	B1A6DC5A34968FBDC8147D8403ADF8B800A06771CC9F15613F5CE874C29259A156BAB875AAE4CAAEC2117817CE79682A268AA6E037546AECA664CD4EEA60ADBF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...G............" .........0...............................................@.......&....`A.........................................................0...............0..h&..............p............................................................................rdata..=...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\api-ms-win-crt-utility-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.810971823417463
Encrypted:	false
SSDEEP:	192:p/fHQduDWqhWJWJWadJCsVWQ4mWxrnyttuX01k9z3A2Yv6WT:p/ftWqhWoCsmySR9zfYvvT
MD5:	A0776B3A28F7246B4A24FF1B2867BDBF
SHA1:	383C9A6AFDA7C1E855E25055AAD00E92F9D6AAFF
SHA-256:	2E554D9BF872A64D2CD0F0EB9D5A06DEA78548BC0C7A6F76E0A0C8C069F3C0A9
SHA-512:	7C9F0F8E53B363EF5B2E56EEC95E7B78EC50E9308F34974A287784A1C69C9106F49EA2D9CA037F0A7B3C57620FCBB1C7C372F207C68167DF85797AFFC3D7F3BA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...2............." .........0...............................................@......^.....`A............................................^............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\attrs-24.2.0.dist-info\INSTALLER

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI70282\attrs-24.2.0.dist-info\METADATA

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	Unicode text, UTF-8 text, with very long lines (411)
Category:	dropped
Size (bytes):	11524
Entropy (8bit):	5.211520136058075
Encrypted:	false
SSDEEP:	192:ERsUfi6bkQk+k/kKkegToJWicnJsPVA1oz2dv7COmoKTACoEJdQ/0G6lWg+JdQV5:ERsXpLs3VoJWRnJsPvz2dDCHoKsLgA6z
MD5:	49CABCB5F8DA14C72C8C3D00ADB3C115
SHA1:	F575BECF993ECDF9C6E43190C1CB74D3556CF912
SHA-256:	DC9824E25AFD635480A8073038B3CDFE6A56D3073A54E1A6FB21EDD4BB0F207C
SHA-512:	923DAEEE0861611D230DF263577B3C382AE26400CA5F1830EE309BD6737EED2AD934010D61CDD4796618BEDB3436CD772D9429A5BED0A106EF7DE60E114E505C
Malicious:	false
Preview:	Metadata-Version: 2.3.Name: attrs.Version: 24.2.0.Summary: Classes Without Boilerplate.Project-URL: Documentation, https://www.attrs.org/.Project-URL: Changelog, https://www.attrs.org/en/stable/changelog.html.Project-URL: GitHub, https://github.com/python-attrs/attrs.Project-URL: Funding, https://github.com/sponsors/hynek.Project-URL: Tidelift, https://tidelift.com/subscription/pkg/pypi-attrs?utm_source=pypi-attrs&utm_medium=pypi.Author-email: Hynek Schlawack <hs@ox.cx>.License-Expression: MIT.License-File: LICENSE.Keywords: attribute,boilerplate,class.Classifier: Development Status :: 5 - Production/Stable.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python :: 3.7.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: Programming Language :: Python :: 3.11.Classifier: Programming Language :: Python :: 3.12.Classifier: Programming Languag

C:\Users\user\AppData\Local\Temp\_MEI70282\attrs-24.2.0.dist-info\RECORD

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	3556
Entropy (8bit):	5.810477636970161
Encrypted:	false
SSDEEP:	96:Q9ewrFmJT/oPynEddwBbCobXm9qGmR5VXzskCGD+qLtxO:2ewBoJCKXGeR/XzIiO
MD5:	8037E693EAFED6C3D0CCE916BABB50C4
SHA1:	2321392AAB7AE3A6A78248E5D5F454124D368EC1
SHA-256:	688073F6556808D9139FEA52BEC3802D8C0D7CE07978B98AAE8DB5C98FACC0DF
SHA-512:	95B9E6B8F946D2617098C338441AFC5A555FF208947D5731E09EE17B959655161C397F57E14827A95A8FD4554DE8C6E426DC316F858510AE4AA7CA8723C4CF51
Malicious:	false
Preview:	attr/__init__.py,sha256=l8Ewh5KZE7CCY0i1iDfSCnFiUTIkBVoqsXjX9EZnIVA,2087..attr/__init__.pyi,sha256=aTVHBPX6krCGvbQvOl_UKqEzmi2HFsaIVm2WKmAiqVs,11434..attr/__pycache__/__init__.cpython-311.pyc,,..attr/__pycache__/_cmp.cpython-311.pyc,,..attr/__pycache__/_compat.cpython-311.pyc,,..attr/__pycache__/_config.cpython-311.pyc,,..attr/__pycache__/_funcs.cpython-311.pyc,,..attr/__pycache__/_make.cpython-311.pyc,,..attr/__pycache__/_next_gen.cpython-311.pyc,,..attr/__pycache__/_version_info.cpython-311.pyc,,..attr/__pycache__/converters.cpython-311.pyc,,..attr/__pycache__/exceptions.cpython-311.pyc,,..attr/__pycache__/filters.cpython-311.pyc,,..attr/__pycache__/setters.cpython-311.pyc,,..attr/__pycache__/validators.cpython-311.pyc,,..attr/_cmp.py,sha256=3umHiBtgsEYtvNP_8XrQwTCdFoZIX4DEur76N-2a3X8,4123..attr/_cmp.pyi,sha256=U-_RU_UZOyPUEQzXE6RMYQQcjkZRY25wTH99sN0s7MM,368..attr/_compat.py,sha256=n2Uk3c-ywv0PkFfGlvqR7SzDXp4NOhWmNV_ZK6YfWoM,2958..attr/_config.py,sha256=z81Vt-GeT_2taxs1XZfmHx9TWlSxjP

C:\Users\user\AppData\Local\Temp\_MEI70282\attrs-24.2.0.dist-info\WHEEL

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	87
Entropy (8bit):	4.730668933656452
Encrypted:	false
SSDEEP:	3:RtEeXAaCTQnP+tPCCfA5I:Rt2PcnWBB3
MD5:	52ADFA0C417902EE8F0C3D1CA2372AC3
SHA1:	B67635615EEF7E869D74F4813B5DC576104825DD
SHA-256:	D7215D7625CC9AF60AED0613AAD44DB57EBA589D0CCFC3D8122114A0E514C516
SHA-512:	BFA87E7B0E76E544C2108EF40B9FAC8C5FF4327AB8EDE9FEB2891BD5D38FEA117BD9EEBAF62F6C357B4DEADDAD5A5220E0B4A54078C8C2DE34CB1DD5E00F2D62
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: hatchling 1.25.0.Root-Is-Purelib: true.Tag: py3-none-any.

C:\Users\user\AppData\Local\Temp\_MEI70282\attrs-24.2.0.dist-info\licenses\LICENSE

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1109
Entropy (8bit):	5.104415762129373
Encrypted:	false
SSDEEP:	24:bGf8rUrmJHHH0yN3gtsHw1hC09QHOsUv4eOk4/+/m3oqLFh:bW8rUaJHlxE3dQHOs5exm3ogFh
MD5:	5E55731824CF9205CFABEAB9A0600887
SHA1:	243E9DD038D3D68C67D42C0C4BA80622C2A56246
SHA-256:	882115C95DFC2AF1EEB6714F8EC6D5CBCABF667CAFF8729F42420DA63F714E9F
SHA-512:	21B242BF6DCBAFA16336D77A40E69685D7E64A43CC30E13E484C72A93CD4496A7276E18137DC601B6A8C3C193CB775DB89853ECC6D6EB2956DEEE36826D5EBFE
Malicious:	false
Preview:	The MIT License (MIT)..Copyright (c) 2015 Hynek Schlawack and the attrs contributors..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to deal.in the Software without restriction, including without limitation the rights.to use, copy, modify, merge, publish, distribute, sublicense, and/or sell.copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in all.copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHE

C:\Users\user\AppData\Local\Temp\_MEI70282\base_library.zip

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1440734
Entropy (8bit):	5.590363711484859
Encrypted:	false
SSDEEP:	24576:mQR5pATG8/R5lUKdcubgAnyfb8hd0iwhJdYf9PyetHHA:mQR5pE/RbVc
MD5:	34A1E9C9033D4DBEC9AA8FCE5CF8403F
SHA1:	B6379C9E683CF1B304F5027CF42040892799F377
SHA-256:	4C21ADBCC2A8D8ADC1D4B693017C6276B03CB505BB810F46709D75AC3FB77668
SHA-512:	CEDC5735ECF29A50BADE26040C39B5511E18E6D0A921B05E51EF1C1391B64C43F6D0944DE51E88FAD5A62DB8391C80FBE2D9673FB524F92EA0DBD55E659AC3D6
Malicious:	false
Preview:	PK..........!.h%..b...b......._collections_abc.pyc............................................d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.........................Z...e.d...............Z.d...Z...e.e...............Z.[.g.d...Z.d.Z...e...e.d.............................Z...e...e...e...........................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.g.............................Z...e...e...e.g...........................................Z...e...e...e.d...........................................Z...e...e...e.d.d.z.............................................Z...e...e...e...........................................Z...e...e.d.............................Z ..e...e.d.............................Z!..e...e...e"..........................................Z#..e.i.......................................

C:\Users\user\AppData\Local\Temp\_MEI70282\certifi\cacert.pem

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299427
Entropy (8bit):	6.047872935262006
Encrypted:	false
SSDEEP:	6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/QRSRqNb7d8iu5Nahx:QWb/TRJLWURrI5RWavdF08/
MD5:	50EA156B773E8803F6C1FE712F746CBA
SHA1:	2C68212E96605210EDDF740291862BDF59398AEF
SHA-256:	94EDEB66E91774FCAE93A05650914E29096259A5C7E871A1F65D461AB5201B47
SHA-512:	01ED2E7177A99E6CB3FBEF815321B6FA036AD14A3F93499F2CB5B0DAE5B713FD2E6955AA05F6BDA11D80E9E0275040005E5B7D616959B28EFC62ABB43A3238F0
Malicious:	false
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\_MEI70282\charset_normalizer\md.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.8208567868970675
Encrypted:	false
SSDEEP:	96:Y0fK74ACb0xx2uKynu10YLsgxwJiUNiL0U5IZsJFPGDtCFuCQAAZWQcX6g8H4a81:gFCk2z1/t12iwU5usJFKCyHcqgg
MD5:	CBF62E25E6E036D3AB1946DBAFF114C1
SHA1:	B35F91EAF4627311B56707EF12E05D6D435A4248
SHA-256:	06032E64E1561251EA3035112785F43945B1E959A9BF586C35C9EA1C59585C37
SHA-512:	04B694D0AE99D5786FA19F03C5B4DD8124C4F9144CFE7CA250B48A3C0DE0883E06A6319351AE93EA95B55BBBFA69525A91E9407478E40AD62951F1D63D45FF18
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................X......o..............o.......o.......o......j..............n......n......n4.....n......Rich....................PE..d....#.g.........." ...).....................................................p............`..........................................'..p...`(..d....P.......@...............`..,...`#.............................. "..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	121344
Entropy (8bit):	5.899699901799497
Encrypted:	false
SSDEEP:	3072:3Ives1m094QtwqlaZTwuQMS/Pf+vGTVmEU:3PsQIJmE
MD5:	BAC273806F46CFFB94A84D7B4CED6027
SHA1:	773FBC0435196C8123EE89B0A2FC4D44241FF063
SHA-256:	1D9ABA3FF1156EA1FBE10B8AA201D4565AE6022DAF2117390D1D8197B80BB70B
SHA-512:	EAEC1F072C2C0BC439AC7B4E3AEA6E75C07BD4CD2D653BE8500BBFFE371FBFE045227DAEAD653C162D972CCAADFF18AC7DA4D366D1200618B0291D76E18B125C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........yB............................................................................................Rich...........................PE..d....#.g.........." ...).2..........@4.......................................0............`.............................................d...d...................p............ ......@...................................@............P...............................text...x0.......2.................. ..`.rdata...Y...P...Z...6..............@..@.data....=.......0..................@....pdata..p...........................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\cryptography-43.0.3.dist-info\INSTALLER

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI70282\cryptography-43.0.3.dist-info\METADATA

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	5440
Entropy (8bit):	5.074230645519915
Encrypted:	false
SSDEEP:	96:DloQIUQIhQIKQILbQIRIaMPktjaVxsxA2TLLDmplH7dwnqTIvrUmA0JQTQCQx5KN:RcPuP1srTLLDmplH7JTIvYX0JQTQ9x54
MD5:	C891CD93024AF027647E6DE89D0FFCE2
SHA1:	01D8D6F93F1B922A91C82D4711BCEFB885AD47B0
SHA-256:	EB36E0E4251E8479EF36964440755EF22BEDD411BA87A93F726FA8E5BB0E64B0
SHA-512:	3386FBB3DCF7383B2D427093624C531C50BE34E3E0AA0984547B953E04776D0D431D5267827F4194A9B0AD1AB897869115623E802A6A1C5D2AE1AD82C96CCE71
Malicious:	false
Preview:	Metadata-Version: 2.3.Name: cryptography.Version: 43.0.3.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: Apache Software License.Classifier: License :: OSI Approved :: BSD License.Classifier: Natural Language :: English.Classifier: Operating System :: MacOS :: MacOS X.Classifier: Operating System :: POSIX.Classifier: Operating System :: POSIX :: BSD.Classifier: Operating System :: POSIX :: Linux.Classifier: Operating System :: Microsoft :: Windows.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Programming Language :: Python :: 3.7.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: Programming Language :: Python :: 3.11.Classifier: Programming Language :: Python :: 3.12.Classif

C:\Users\user\AppData\Local\Temp\_MEI70282\cryptography-43.0.3.dist-info\RECORD

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	15485
Entropy (8bit):	5.562409393703148
Encrypted:	false
SSDEEP:	192:1XxTBjWz5jF4ELZVhXau4WPE6FGotqw++NX6in55qw/n+B:1XXjWhCEJaiPE6FGotqw++96in5+B
MD5:	13F4AAA0BE473C30F1FCFE7C1E5CC75C
SHA1:	D542DDD6490DE41A96F53579F021EE633B32A4AA
SHA-256:	5AC071DBE59CB47B67628486C36D8E477CB152A2120147B94197EA5142EC3804
SHA-512:	E4E19893A650F91706A472875C398D014AB103D55D065F3D6E9E3AF24AE8D12B87D61C1D1C9C040819E1B9F19A88850780DBA1ED49D380A6273D164169013040
Malicious:	false
Preview:	cryptography-43.0.3.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..cryptography-43.0.3.dist-info/METADATA,sha256=6zbg5CUehHnvNpZEQHVe8ivt1BG6h6k_cm-o5bsOZLA,5440..cryptography-43.0.3.dist-info/RECORD,,..cryptography-43.0.3.dist-info/WHEEL,sha256=8_4EnrLvbhzH224YH8WypoB7HFn-vpbwr_zHlr3XUBI,94..cryptography-43.0.3.dist-info/license_files/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197..cryptography-43.0.3.dist-info/license_files/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360..cryptography-43.0.3.dist-info/license_files/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532..cryptography/__about__.py,sha256=-FkHKD9mSuEfH37wsSKnQzJZmL5zUAUTpB5OeUQjPE0,445..cryptography/__init__.py,sha256=mthuUrTd4FROCpUYrTIqhjz6s6T9djAZrV7nZ1oMm2o,364..cryptography/__pycache__/__about__.cpython-311.pyc,,..cryptography/__pycache__/__init__.cpython-311.pyc,,..cryptography/__pycache__/exceptions.cpython-311.pyc,,..cryptography/__p

C:\Users\user\AppData\Local\Temp\_MEI70282\cryptography-43.0.3.dist-info\WHEEL

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	5.016084900984752
Encrypted:	false
SSDEEP:	3:RtEeX5pGogP+tkKciH/KQb:RtvoTWKTQb
MD5:	C869D30012A100ADEB75860F3810C8C9
SHA1:	42FD5CFA75566E8A9525E087A2018E8666ED22CB
SHA-256:	F3FE049EB2EF6E1CC7DB6E181FC5B2A6807B1C59FEBE96F0AFFCC796BDD75012
SHA-512:	B29FEAF6587601BBE0EDAD3DF9A87BFC82BB2C13E91103699BABD7E039F05558C0AC1EF7D904BCFAF85D791B96BC26FA9E39988DD83A1CE8ECCA85029C5109F0
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: maturin (1.7.0).Root-Is-Purelib: false.Tag: cp39-abi3-win_amd64.

C:\Users\user\AppData\Local\Temp\_MEI70282\cryptography-43.0.3.dist-info\license_files\LICENSE

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	197
Entropy (8bit):	4.61968998873571
Encrypted:	false
SSDEEP:	3:hWDncJhByZmJgXPForADu1QjygQuaAJygT2d5GeWreLRuOFEXAYeBKmJozlMHuO:h9Co8FyQjkDYc5tWreLBF/pn2mH1
MD5:	8C3617DB4FB6FAE01F1D253AB91511E4
SHA1:	E442040C26CD76D1B946822CAF29011A51F75D6D
SHA-256:	3E0C7C091A948B82533BA98FD7CBB40432D6F1A9ACBF85F5922D2F99A93AE6BB
SHA-512:	77A1919E380730BCCE5B55D76FBFFBA2F95874254FAD955BD2FE1DE7FC0E4E25B5FDAAB0FEFFD6F230FA5DC895F593CF8BFEDF8FDC113EFBD8E22FADAB0B8998
Malicious:	false
Preview:	This software is made available under the terms of either of the licenses.found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made.under the terms of both these licenses..

C:\Users\user\AppData\Local\Temp\_MEI70282\cryptography-43.0.3.dist-info\license_files\LICENSE.APACHE

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	11360
Entropy (8bit):	4.426756947907149
Encrypted:	false
SSDEEP:	192:nUDG5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEnQHbHR:UIvlKM1zJlFvmNz5VrlkTS0QHt
MD5:	4E168CCE331E5C827D4C2B68A6200E1B
SHA1:	DE33EAD2BEE64352544CE0AA9E410C0C44FDF7D9
SHA-256:	AAC73B3148F6D1D7111DBCA32099F68D26C644C6813AE1E4F05F6579AA2663FE
SHA-512:	F451048E81A49FBFA11B49DE16FF46C52A8E3042D1BCC3A50AAF7712B097BED9AE9AED9149C21476C2A1E12F1583D4810A6D36569E993FE1AD3879942E5B0D52
Malicious:	false
Preview:	. Apache License. Version 2.0, January 2004. https://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial ow

C:\Users\user\AppData\Local\Temp\_MEI70282\cryptography-43.0.3.dist-info\license_files\LICENSE.BSD

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1532
Entropy (8bit):	5.058591167088024
Encrypted:	false
SSDEEP:	24:MjUnoorbOFFTJJyRrYFTjzMbmqEvBTP4m96432s4EOkUTKQROJ32s3yxsITf+3tY:MkOFJSrYJsaN5P406432svv32s3EsIqm
MD5:	5AE30BA4123BC4F2FA49AA0B0DCE887B
SHA1:	EA5B412C09F3B29BA1D81A61B878C5C16FFE69D8
SHA-256:	602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
SHA-512:	DDBB20C80ADBC8F4118C10D3E116A5CD6536F72077C5916D87258E155BE561B89EB45C6341A1E856EC308B49A4CB4DBA1408EABD6A781FBE18D6C71C32B72C41
Malicious:	false
Preview:	Copyright (c) Individual contributors..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:.. 1. Redistributions of source code must retain the above copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... 3. Neither the name of PyCA Cryptography nor the names of its contributors. may be used to endorse or promote products derived from this software. without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOS

C:\Users\user\AppData\Local\Temp\_MEI70282\cryptography\hazmat\bindings\_rust.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	7834624
Entropy (8bit):	6.517862303223651
Encrypted:	false
SSDEEP:	49152:oFNZj7fIo9W67PapgzJTkrXyzNzpXAbuiqCgIns3mYEXEqMrIU6i7GtlqdVwASO/:QI9X/gIFYEXME+oFNr5VQCJheq4BsxH
MD5:	BFD28B03A4C32A9BCB001451FD002F67
SHA1:	DD528FD5F4775E16B2E743D3188B66F1174807B2
SHA-256:	8EF0F404A8BFF12FD6621D8F4F209499613F565777FE1C2A680E8A18F312D5A7
SHA-512:	6DC39638435F147B399826E34F78571D7ED2ED1232275E213A2B020224C0645E379F74A0CA5DE86930D3348981C8BB03BBBECFA601F8BA781417E7114662DDEE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.b.6...6...6...?..$...&9..4...&9..2...&9..>...&9..'...}...8...Y<..5...6...2...~8..I...6.......~8..7...~8..7...Rich6...........PE..d......g.........." ...)..Y..$........W.......................................w...........`..........................................q.....l.q.............. s...............w......zi.T....................{i.(...Pyi.@.............Y..............................text...k.Y.......Y................. ..`.rdata...A....Y..B....Y.............@..@.data...@+....q.......q.............@....pdata....... s.......r.............@..@.reloc........w.......v.............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\frozenlist\_frozenlist.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	87040
Entropy (8bit):	5.923038424678
Encrypted:	false
SSDEEP:	1536:qundZwmaApD60dSpyT4DIk54S85QwvpC/vNZAg:nLwUpzAczh+wvpqvNZP
MD5:	E8CADECD9A3684DBA357FC0489C62492
SHA1:	4C488D097A85F9BC61F842E3DCF42E228B9885B3
SHA-256:	02053F53EB078BE1488735878DC68524F0E103342250A09EECAE3533D8E9C770
SHA-512:	2443C90931A9AD672938D13C60FDB564EE8AA9FCA85E0426445CE36C395AC9675B6F6488518FF16071731CF8E9A0C2F8DD3182120FD9A7DAF6FD2EE813D2C781
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}.5...f...f...f.dDf...f...g...f.d.g...f...g...f...g...f...g...f..g...f...f2..f..g...f..g...f.(f...f..g...fRich...f................PE..d......g.........." ...).....v............................................................`.........................................`7..h....7..x............p..X....................&..............................`%..@...............@............................text............................... ..`.rdata...J.......L..................@..@.data........P.......6..............@....pdata..X....p.......D..............@..@.rsrc................P..............@..@.reloc...............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\libcrypto-3.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5162776
Entropy (8bit):	5.958207976652471
Encrypted:	false
SSDEEP:	98304:S3+FRtLtlVriXpshX179Cahd4tC9P1+1CPwDvt3uFlDCi:ASRtLtvd99Cahd4tC9w1CPwDvt3uFlDz
MD5:	51E8A5281C2092E45D8C97FBDBF39560
SHA1:	C499C810ED83AAADCE3B267807E593EC6B121211
SHA-256:	2A234B5AA20C3FAECF725BBB54FB33F3D94543F78FA7045408E905593E49960A
SHA-512:	98B91719B0975CB38D3B3C7B6F820D184EF1B64D38AD8515BE0B8B07730E2272376B9E51631FE9EFD9B8A1709FEA214CF3F77B34EEB9FD282EB09E395120E7CB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./',.kFB.kFB.kFB.b>..yFB..:C.iFB..:G.gFB..:F.cFB..:A.oFB.kFC..FB. >C.`FB.;A.KFB.;F..EB.;B.jFB.;..jFB.;@.jFB.RichkFB.........................PE..d...x..e.........." ...#..6..*......v.........................................O.......O...`.........................................0.G.0.....M.@....0N.\|.....K.\.....N../...@N.....PsC.8............................qC.@.............M..............................text...4.6.......6................. ..`.rdata..`.....6.......6.............@..@.data....n....J..<....J.............@....pdata........K.......J.............@..@.idata...%....M..&....M.............@..@.00cfg..u.... N.......M.............@..@.rsrc...\|....0N.......M.............@..@.reloc..k....@N.......M.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\libffi-8.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39696
Entropy (8bit):	6.641880464695502
Encrypted:	false
SSDEEP:	768:NiQfxQemQJNrPN+moyijAc5YiSyvkIPxWEqG:dfxIQvPkmoyijP7SytPxF
MD5:	0F8E4992CA92BAAF54CC0B43AACCCE21
SHA1:	C7300975DF267B1D6ADCBAC0AC93FD7B1AB49BD2
SHA-256:	EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
SHA-512:	6E1B223462DC124279BFCA74FD2C66FE18B368FFBCA540C84E82E0F5BCBEA0E10CC243975574FA95ACE437B9D8B03A446ED5EE0C9B1B094147CEFAF704DFE978
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".H...(.......L...............................................n....`......................................... l.......p..P...............P....l.../......,...@d...............................c..@............`.. ............................text....G.......H.................. ..`.rdata..h....`.......L..............@..@.data................b..............@....pdata..P............d..............@..@.reloc..,............j..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\libssl-3.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	790296
Entropy (8bit):	5.607732992846443
Encrypted:	false
SSDEEP:	6144:7aO1lo7USZGjweMMHO4+xuVg7gCl2VdhMd1DdwMVn4TERUr3zgKpJJ/wknofFe9A:FkeMKOr97gCAE35gEGzLpwknofFe9XbE
MD5:	BFC834BB2310DDF01BE9AD9CFF7C2A41
SHA1:	FB1D601B4FCB29FF1B13B0D2ED7119BD0472205C
SHA-256:	41AD1A04CA27A7959579E87FBBDA87C93099616A64A0E66260C983381C5570D1
SHA-512:	6AF473C7C0997F2847EBE7CEE8EF67CD682DEE41720D4F268964330B449BA71398FDA8954524F9A97CC4CDF9893B8BDC7A1CF40E9E45A73F4F35A37F31C6A9C3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T..T..T..].3.Z....V......V....X....\....P....W..T..I....e....U.._.U....U..RichT..........PE..d......e.........." ...#.6..........K........................................0.......w....`..........................................w...Q..............s.... ..pM......./......`... ...8...............................@............................................text....4.......6.................. ..`.rdata...y...P...z...:..............@..@.data....N.......H..................@....pdata..XV... ...X..................@..@.idata..bc.......d...T..............@..@.00cfg..u...........................@..@.rsrc...s...........................@..@.reloc..?...........................@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\lz4-4.3.3.dist-info\INSTALLER

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI70282\lz4-4.3.3.dist-info\LICENSE

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1523
Entropy (8bit):	5.162397061365918
Encrypted:	false
SSDEEP:	24:oY3UnzobbOmFTVJcFTzA6GLQrBTP49H432sZEOkHs8nRO632smyxtTfr10VZlQfS:ROmJIJzSEP6H432smp32smEtP10VwHy
MD5:	2F7382E069BEAC97D607124540FD5661
SHA1:	1684541BA4AF5542BA7E6490C25882CA125A1C47
SHA-256:	A7D65D1DD4DCC86DCA5D17D46AA4A1C77669C9B72F55F298E9E2212F2905C0CF
SHA-512:	4BD08A47B9B67098E38895E96136B3A5EE4711DEF8EB6AC87B522F2A024FC7F22EA4B53E048C2BB3F636EA81CD0814B53B4E20361EBC1A8CDE1C8E57F7A76089
Malicious:	false
Preview:	Copyright (c) 2012-2013, Steeve Morin..All rights reserved.....Redistribution and use in source and binary forms, with or without..modification, are permitted provided that the following conditions are met:....1. Redistributions of source code must retain the above copyright notice,.. this list of conditions and the following disclaimer.....2. Redistributions in binary form must reproduce the above copyright notice,.. this list of conditions and the following disclaimer in the documentation.. and/or other materials provided with the distribution.....3. Neither the name of Steeve Morin nor the names of its contributors may be.. used to endorse or promote products derived from this software without.. specific prior written permission.....THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"..AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE..IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE..ARE DISCLAIMED.

C:\Users\user\AppData\Local\Temp\_MEI70282\lz4-4.3.3.dist-info\METADATA

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3758
Entropy (8bit):	5.092767270997029
Encrypted:	false
SSDEEP:	96:DdPHo8lGovhSaWMqCBAInB8fhfxF914CAXTzbIYB/HF4s1LWlAjC:tHoczVBAu6fhft15AzjlLLC
MD5:	3D855AD86A99255B3248D88C524148FC
SHA1:	1ADBA31F74CC4BA33AD9AE31EE29CABA66EB4D93
SHA-256:	612E3D4394DFDCA3E93C74FF02ABC012757279F7BA879D875BEE58F643A45FFE
SHA-512:	99E0C5E2DD734CBB653FDFC80C8F568EEEFAAAEF83BA92431DCE97770077759A0550FA6FC58EC3F86C67774CA9F02C0EC33164B4471DB2D659202979C868A4EF
Malicious:	false
Preview:	Metadata-Version: 2.1..Name: lz4..Version: 4.3.3..Summary: LZ4 Bindings for Python..Home-page: https://github.com/python-lz4/python-lz4..Author: Jonathan Underwood..Author-email: jonathan.underwood@gmail.com..Classifier: Development Status :: 5 - Production/Stable..Classifier: License :: OSI Approved :: BSD License..Classifier: Intended Audience :: Developers..Classifier: Programming Language :: C..Classifier: Programming Language :: Python..Classifier: Programming Language :: Python :: 3.8..Classifier: Programming Language :: Python :: 3.9..Classifier: Programming Language :: Python :: 3.10..Classifier: Programming Language :: Python :: 3.11..Classifier: Programming Language :: Python :: 3.12..Requires-Python: >=3.8..License-File: LICENSE..Provides-Extra: docs..Requires-Dist: sphinx >=1.6.0 ; extra == 'docs'..Requires-Dist: sphinx-bootstrap-theme ; extra == 'docs'..Provides-Extra: flake8..Requires-Dist: flake8 ; extra == 'flake8'..Provides-Extra: tests..Requires-Dist: pytest !=3.3.0 ;

C:\Users\user\AppData\Local\Temp\_MEI70282\lz4-4.3.3.dist-info\RECORD

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	5.865132521742272
Encrypted:	false
SSDEEP:	24:on/2zDBvNGAt5OjUyWolSl1xp++ihiB5YJ+SdX54nhOZH58lFc:onuXBZqjUhocllkiHYA+54nYZH5iFc
MD5:	5767B79313C4C7634B59A06B711F4A2F
SHA1:	906B83790268C9042874E5E05DC7C0CF57106E1C
SHA-256:	BB6AB4126ED02B0B83CC89FCF371C9D5F4BC927DE87632245007569ED49F6D3D
SHA-512:	8B93C1D32CD84AAC9B0E5358B84A498C524FD45E365CE088AA3A8A0D8D1B4916B053A1628BAE63111C13AFFFD367CF5AFA3437106F83968B11F34E9A1E5D8BB6
Malicious:	false
Preview:	lz4-4.3.3.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..lz4-4.3.3.dist-info/LICENSE,sha256=p9ZdHdTcyG3KXRfUaqShx3ZpybcvVfKY6eIhLykFwM8,1523..lz4-4.3.3.dist-info/METADATA,sha256=YS49Q5Tf3KPpPHT_AqvAEnVyefe6h52HW-5Y9kOkX_4,3758..lz4-4.3.3.dist-info/RECORD,,..lz4-4.3.3.dist-info/WHEEL,sha256=ircjsfhzblqgSzO8ow7-0pXK-RVqDqNRGQ8F650AUNM,102..lz4-4.3.3.dist-info/top_level.txt,sha256=cX6_gxFUdNSo40TfxrGpTCgu7epGm3yW3m2k7irTDzI,4..lz4/__init__.py,sha256=e_8j-K4TJx38qcPNjoZP_pNDo8IpE4D2ZWl4p50iV_8,646..lz4/__pycache__/__init__.cpython-311.pyc,,..lz4/__pycache__/version.cpython-311.pyc,,..lz4/_version.cp311-win_amd64.pyd,sha256=BXu927P5cO4vjggWtfvZIvPt6wgmoQUK9Cd_j9ngmks,11264..lz4/block/__init__.py,sha256=DSUbS7zMlKKeLs8JO9riOBO5Q_lVoSB-nwgjfhBeXt0,71..lz4/block/__pycache__/__init__.cpython-311.pyc,,..lz4/block/_block.cp311-win_amd64.pyd,sha256=N8neJ86OtjJrV98ODkd4GPyX1va57JBvAp6OU41xM9c,76800..lz4/frame/__init__.py,sha256=ZnJ4sJ1HStPpmJpo0q_CGm9fDEui3Tt3V8DmMi68SZM,

C:\Users\user\AppData\Local\Temp\_MEI70282\lz4-4.3.3.dist-info\WHEEL

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	102
Entropy (8bit):	5.0254896858991245
Encrypted:	false
SSDEEP:	3:RtEeX7MWcSlVlbY3KgP+tkKcfxLQLn:RtBMwlVCxWK5NQLn
MD5:	4F7020292A2B5B7F3BCC9B1F5B5AFEB4
SHA1:	D2C2D48CCB76629F7604B9881357F129D76F635F
SHA-256:	8AB723B1F8736E5AA04B33BCA30EFED295CAF9156A0EA351190F05EB9D0050D3
SHA-512:	4D7598EEC10105C1826732DC78FC89850A7343B733A5441DDB53606F8BA7A15C8F058C6C9C0C0EE99951B383BB30C94279FDCE7F0E588A70367DC46D3C672E20
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: bdist_wheel (0.42.0).Root-Is-Purelib: false.Tag: cp311-cp311-win_amd64..

C:\Users\user\AppData\Local\Temp\_MEI70282\lz4-4.3.3.dist-info\top_level.txt

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:fn:f
MD5:	194B36A8466E4650490040D599B09C0E
SHA1:	4CB4A2C46E9892B8A712716F9B42537D1962BBB4
SHA-256:	717EBF83115474D4A8E344DFC6B1A94C282EEDEA469B7C96DE6DA4EE2AD30F32
SHA-512:	C55B2D3D46EC558533B4019DFFA87B1F93E7866DBCDE8D00243D8C54F1A3094933256BD25EAA0333D6EC4B308F1A4C92630BBEF6E10BE7892774DCCF5556FE77
Malicious:	false
Preview:	lz4.

C:\Users\user\AppData\Local\Temp\_MEI70282\lz4\_version.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	4.696226726378701
Encrypted:	false
SSDEEP:	96:VkW+7TRSsA2zVJoYeEw0VTmrgJyUCN5XsMtEZqfH/OZYUo8/NcX6gZYPV:KHRSsvZJ5YNRZEZqn0YUHNcqg4
MD5:	44229B69D9EE7308DA5D880081A1CB75
SHA1:	AEF85718A2658629A7FB399E3D4AED0001409182
SHA-256:	057BBDDBB3F970EE2F8E0816B5FBD922F3EDEB0826A1050AF4277F8FD9E09A4B
SHA-512:	0622A64DA707BCF8EE5E2EA48EFACC3EBB70A4DB16F50DD26DD407AAFC178D0AB443651F38B67B1423C4024E5C1D339509049FB0D2C759659AB980B92D8F9F66
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Y7..8Y..8Y..8Y..@...8Y..GX..8Y.@X..8Y..G\..8Y..G]..8Y..GZ..8Y.7EX..8Y..8X..8Y..Q..8Y..Y..8Y.....8Y..[..8Y.Rich.8Y.........................PE..d....@.e.........." ...%.....................................................p............`.........................................p..`......d....P.......@...............`..D...p%..............................0$..@............ ...............................text...x........................... ..`.rdata....... ......................@..@.data........0.......$..............@....pdata.......@.......&..............@..@.rsrc........P.......(..............@..@.reloc..D....`.......*..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\lz4\block\_block.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	76800
Entropy (8bit):	6.201674022552313
Encrypted:	false
SSDEEP:	1536:+V4xVkjuE0OoP2gFMg/Bc/0amC8p7g4PvjmfO3+oO3h7Xxtu:Pxyjp4Pnfc/ypEaL+O3+oo9Xxtu
MD5:	910C0ED11E93D4EF003ED0065A31164A
SHA1:	CE3D5B6B289F77F95AF3B60B436FBD9CE821AF2F
SHA-256:	37C9DE27CE8EB6326B57DF0E0E477818FC97D6F6B9EC906F029E8E538D7133D7
SHA-512:	6D9A9C17B22815B3453E4CA42BC1579448B175F55CC52ECE876F20699BC5DA193E075E86A9B063745797F39D988C457ED56B997DF023EAE9F68BD31E7543F2FE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r?Xk6^686^686^68?&.80^68#!794^68}&794^68#!39:^68#!29>^68#!592^68.#795^686^78.^68..>95^68..697^68...87^68..497^68Rich6^68................PE..d....@.e.........." ...%.....8............................................................`..........................................-..\....-.......`.......P..P............p..d....$..............................@#..@............................................text...(........................... ..`.rdata...$.......&..................@..@.data...p....@....... ..............@....pdata..P....P......."..............@..@.rsrc........`.......(..............@..@.reloc..d....p.......*..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\multidict\_multidict.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	47616
Entropy (8bit):	5.315276044408234
Encrypted:	false
SSDEEP:	768:j2vE6F6hmSrnDe651sYEYMXB/6BvE6n0/d3g:jAoVDeWlE5/6BvDni
MD5:	ECC0B2FCDA0485900F4B72B378FE4303
SHA1:	40D9571B8927C44AF39F9D2AF8821F073520E65A
SHA-256:	BCBB43CE216E38361CB108E99BAB86AE2C0F8930C86D12CADFCA703E26003CB1
SHA-512:	24FD07EB0149CB8587200C055F20FF8C260B8E626693C180CBA4E066194BED7E8721DDE758B583C93F7CB3D691B50DE6179BA86821414315C17B3D084D290E70
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~..T:l..:l..:l..3.?.8l....8l..q...8l....9l....2l....6l..U..9l..:l..Ll..r..;l..r..;l..r.S.;l..r..;l..Rich:l..........................PE..d...;}.f.........." ...).\...`......`^....................................................`.............................................d.......d...............................L.......................................@............p...............................text....Z.......\.................. ..`.rdata...,...p.......`..............@..@.data....#..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..L...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\propcache\_helpers_c.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	74752
Entropy (8bit):	5.864853826664042
Encrypted:	false
SSDEEP:	1536:kvue4NaxmMtgkBiNWXT+z6eNO/oNJ67bScEq:kvuezmMtgSyWD4NsnbScE
MD5:	04444380B89FB22B57E6A72B3AE42048
SHA1:	CFE9C662CB5CA1704E3F0763D02E0D59C5817D77
SHA-256:	D123D7FEFDE551C82EB61454D763177322E5CE1EAA65DC489E19DE5AB7FAF7B4
SHA-512:	9E7D367BAB0F6CC880C5870FDCDB06D9A9E5EB24EBA489CA85549947879B0FA3C586779FFCEA0FCA4C50AA67DAD098E7BD9E82C00E2D00412D9441991267D2DA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^..T.l...l...l....?..l......l..Q....l......l......l......l..u...l...l...l..R...l..R...l..R.S..l..R...l..Rich.l..................PE..d......g.........." ...).....l......P........................................p............`.........................................`...d.......d....P.......@..H............`..T.......................................@............................................text............................... ..`.rdata...E.......F..................@..@.data........ ......................@....pdata..H....@......................@..@.rsrc........P....... ..............@..@.reloc..T....`......."..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\psutil\_psutil_windows.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67072
Entropy (8bit):	5.909510426434191
Encrypted:	false
SSDEEP:	1536:aJsHmR02IvVxv7WCyKm7c5Th4MBHTOvyyaZE:apIvryCyKx5Th4M5OvyyO
MD5:	3E579844160DE8322D574501A0F91516
SHA1:	C8DE193854F7FC94F103BD4AC726246981264508
SHA-256:	95F01CE7E37F6B4B281DBC76E9B88F28A03CB02D41383CC986803275A1CD6333
SHA-512:	EE2A026E8E70351D395329C78A07ACB1B9440261D2557F639E817A8149BA625173EF196AED3D1C986577D78DC1A7EC9FED759C19346C51511474FE6D235B1817
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......nT..5..5..5..#M2. 5..x@..(5..x@..&5..x@.."5..x@...5...k..(5..aM..;5..5...5...@..:5...@..+5...@^.+5...@..+5..Rich*5..................PE..d.....qf.........." .........h......\........................................@............`.........................................0...`.......@.... .......................0..(.......................................8............................................text...h........................... ..`.rdata..\I.......J..................@..@.data...x...........................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..(....0......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\pyexpat.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	199448
Entropy (8bit):	6.37860626187966
Encrypted:	false
SSDEEP:	6144:JmRBHO1UpyGKEjQxmMLIQjmuMgk6k6k6k6k6k6jHlDX:JmRBHJS7Mgk6k6k6k6k6k6jFDX
MD5:	6527063F18E8D49D04E2CC216C2F0B27
SHA1:	917C349C62689F9B782A314CE4B2311B6B826606
SHA-256:	5604F629523125904909547A97F3CDB5DBFE33B39878BAD77534DE0C3C034387
SHA-512:	67C87D11683A0F4E1BC4083FF05EDEE423155F829051C3FA66CC4F2CFB98CF7374B3A06EB37095E19F5F2A6C8DA83F0C0E3F7EB964694992B525F81B1B00F423
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................g.................................h.......................h.......h.......h.......h.......Rich....................PE..d......e.........." ...#..................................................... ......X.....`.............................................P................................/..........`3..T........................... 2..@............ ...............................text...3........................... ..`.rdata....... ......................@..@.data...@!..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\python3.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67352
Entropy (8bit):	6.1462717896521335
Encrypted:	false
SSDEEP:	768:lGw/EsYpkVgBaz57kcDA7QKFmpz7cnzH/ks/KF61xubwmB1Cf//yhC74JFmpktJa:r/5k8cnzeJd9IVL0v7SyJwx/
MD5:	D8BA00C1D9FCC7C0ABBFFB5C214DA647
SHA1:	5FA9D5700B42A83BFCC125D1C45E0111B9D62035
SHA-256:	E45452EFA356DB874F2E5FF08C9CC0FE22528609E5D341F8FB67BA48885AB77D
SHA-512:	DF1B714494856F618A742791EEFBF470B2EEE07B51D983256E4386EA7D48DA5C7B1E896F222EA55A748C9413203886CDE3A65EF9E7EA069014FA626F81D79CD3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........C..."e.."e.."e.0_m.."e.0_e.."e.0_..."e.0_g.."e.Rich."e.................PE..d......e.........." ...#.................................................................`.........................................`...P................................/..............T............................................................................rdata..............................@..@.rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\python311.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5763864
Entropy (8bit):	6.089317968812699
Encrypted:	false
SSDEEP:	98304:CdT9zf0+IXY3qd4biqm46oWHrMGYPtA81:CdT9zflIXgq/epGWAs
MD5:	65E381A0B1BC05F71C139B0C7A5B8EB2
SHA1:	7C4A3ADF21EBCEE5405288FC81FC4BE75019D472
SHA-256:	53A969094231B9032ABE4148939CE08A3A4E4B30B0459FC7D90C89F65E8DCD4A
SHA-512:	4DB465EF927DFB019AB6FAEC3A3538B0C3A8693EA3C2148FD16163BF31C03C899DFDF350C31457EDF64E671E3CC3E46851F32F0F84B267535BEBC4768EF53D39
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... ..qN.qN.qN.$.O.qN.$...qN.$.K.qN.$.J.qN.$.M.qN....qN...O.qN.qO..pN.B.C.]qN.B.N.qN.B...qN.B.L.qN.Rich.qN.........PE..d......e.........." ...#.R%..>7......=........................................\.....T.X...`...........................................@......[A......p[.......V../....W../....[.lC....).T...........................p.).@............p%..............................text...ZQ%......R%................. ..`.rdata.......p%......V%.............@..@.data....#....A..T...fA.............@....pdata.../....V..0....Q.............@..@PyRuntim......X.......S.............@....rsrc........p[......vV.............@..@.reloc..lC....[..D....V.............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\pywin32_system32\pythoncom311.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	670208
Entropy (8bit):	6.035999626973864
Encrypted:	false
SSDEEP:	12288:ngSkceIv3zBJBQoXNi4LCQqAOffa1tpd5g:gSkc/v3zB9NiEWfa
MD5:	31C1BF2ACA5DF417F6CE2618C3EEFE7E
SHA1:	4C2F7FE265FF28396D03BA0CAB022BBD1785DBF2
SHA-256:	1DAF7C87B48554F1481BA4431102D0429704832E42E3563501B1FFDD3362FCD1
SHA-512:	5723145F718CC659ADD658BA545C5D810E7032842907BAB5C2335E3DE7F20FE69B58AA42512FD67EA8C6AA133E59E0C26BD90700BDD0D0171AF6C1E1C73A2719
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."..~f..-f..-f..-o..-l..-4..,b..-4..,q..-4..,n..-4..,b..-...,d..--..,k..-...,d..--..,o..-f..-5..-...,7..-...,g..-...,g..-Richf..-................PE..d...&..g.........." ......................................................................`..........................................U...c..(...........l....@...z............... ..P...T...............................8............................................text............................... ..`.rdata..x$.......&..................@..@.data....I..........................@....pdata...z...@...\|..................@..@.rsrc...l...........................@..@.reloc... ......."..................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\pywin32_system32\pywintypes311.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	134656
Entropy (8bit):	5.999117329459055
Encrypted:	false
SSDEEP:	3072:kLcVKY3tOSjPenBttgY/r06Yr27vJmxETaTX7wevxJ:kLcVKY3tOWPxY/rkqzJmxEmTXMev
MD5:	5D67ABF69A8939D13BEFB7DE9889B253
SHA1:	BCBBF88C05732D4E1E3811FD312425C1C92018D1
SHA-256:	615EB8A75F9ED9371A59DA8F31E27EE091C013DB0B9164A5124CA0656EA47CB4
SHA-512:	FA34EB05996C41F23524A8B4F1FAED0BDD41224D8E514AA57D568A55D2044C32798C1357F22C72AD79FD02948CAAD89B98B8E9B0AD2927E4A0169739335271CE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I+.j'x.j'x.j'x...x.j'x..&y.j'x...x.j'x.."y.j'x..#y.j'x..$y.j'x..#y.j'x..&y.j'x..&y.j'x.j&xCj'xk..y.j'xk.'y.j'xk.%y.j'xRich.j'x................PE..d......g.........." ................,........................................P............`..........................................u..lB......,....0..l.......L............@..0....Q..T............................R..8............................................text...y........................... ..`.rdata..............................@..@.data....-.......(..................@....pdata..L...........................@..@.rsrc...l....0......................@..@.reloc..0....@......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\select.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30488
Entropy (8bit):	6.582368880935187
Encrypted:	false
SSDEEP:	768:neUeJhHq2GD9IVQGA5YiSyv3g+AMxkEdC:neUeJhK2GD9IVQGS7SyfgMxRC
MD5:	8472D39B9EE6051C961021D664C7447E
SHA1:	B284E3566889359576D43E2E0E99D4ACF068E4FB
SHA-256:	8A9A103BC417DEDE9F6946D9033487C410937E1761D93C358C1600B82F0A711F
SHA-512:	309F1EC491D9C39F4B319E7CE1ABDEDF11924301E4582D122E261E948705FB71A453FEC34F63DF9F9ABE7F8CC2063A56CD2C2935418AB54BE5596AADC2E90AD3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........t.q\|'.q\|'.q\|'...'.q\|'q.}&.q\|'q.y&.q\|'q.x&.q\|'q..&.q\|'..}&.q\|'.q}'.q\|'..}&.q\|'..q&.q\|'..\|&.q\|'...'.q\|'..~&.q\|'Rich.q\|'........PE..d......e.........." ...#.....2......................................................;.....`..........................................@..L...,A..x....p.......`.......H.../......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..L............F..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\setuptools-65.5.0.dist-info\INSTALLER

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI70282\setuptools-65.5.0.dist-info\LICENSE

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1050
Entropy (8bit):	5.072538194763298
Encrypted:	false
SSDEEP:	24:1rmJHcwH0MP3gt8Hw1hj9QHOsUv4eOk4/+/m3oqMSFJ:1aJ8YHvEH5QHOs5exm3oEFJ
MD5:	7A7126E068206290F3FE9F8D6C713EA6
SHA1:	8E6689D37F82D5617B7F7F7232C94024D41066D1
SHA-256:	DB3F0246B1F9278F15845B99FEC478B8B506EB76487993722F8C6E254285FAF8
SHA-512:	C9F0870BC5D5EFF8769D9919E6D8DDE1B773543634F7D03503A9E8F191BD4ACC00A97E0399E173785D1B65318BAC79F41D3974AE6855E5C432AC5DACF8D13E8A
Malicious:	false
Preview:	Copyright Jason R. Coombs..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to.deal in the Software without restriction, including without limitation the.rights to use, copy, modify, merge, publish, distribute, sublicense, and/or.sell copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in.all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING.FROM, OUT OF OR IN CONNECTION WITH THE SOFTW

C:\Users\user\AppData\Local\Temp\_MEI70282\setuptools-65.5.0.dist-info\METADATA

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	6301
Entropy (8bit):	5.107162422517841
Encrypted:	false
SSDEEP:	192:W4rkAIG0wRg8wbNDdq6T9927uoU/GBpHFwTZ:Sq0wRg8wbNDdBh927uoU/GBRFi
MD5:	9E59BD13BB75B38EB7962BF64AC30D6F
SHA1:	70F6A68B42695D1BFA55ACB63D8D3351352B2AAC
SHA-256:	80C7A3B78EA0DFF1F57855EE795E7D33842A0827AA1EF4EE17EC97172A80C892
SHA-512:	67AC61739692ECC249EBDC8F5E1089F68874DCD65365DB1C389FDD0CECE381591A30B99A2774B8CAAA00E104F3E35FF3745AFF6F5F0781289368398008537AE7
Malicious:	false
Preview:	Metadata-Version: 2.1.Name: setuptools.Version: 65.5.0.Summary: Easily download, build, install, upgrade, and uninstall Python packages.Home-page: https://github.com/pypa/setuptools.Author: Python Packaging Authority.Author-email: distutils-sig@python.org.Project-URL: Documentation, https://setuptools.pypa.io/.Project-URL: Changelog, https://setuptools.pypa.io/en/stable/history.html.Keywords: CPAN PyPI distutils eggs package management.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Topic :: Software Development :: Libraries :: Python Modules.Classifier: Topic :: System :: Archiving :: Packaging.Classifier: Topic :: System :: Systems Administration.Classifier: Topic :: Utilities.Requires-Python: >=3.7.License-File: LICENSE.Provides-Extra: certs.Provides-Extra: docs.Requi

C:\Users\user\AppData\Local\Temp\_MEI70282\setuptools-65.5.0.dist-info\RECORD

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	37694
Entropy (8bit):	5.555787611309118
Encrypted:	false
SSDEEP:	384:vSzcBlShgRUhbul9nXJkpIVh498WjXYH0+5+E/8mrnaDoaQP7IOQRJqxBPgof2yd:vc853yQXYAY8AKCT9r2/GsIVxE9Im
MD5:	087F72A04BB085627494651E36C4C513
SHA1:	1E39070E246F91D8926268A033C6F584E629E2DE
SHA-256:	BFB77A968E06417BD37023BF1A2D7F1AAE9D8E74231665D6699D5BB82BDBD7B0
SHA-512:	39CE042A20324C6B63A192D70E56B36318C45D04B810A6BD333D1D40B6DAAD947AFB9156C003BC86C700A59F0F25753416D754DA06C808814920F92582CB6058
Malicious:	false
Preview:	_distutils_hack/__init__.py,sha256=TSekhUW1fdE3rjU3b88ybSBkJxCEpIeWBob4cEuU3ko,6128.._distutils_hack/__pycache__/__init__.cpython-311.pyc,,.._distutils_hack/__pycache__/override.cpython-311.pyc,,.._distutils_hack/override.py,sha256=Eu_s-NF6VIZ4Cqd0tbbA5wtWky2IZPNd8et6GLt1mzo,44..distutils-precedence.pth,sha256=JjjOniUA5XKl4N5_rtZmHrVp0baW_LoHsN0iPaX10iQ,151..pkg_resources/__init__.py,sha256=fT5Y3P1tcSX8sJomClUU10WHeFmvqyNZM4UZHzdpAvg,108568..pkg_resources/__pycache__/__init__.cpython-311.pyc,,..pkg_resources/_vendor/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..pkg_resources/_vendor/__pycache__/__init__.cpython-311.pyc,,..pkg_resources/_vendor/__pycache__/appdirs.cpython-311.pyc,,..pkg_resources/_vendor/__pycache__/zipp.cpython-311.pyc,,..pkg_resources/_vendor/appdirs.py,sha256=MievUEuv3l_mQISH5SF0shDk_BNhHHzYiAPrT3ITN4I,24701..pkg_resources/_vendor/importlib_resources/__init__.py,sha256=evPm12kLgYqTm-pbzm60bOuumumT8IpBNWFp0uMyrzE,506..pkg_resources/_vendor/importli

C:\Users\user\AppData\Local\Temp\_MEI70282\setuptools-65.5.0.dist-info\WHEEL

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	92
Entropy (8bit):	4.820827594031884
Encrypted:	false
SSDEEP:	3:RtEeX7MWcSlViZHKRRP+tPCCfA5S:RtBMwlViojWBBf
MD5:	4D57030133E279CEB6A8236264823DFD
SHA1:	0FDC3988857C560E55D6C36DCC56EE21A51C196D
SHA-256:	1B5E87E00DC87A84269CEAD8578B9E6462928E18A95F1F3373C9EEF451A5BCC0
SHA-512:	CD98F2A416AC1B13BA82AF073D0819C0EA7C095079143CAB83037D48E9A5450D410DC5CF6B6CFF3F719544EDF1C5F0C7E32E87B746F1C04FE56FAFD614B39826
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: bdist_wheel (0.37.1).Root-Is-Purelib: true.Tag: py3-none-any..

C:\Users\user\AppData\Local\Temp\_MEI70282\setuptools-65.5.0.dist-info\entry_points.txt

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	2740
Entropy (8bit):	4.540737240939103
Encrypted:	false
SSDEEP:	48:lELcZDy3g6ySDsm90rZh2Phv4hhpTqTog:yLAP8arZoP94hTTqcg
MD5:	D3262B65DB35BFFAAC248075345A266C
SHA1:	93AD6FE5A696252B9DEF334D182432CDA2237D1D
SHA-256:	DEC880BB89189B5C9B1491C9EE8A2AA57E53016EF41A2B69F5D71D1C2FBB0453
SHA-512:	1726750B22A645F5537C20ADDF23E3D3BAD851CD4BDBA0F9666F9F6B0DC848F9919D7AF8AD8847BD4F18D0F8585DDE51AFBAE6A4CAD75008C3210D17241E0291
Malicious:	false
Preview:	[distutils.commands].alias = setuptools.command.alias:alias.bdist_egg = setuptools.command.bdist_egg:bdist_egg.bdist_rpm = setuptools.command.bdist_rpm:bdist_rpm.build = setuptools.command.build:build.build_clib = setuptools.command.build_clib:build_clib.build_ext = setuptools.command.build_ext:build_ext.build_py = setuptools.command.build_py:build_py.develop = setuptools.command.develop:develop.dist_info = setuptools.command.dist_info:dist_info.easy_install = setuptools.command.easy_install:easy_install.editable_wheel = setuptools.command.editable_wheel:editable_wheel.egg_info = setuptools.command.egg_info:egg_info.install = setuptools.command.install:install.install_egg_info = setuptools.command.install_egg_info:install_egg_info.install_lib = setuptools.command.install_lib:install_lib.install_scripts = setuptools.command.install_scripts:install_scripts.rotate = setuptools.command.rotate:rotate.saveopts = setuptools.command.saveopts:saveopts.sdist = setuptools.command.sdist:sdist.seto

C:\Users\user\AppData\Local\Temp\_MEI70282\setuptools-65.5.0.dist-info\top_level.txt

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	41
Entropy (8bit):	3.9115956018096876
Encrypted:	false
SSDEEP:	3:3Wd+Nt8AfQYv:3Wd+Nttv
MD5:	789A691C859DEA4BB010D18728BAD148
SHA1:	AEF2CBCCC6A9A8F43E4E150E7FCF1D7B03F0E249
SHA-256:	77DC8BDFDBFF5BBAA62830D21FAB13E1B1348FF2ECD4CDCFD7AD4E1A076C9B88
SHA-512:	BC2F7CAAD486EB056CB9F68E6C040D448788C3210FF028397CD9AF1277D0051746CAE58EB172F9E73EA731A65B2076C6091C10BCB54D911A7B09767AA6279EF6
Malicious:	false
Preview:	_distutils_hack.pkg_resources.setuptools.

C:\Users\user\AppData\Local\Temp\_MEI70282\sqlite3.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1504024
Entropy (8bit):	6.578984314535122
Encrypted:	false
SSDEEP:	24576:M5WQyUuqjJVKMXijWRwtHHofIyEcL/2m75i5zxHWc9C08lYfore60b:Mb0yVKMyjWR6nofQm7U59HWKYYD
MD5:	256224CC25D085663D4954BE6CC8C5B5
SHA1:	9931CC156642E2259DFABF0154FDDF50D86E9334
SHA-256:	5AC6EE18CDCA84C078B66055F5E9FFC6F8502E22EAF0FA54AEEC92B75A3C463E
SHA-512:	A28ABF03199F0CE9F044329F7EBA2F1D8ECBC43674337AAFBF173F567158BA9046036DA91DC3E12C2BB1D7842953526EDBA14BC03F81ECE63DCEDCC9413213A7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W..W..W..^.P.[....U....Z...._.....S.....T..W........V.....V....<.V......V..RichW..........................PE..d......e.........." ...#..................................................................`.........................................Px...".............................../...........*..T............................(..@...............8............................text............................... ..`.rdata..............................@..@.data...PG.......>..................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\ucrtbase.dll

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1016584
Entropy (8bit):	6.669319438805479
Encrypted:	false
SSDEEP:	24576:VkmZDEMHhp9v1Ikbn3ND0TNVOsIut8P4zmxvSZX0yplkA:mmZFHhp9v1Io3h0TN3pvkA
MD5:	0E0BAC3D1DCC1833EAE4E3E4CF83C4EF
SHA1:	4189F4459C54E69C6D3155A82524BDA7549A75A6
SHA-256:	8A91052EF261B5FBF3223AE9CE789AF73DFE1E9B0BA5BDBC4D564870A24F2BAE
SHA-512:	A45946E3971816F66DD7EA3788AACC384A9E95011500B458212DC104741315B85659E0D56A41570731D338BDF182141C093D3CED222C007038583CEB808E26FD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W..l9F.l9F.l9F...F.l9F.l8F.l9F...F.l9F..9G.l9F..:G.l9F..<G.l9F..7G.n9F..=G.l9F...F.l9F..;G.l9FRich.l9F........PE..d.....}X.........." .........`............................................................`A................................................p......................F...=......p...PX..T............................'...............O...............................text............................... ..`.rdata..<u.......v..................@..@.data....$...........r..............@....pdata.............................@..@.rsrc................4..............@..@.reloc..p............:..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1141016
Entropy (8bit):	5.435201566416684
Encrypted:	false
SSDEEP:	12288:C3kYbfjwR6nbVonRiPDjRrO5184EPYPx++ZiLKGZ5KXyVH4eD1Ji:CUYbM40IDJcjEwPgPOG6Xyd461Ji
MD5:	57F8F40CF955561A5044DDFFA4F2E144
SHA1:	19218025BCAE076529E49DDE8C74F12E1B779279
SHA-256:	1A965C1904DA88989468852FDC749B520CCE46617B9190163C8DF19345B59560
SHA-512:	DB2A7A32E0B5BF0684A8C4D57A1D7DF411D8EB1BC3828F44C95235DD3AF40E50A198427350161DFF2E79C07A82EF98E1536E0E013030A15BDF1116154F1D8338
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4m..4m..4m..=...2m......6m......9m......<m......7m......7m......6m..4m..em......5m......5m....j.5m......5m..Rich4m..................PE..d......e.........." ...#.@..........P*...............................................~....`.............................................X............`.......P..0....:.../...p.......]..T............................[..@............P..x............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data...H....0......................@....pdata..0....P.......&..............@..@.rsrc........`......................@..@.reloc.......p.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\win32\_win32sysloader.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.113812591033072
Encrypted:	false
SSDEEP:	192:rCm72PEO1jIUs0YqEcPbF55UgCWV4rofnDPdRD0hvHvcqvn7ycIt/G/:rardA0Bzx14r6nDrOhv+O/
MD5:	B58CA169FDCFFAB726391D3906DD9A4E
SHA1:	C4BB8DA84A5D9C31D0ACB7A4127F55E696F414DF
SHA-256:	1A8DCDBD730166889C03FAF285DC1DD9F16090DFE81043D80A9D6308300EBAC9
SHA-512:	AA23DEBF80D89A40677D1BF1C7C6C3445A79E76419865B86D0D6A605656478067EBEA2752348FCF77D583D2E5DCD284DA7F55F751D6441E647565DA77F982966
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Dg..%..%..%..]..%...P..%...]..%...P..%...P..%...P..%.....%..%..%..LP..%..LP..%..LP..%..Rich.%..................PE..d......g.........." ......................................................................`..........................................;..`...p;..d....p..t....`..................@...\|2..T............................2..8............0..p............................text............................... ..`.rdata..4....0......................@..@.data........P......................@....pdata.......`.......0..............@..@.rsrc...t....p.......4..............@..@.reloc..@............8..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\win32\win32api.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	133120
Entropy (8bit):	5.849201651779307
Encrypted:	false
SSDEEP:	3072:znvpE3JJ/Q7DspOCQUUU40Oc3lRVFhLaNzvBii7qQvmwCoY9LQPe:T4xG4pOCQUUU4rWlRVgv5qQSoY9
MD5:	D02300D803850C3B0681E16130FECEE4
SHA1:	6411815E2A908432A640719ECFE003B43BBBA35C
SHA-256:	B938C8CD68B15EC62F053045A764D8DD38162A75373B305B4CF1392AC05DF5F9
SHA-512:	6FAD1836614869AB3BB624BDA9943CEAF9E197B17CA4F4FFE78699492B72F95EEE02AE1BB07C0508438956BEF10CC1E656DDF75D0EDC9EF71A3860AF39075564
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<..Vx...x...x...q...p.....\|.....p.....\|......z.......z.....o...3..s...x...-......z......y......y...Richx...........PE..d......g.........." .........................................................P............`.........................................P...............0..\....................@..X....v..T............................;..8............0.........@....................text............................... ..`.rdata..b....0......................@..@.data...X(......."..................@....pdata..............................@..@.rsrc...\....0......................@..@.reloc..X....@......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\win32\win32trace.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.281874510289411
Encrypted:	false
SSDEEP:	384:9eeH8ZmV+zknwMswDuVQO0T8DmMel2/QEVR7AWCq5yn9ukF1B3:N+zi/uVQ1Q/QEVR1NUpB
MD5:	965E9833F4CD7A45C2C1EE85EFC2DA3B
SHA1:	3C6888194AD30E17DC5EEA7418133A541BCDDF07
SHA-256:	5ECD0274DC220312824BB3086B3E129E38A9DCB06913A2F6173A94DC256BF4C5
SHA-512:	F8C4E0C82A8229B3BDB897B536EE73B5D2A9A2810B73DCC77C880961A9A16E43746234A108A9A15BF18638FCFB3086E0F5EEFD85D5BF6F799718DC6F199C4A26
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(U.wF..wF..wF......wF...G..wF...C..wF...B..wF...E..wF.D.G..wF...G..wF...G..wF..wG..wF.D.O..wF.D.F..wF.D.D..wF.Rich.wF.................PE..d......g.........." .....,...,.......(....................................................`......................................... Q..T...tQ..........d....p.......................G..T...........................0H..8............@...............................text....*.......,.................. ..`.rdata.......@.......0..............@..@.data...(....`.......L..............@....pdata.......p.......R..............@..@.rsrc...d............V..............@..@.reloc...............Z..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\win32com\shell\shell.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	modified
Size (bytes):	535040
Entropy (8bit):	6.1723495244729625
Encrypted:	false
SSDEEP:	12288:SBetHVSFgAXb3MWUF6w7FK3oHPl8eqTOU:SQkgAL3Md983C8eq
MD5:	43AA404015B0CEE369E941DC30B3F4B0
SHA1:	A34CBA0D08A17934D84B16FCFF5282367EAA08AA
SHA-256:	3FB83E9A14901321324F17D11DA50802B6777733E1EE0FD4F89DB0FD09C61690
SHA-512:	A8548F39F371B2389EEA45DA4248FFC015F5B243E957BD12B88661DB91D4D745A1CD1E772BDD6C739A87E69A88947FB58248BB394E1C5D21C0A9324EFC87724B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........#t.wM'.wM'.wM'...'.wM'..L&.wM'..H&.wM'..I&.wM'..N&.wM'..I&.wM'..L&.wM'!.L&.wM'..K&.wM'..L&.wM'.wL'.wM'!.D&.wM'!.M&.wM'!.O&.wM'Rich.wM'........PE..d...}..g.........." .....2................................................................`.............................................L...<...........L....0..${..............h!......T...............................8............P..(............................text....0.......2.................. ..`.rdata.......P.......6..............@..@.data........P...`...(..............@....pdata..${...0...\|..................@..@.rsrc...L...........................@..@.reloc..h!......."..................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI70282\yarl\_quoting_c.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	97280
Entropy (8bit):	5.965911733978745
Encrypted:	false
SSDEEP:	1536:xtuirzB429BT5WTY4yBRmWHdRfIIGrzf9NzeXzf2RUd:xtugP5y7uf9N81NzeDuRU
MD5:	1C6C610E5E2547981A2F14F240ACCF20
SHA1:	4A2438293D2F86761EF84CFDF99A6CA86604D0B8
SHA-256:	4A982FF53E006B462DDF7090749BC06EBB6E97578BE04169489D27E93F1D1804
SHA-512:	F6EA205A49BF586D7F3537D56B805D34584A4C2C7D75A81C53CE457A4A438590F6DBEDED324362BFE18B86FF5696673DE5FBE4C9759AD121B5E4C9AE2EF267C0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:m.]~...~...~...wt..z...n...\|...5t..\|...n...}...n...v...n...r.......}...~.......5.......5.......5.g.....5.......Rich~...........................PE..d....."g.........." ...)............P.....................................................`..........................................Y..d....Z..x...............................,....G...............................F..@............ ...............................text............................... ..`.rdata...N... ...P..................@..@.data...P7...p.......`..............@....pdata...............l..............@..@.rsrc................x..............@..@.reloc..,............z..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_ARC4.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	4.640339306680604
Encrypted:	false
SSDEEP:	192:dLklddyTHThob0q/tJRrlDfNYSOcqgYCWt:ZgcdZq/JJD6gRWt
MD5:	BCD8CAAF9342AB891BB1D8DD45EF0098
SHA1:	EE7760BA0FF2548F25D764F000EFBB1332BE6D3E
SHA-256:	78725D2F55B7400A3FCAFECD35AF7AEB253FBC0FFCDF1903016EB0AABD1B4E50
SHA-512:	8B6FB53AECB514769985EBFDAB1B3C739024597D9C35905E04971D5422256546F7F169BF98F9BAF7D9F42A61CFF3EE7A20664989D3000773BF5EDA10CB3A0C24
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^J.6?$.6?$.6?$.?G..2?$.dJ%.4?$.}G%.5?$.6?%..?$.dJ!.<?$.dJ .>?$.dJ'.5?$..J,.7?$..J$.7?$..J..7?$..J&.7?$.Rich6?$.........................PE..d...Y..f.........." ................P........................................p............`..........................................'......0(..d....P.......@...............`..(....!...............................!..8............ ...............................text............................... ..`.rdata..Z.... ......................@..@.data...H....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......(..............@..@.reloc..(....`.......*..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_Salsa20.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.0194545642425075
Encrypted:	false
SSDEEP:	192:4t/1nCuqaL0kt7AznuRmceS4lDFhAlcqgcLg:F/k1ACln4lDogcLg
MD5:	F19CB847E567A31FAB97435536C7B783
SHA1:	4C8BFE404AF28C1781740E7767619A5E2D2FF2B7
SHA-256:	1ECE1DC94471D6977DBE2CEEBA3764ADF0625E2203D6257F7C781C619D2A3DAD
SHA-512:	382DC205F703FC3E1F072F17F58E321E1A65B86BE7D9D6B07F24A02A156308A7FEC9B1A621BA1F3428FD6BB413D14AE9ECB2A2C8DD62A7659776CFFDEBB6374C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.j.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...Z..f.........." ................P.....................................................`..........................................8......H9..d....`.......P..L............p..(....1...............................1..8............0...............................text...h........................... ..`.rdata..r....0......................@..@.data...H....@.......,..............@....pdata..L....P......................@..@.rsrc........`.......2..............@..@.reloc..(....p.......4..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_chacha20.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.037456384995606
Encrypted:	false
SSDEEP:	192:st/1nCuqaL0ktPMn1ENe3erKr5br0YbsiDw6a9lkOcqgRGd:p/kpMIodrXbsiDS95gRGd
MD5:	DC14677EA8A8C933CC41F9CCF2BEDDC1
SHA1:	A6FB87E8F3540743097A467ABE0723247FDAF469
SHA-256:	68F081E96AE08617CF111B21EDED35C1774A5EF1223DF9A161C9445A78F25C73
SHA-512:	3ABA4CFCBBE4B350AB3230D488BD75186427E3AAAF38D19E0E1C7330F16795AD77FB6E26FF39AF29EAF4F5E8C42118CB680F90AFBFCA218AEDA64DC444675BA2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.j.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...Z..f.........." ................P.....................................................`......................................... 8.......8..d....`.......P..d............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......*..............@....pdata..d....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..(....p.......2..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_pkcs1_decode.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.09191874780435
Encrypted:	false
SSDEEP:	192:rMVsiXeqVb0lIb0Pj5Jdfpm68WZDInU282tacqgYLg:rM7ali0Pj5JxCaDuUlgYLg
MD5:	C09BB8A30F0F733C81C5C5A3DAD8D76D
SHA1:	46FD3BA87A32D12F4EE14601D1AD73B78EDC81D1
SHA-256:	8A1B751DB47CE7B1D3BD10BEBFFC7442BE4CFB398E96E3B1FF7FB83C88A8953D
SHA-512:	691AC74FAE930E9CEABE782567EFB99C50DD9B8AD607DD7F99A5C7DF2FA2BEB7EDFE2EBB7095A72DA0AE24E688FBABD340EAE8B646D5B8C394FEE8DDD5E60D31
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^:.6?T.6?T.6?T.?G..2?T.dJU.4?T.}GU.5?T.6?U..?T.dJQ.<?T.dJP.>?T.dJW.5?T..J\.7?T..JT.7?T..J..7?T..JV.7?T.Rich6?T.........................PE..d...X..f.........." ................P.....................................................`.........................................`8.......8..d....`.......P..(............p..(....1...............................1..8............0...............................text............................... ..`.rdata..6....0....... ..............@..@.data...x....@......................@....pdata..(....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..(....p.......6..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_aes.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	6.541423493519083
Encrypted:	false
SSDEEP:	384:f/UlZA5PUEllvxL/7v/iKBt5ByU0xGitqzSEkxGG7+tpKHb/LZ7fr52EkifcMxme:klcR7JriEbwDaS4j990th9VDBV
MD5:	0AB25F99CDAACA6B11F2ECBE8223CAD5
SHA1:	7A881B3F84EF39D97A31283DE6D7B7AE85C8BAE6
SHA-256:	6CE8A60D1AB5ADC186E23E3DE864D7ADF6BDD37E3B0C591FA910763C5C26AF60
SHA-512:	11E89EEF34398DF3B144A0303E08B3A4CAF41A9A8CA618C18135F561731F285F8CF821D81179C2C45F6EEB0E496D9DD3ECF6FF202A3C453C80AFEF8582D06C17
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^J.6?$.6?$.6?$.?G..2?$.dJ%.4?$.}G%.5?$.6?%..?$.dJ!.<?$.dJ .>?$.dJ'.5?$..J,.7?$..J$.7?$..J..7?$..J&.7?$.Rich6?$.........................PE..d...V..f.........." .....H...H......P.....................................................`.........................................p...........d...............................0......................................8............`...............................text...xG.......H.................. ..`.rdata.."6...`...8...L..............@..@.data...H...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..0...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_aesni.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.367749645917753
Encrypted:	false
SSDEEP:	192:YiJBj5fq/Rk0kPLhOZ3UucCWuSKPEkA2bD9JXx03cqg5YUMLgs:/k1kTMZEjCWNaA2DTx0g5YUMLg
MD5:	B6EA675C3A35CD6400A7ECF2FB9530D1
SHA1:	0E41751AA48108D7924B0A70A86031DDE799D7D6
SHA-256:	76EF4C1759B5553550AB652B84F8E158BA8F34F29FD090393815F06A1C1DC59D
SHA-512:	E31FD33E1ED6D4DA3957320250282CFD9EB3A64F12DE4BD2DFE3410F66725164D96B27CAA34C501D1A535A5A2442D5F070650FD3014B4B92624EE00F1C3F3197
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.z.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...V..f.........." ......... ......P.....................................................`..........................................9......$:..d....`.......P...............p..(....1...............................1..8............0.. ............................text............................... ..`.rdata.......0......."..............@..@.data...8....@.......2..............@....pdata.......P.......4..............@..@.rsrc........`.......8..............@..@.reloc..(....p.......:..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_arc2.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	5.41148259289073
Encrypted:	false
SSDEEP:	192:w3d9FkHaz0EJvrj+CYuz7ucc9dG7otDr22KcqgOiewZjW:YkHEJzj+X6769lDzagO/w
MD5:	F14E1AA2590D621BE8C10321B2C43132
SHA1:	FD84D11619DFFDF82C563E45B48F82099D9E3130
SHA-256:	FCE70B3DAFB39C6A4DB85D2D662CB9EB9C4861AA648AD7436E7F65663345D177
SHA-512:	A86B9DF163007277D26F2F732ECAB9DBCA8E860F8B5809784F46702D4CEA198824FDEF6AB98BA7DDC281E8791C10EABA002ABDA6F975323B36D5967E0443C1E4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...W..f.........." ....."... ......P.....................................................`.........................................pI.......J..d....p.......`..................(....B...............................B..8............@...............................text...( .......".................. ..`.rdata..<....@.......&..............@..@.data...H....P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..(............>..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_blowfish.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20992
Entropy (8bit):	6.041302713678401
Encrypted:	false
SSDEEP:	384:kUX0JfbRz5MLZA0nmwzMDYpJgLa0Mp8NDBcxgprAM:6NbRzWXwDqgLa1uBfP
MD5:	B127CAE435AEB8A2A37D2A1BC1C27282
SHA1:	2A7BF8BF7F24B2381370BA6B41FB640EE42BDCCD
SHA-256:	538B1253B5929254ED92129FA0957DB26CDDF34A8372BA0BF19D20D01549ADA3
SHA-512:	4FE027E46D5132CA63973C67BD5394F2AC74DD4BBCFE93CB16136FAB4B6BF67BECB5A0D4CA359FF9426DA63CA81F793BBF1B79C8A9D8372C53DCB5796D17367E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...W..f.........." .....$...0......P.....................................................`.........................................0Y.......Y..d............p..................0....Q...............................R..8............@...............................text....".......$.................. ..`.rdata.......@... ...(..............@..@.data...H....`.......H..............@....pdata.......p.......J..............@..@.rsrc................N..............@..@.reloc..0............P..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_cast.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	6.530656045206549
Encrypted:	false
SSDEEP:	384:cEDwUBi9SPu71omZXmrfXA+UA10ol31tuXVYdAgYj:FsUBXmoEXmrXA+NNxWFYfo
MD5:	2E15AA6F97ED618A3236CFA920988142
SHA1:	A9D556D54519D3E91FA19A936ED291A33C0D1141
SHA-256:	516C5EA47A7B9A166F2226ECBA79075F1A35EFFF14D87E00006B34496173BB78
SHA-512:	A6C75C4A285753CC94E45500E8DD6B6C7574FB7F610FF65667F1BEC8D8B413FC10514B7D62F196C2B8D017C308C5E19E2AEF918021FA81D0CB3D8CED37D8549A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.j.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...W..f.........." .....$...>............................................................`..........................................h.......i..d...............................0....a...............................a..8............@...............................text....#.......$.................. ..`.rdata..:-...@.......(..............@..@.data...H....p.......V..............@....pdata...............X..............@..@.rsrc................\..............@..@.reloc..0............^..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_cbc.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.7080156150187396
Encrypted:	false
SSDEEP:	192:lF/1n7Guqaj0ktfEJwX1fYwCODR3lncqg0Gd6l:RGXkJEm1feODxDg0Gd6
MD5:	40390F2113DC2A9D6CFAE7127F6BA329
SHA1:	9C886C33A20B3F76B37AA9B10A6954F3C8981772
SHA-256:	6BA9C910F755885E4D356C798A4DD32D2803EA4CFABB3D56165B3017D0491AE2
SHA-512:	617B963816838D649C212C5021D7D0C58839A85D4D33BBAF72C0EC6ECD98B609080E9E57AF06FA558FF302660619BE57CC974282826AB9F21AE0D80FBAA831A1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...X..f.........." ................P.....................................................`..........................................8.......8..d....`.......P..X............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..(....p......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_cfb.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	5.159963979391524
Encrypted:	false
SSDEEP:	192:kblRgfeqfz0RP767fB4A84DgVD6eDcqgzbkLgmf:BwRj67p84Dg6eVgzbkLgmf
MD5:	899895C0ED6830C4C9A3328CC7DF95B6
SHA1:	C02F14EBDA8B631195068266BA20E03210ABEABC
SHA-256:	18D568C7BE3E04F4E6026D12B09B1FA3FAE50FF29AC3DEAF861F3C181653E691
SHA-512:	0B4C50E40AF92BC9589668E13DF417244274F46F5A66E1FC7D1D59BC281969BA319305BECEA119385F01CC4603439E4B37AFA2CF90645425210848A02839E3E7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^..6?..6?..6?..?G..2?..dJ..4?..}G..5?..6?...?..dJ..<?..dJ..>?..dJ..5?...J..7?...J..7?...Jk.7?...J..7?..Rich6?..................PE..d...Y..f.........." ................P.....................................................`..........................................8......x9..d....`.......P..d............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......(..............@....pdata..d....P.......*..............@..@.rsrc........`......................@..@.reloc..(....p.......0..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_ctr.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.270418334522813
Encrypted:	false
SSDEEP:	192:vktJ1gifqQGRk0IP73AdXdmEEEEEm9uhiFEQayDZVMcqgnF6+6Lg:vkdU1ID3AdXd49urQPDggnUjLg
MD5:	C4C525B081F8A0927091178F5F2EE103
SHA1:	A1F17B5EA430ADE174D02ECC0B3CB79DBF619900
SHA-256:	4D86A90B2E20CDE099D6122C49A72BAE081F60EB2EEA0F76E740BE6C41DA6749
SHA-512:	7C06E3E6261427BC6E654B2B53518C7EAA5F860A47AE8E80DC3F8F0FED91E122CB2D4632188DC44123FB759749B5425F426CD1153A8F84485EF0491002B26555
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^z.6?..6?..6?..?G..2?..dJ..4?..}G..5?..6?...?..dJ..<?..dJ..>?..dJ..5?...J..7?...J..7?...J..7?...J..7?..Rich6?..........................PE..d...Y..f.........." ......... ......P.....................................................`.........................................`9.......:..d....`.......P...............p..(....1...............................1..8............0.. ............................text............................... ..`.rdata.......0....... ..............@..@.data........@.......0..............@....pdata.......P.......2..............@..@.rsrc........`.......6..............@..@.reloc..(....p.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_des.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	56832
Entropy (8bit):	4.231032526864278
Encrypted:	false
SSDEEP:	384:0qcmHBeNL1dO/qHkpnYcZiGKdZHDLY84vnKAnK2rZA21agVF:fEiqHHx4vZDV
MD5:	F9E266F763175B8F6FD4154275F8E2F0
SHA1:	8BE457700D58356BC2FA7390940611709A0E5473
SHA-256:	14D2799BE604CBDC668FDE8834A896EEE69DAE0E0D43B37289FCCBA35CEF29EC
SHA-512:	EB3E37A3C3FF8A65DEF6FA20941C8672A8197A41977E35AE2DC6551B5587B84C2703758320559F2C93C0531AD5C9D0F6C36EC5037669DC5CE78EB3367D89877B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........PK..1%..1%..1%..I...1%.D$..1%.I$..1%..1$..1%.D ..1%.D!..1%.D&..1%..D-..1%..D%..1%..D...1%..D'..1%.Rich.1%.........................PE..d...X..f.........." .....6...................................................0............`.................................................\...d...............l............ ..0... ...............................@...8............P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...H...........................@....pdata..l...........................@..@.rsrc...............................@..@.reloc..0.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_des3.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	4.252429732285762
Encrypted:	false
SSDEEP:	384:J4cmHBeIzNweVy/CHkRnYcZiGKdZHDLq80vnKAnKBrZGsURygUX:GEO6CHnX0vZb7
MD5:	DECF524B2D53FCD7D4FA726F00B3E5FC
SHA1:	E87C6ED4004F2772B888C5B5758AA75FE99D2F6F
SHA-256:	58F7053EE70467D3384C73F299C0DFD63EEF9744D61D1980D9D2518974CA92D4
SHA-512:	EAFF4FD80843743E61CE635FBADF4E5D9CF2C3E97F3C48350BD9E755F4423AC6867F9FE8746BD5C54E1402B18E8A55AEEF7ACA098C7CF4186DC4C1235EB35DF2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........PK..1%..1%..1%..I...1%.D$..1%.I$..1%..1$..1%.D ..1%.D!..1%.D&..1%..D-..1%..D%..1%..D...1%..D'..1%.Rich.1%.........................PE..d...X..f.........." .....8...................................................0............`.....................................................d............................ ..0... ...............................@...8............P...............................text...X7.......8.................. ..`.rdata......P.......<..............@..@.data...H...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..0.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_ecb.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.690163963718492
Encrypted:	false
SSDEEP:	192:Yddz2KTnThIz0qfteRY4zp+D3PLui8p1cqgHCWt:k2E9RqfCXp+D3juRpLgiWt
MD5:	80BB1E0E06ACAF03A0B1D4EF30D14BE7
SHA1:	B20CAC0D2F3CD803D98A2E8A25FBF65884B0B619
SHA-256:	5D1C2C60C4E571B88F27D4AE7D22494BED57D5EC91939E5716AFA3EA7F6871F6
SHA-512:	2A13AB6715B818AD62267AB51E55CD54714AEBF21EC9EA61C2AEFD56017DC84A6B360D024F8682A2E105582B9C5FE892ECEBD2BEF8A492279B19FFD84BC83FA5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@................../....../...../......+.......*......-......&....................,....Rich...........................PE..d...X..f.........." ................P........................................p............`.........................................0'.......'..P....P.......@...............`..(....!...............................!..8............ ...............................text............................... ..`.rdata....... ......................@..@.data...H....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..(....`.......&..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_eksblowfish.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	6.1215844022564285
Encrypted:	false
SSDEEP:	384:nUX0JfbRwUtPMbNv37t6K5jwbDEpJgLa0Mp8xCkgJrAm:jNbRw8EbxwKBwbD+gLa1nh
MD5:	3727271FE04ECB6D5E49E936095E95BC
SHA1:	46182698689A849A8C210A8BF571D5F574C6F5B1
SHA-256:	3AF5B35DCD5A3B6C7E88CEE53F355AAFFF40F2C21DABD4DE27DBB57D1A29B63B
SHA-512:	5BED1F4DF678FE90B8E3F1B7C4F68198463E579209B079CB4A40DCAC01CE26AA2417DBE029B196F6F2C6AFAD560E2D1AF9F089ABE37EAD121CA10EE69D9659ED
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...W..f.........." .....(...0......P.....................................................`.........................................0Y.......Y..d............p..................0....Q...............................R..8............@...............................text...H'.......(.................. ..`.rdata.......@... ...,..............@..@.data...H....`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..0............T..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_ocb.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	5.293810509074883
Encrypted:	false
SSDEEP:	384:4PHoDUntQjNB+/yw/pogeXOvXoTezczOo3p9iJgDQ3iNgnVbwhA:dUOhBcDRogeXOfoTezcio3pUJgDQ3i+
MD5:	78AEF441C9152A17DD4DC40C7CC9DF69
SHA1:	6BB6F8426AFA6522E647DFC82B1B64FAF3A9781F
SHA-256:	56E4E4B156295F1AAA22ECB5481841DE2A9EB84845A16E12A7C18C7C3B05B707
SHA-512:	27B27E77BE81B29D42359FE28531225383860BCD19A79044090C4EA58D9F98009A254BF63585979C60B3134D47B8233941ABB354A291F23C8641A4961FA33107
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...Y..f.........." .....(... ......P.....................................................`.........................................pI......lJ..d....p.......`..................(....A...............................A..8............@...............................text....'.......(.................. ..`.rdata.......@.......,..............@..@.data........P.......<..............@....pdata.......`.......>..............@..@.rsrc........p.......B..............@..@.reloc..(............D..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Cipher\_raw_ofb.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	4.862619033406922
Encrypted:	false
SSDEEP:	96:0Ga+F/1NtJ9t4udqaj01rlALnNNJSS2sP+YEdMN+F9FdKaWDULk+VOmWbucX6gR7:PF/1n7Guqaj0ktfEON+bMDUlJcqg0Gd
MD5:	19E0ABF76B274C12FF624A16713F4999
SHA1:	A4B370F556B925F7126BF87F70263D1705C3A0DB
SHA-256:	D9FDA05AE16C5387AB46DC728C6EDCE6A3D0A9E1ABDD7ACB8B32FC2A17BE6F13
SHA-512:	D03033EA5CF37641FBD802EBEB5019CAEF33C9A78E01519FEA88F87E773DCA92C80B74BA80429B530694DAD0BFA3F043A7104234C7C961E18D48019D90277C8E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...Y..f.........." ................P.....................................................`..........................................8.......8..d....`.......P..X............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......$..............@....pdata..X....P.......&..............@..@.rsrc........`.......*..............@..@.reloc..(....p.......,..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_BLAKE2b.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.227045547076371
Encrypted:	false
SSDEEP:	192:saF/1n7Guqaj0ktrE8o2o+V2rQnjt1wmg9jtveDn4clG6VcqgOvgdd:swGXkFE8Zo+AojO9jZeDf5rgOvgz
MD5:	309D6F6B0DD022EBD9214F445CAC7BB9
SHA1:	ABD22690B7AD77782CFC0D2393D0C038E16070B0
SHA-256:	4FBE188C20FB578D4B66349D50AA6FFE4AB86844FB6427C57738F36780D1E2E2
SHA-512:	D1951FE92F83E7774E8E877815BED6E6216D56EF18B7F1C369D678CB6E1814243659E9FA7ABC0D22FB5B34A9D50A51D5A89BA00AE1FDD32157FD0FF9902FB4B7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...U..f.........." ................P.....................................................`..........................................8.......9..d....`.......P..@............p..(....2...............................2..8............0...............................text...x........................... ..`.rdata.......0....... ..............@..@.data...H....@......................@....pdata..@....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..(....p.......6..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_BLAKE2s.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.176369829782773
Encrypted:	false
SSDEEP:	192:rF/1n7Guqaj0ktrESsrUW+SBjsK5tcQmEreD2mf1AoxkVcqgOvgXQ:rGXkFE/UW575tA2eDp1Ao2rgOvgX
MD5:	D54FEB9A270B212B0CCB1937C660678A
SHA1:	224259E5B684C7AC8D79464E51503D302390C5C9
SHA-256:	032B83F1003A796465255D9B246050A196488BAC1260F628913E536314AFDED4
SHA-512:	29955A6569CA6D039B35BB40C56AEEB75FC765600525D0B469F72C97945970A428951BAB4AF9CD21B3161D5BBA932F853778E2674CA83B14F7ABA009FA53566F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...U..f.........." ................P.....................................................`..........................................8.......9..d....`.......P..@............p..(....2...............................2..8............0...............................text...h........................... ..`.rdata.......0......................@..@.data...H....@.......,..............@....pdata..@....P......................@..@.rsrc........`.......2..............@..@.reloc..(....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_MD2.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.047563322651927
Encrypted:	false
SSDEEP:	384:6alCvH32p3/2pnEhKnLg9yH8puzoFaPERIQAvHD9CIg5kP:5CvHmp3OpnEhmLg9yH8puzoFaPERIQgI
MD5:	52DCD4151A9177CF685BE4DF48EA9606
SHA1:	F444A4A5CBAE9422B408420115F0D3FF973C9705
SHA-256:	D54375DC0652358A6E4E744F1A0EAEEAD87ACCD391A20D6FF324FE14E988A122
SHA-512:	64C54B89F2637759309ECC6655831C3A6755924ED70CBC51614061542EB9BA9A8AECF6951EB3AB92447247DC4D7D846C88F4957DBBE4484A9AB934343EE27178
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...Q..f.........." ......... ......P.....................................................`.........................................@9.......9..d....`.......P..(............p..(....2...............................2..8............0...............................text...X........................... ..`.rdata..@....0......................@..@.data...x....@......................@....pdata..(....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..(....p.......6..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_MD4.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.09893680790018
Encrypted:	false
SSDEEP:	192:xsiXeqVb0lwbH4P01sAD7I/9hAkwDWzBEbcqgqLg:valqH4M1sAD7KvpwDFtgqLg
MD5:	F929B1A3997427191E07CF52AC883054
SHA1:	C5EA5B68586C2FB09E5FDD20D4DD616D06F5CBA6
SHA-256:	5386908173074FABD95BF269A9DF0A4E1B21C0576923186F449ABF4A820F6A8E
SHA-512:	2C79DBCE2C21214D979AB86DD989D41A3AFA7FCB7F3B79BA9974E2EE8F832DD7CA20C1C87C0C380DB037D776FE6D0851D60AD55A08AFDE0003B7E59214DD2F3B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...R..f.........." ................P.....................................................`.........................................08.......8..d....`.......P..(............p..(....1...............................2..8............0...............................text............................... ..`.rdata..0....0......................@..@.data........@.......,..............@....pdata..(....P......................@..@.rsrc........`.......2..............@..@.reloc..(....p.......4..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_MD5.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.451865349855574
Encrypted:	false
SSDEEP:	384:KfwogDHER1wuiDSyoGTgDZOviNgEPrLg:ugDHELwuiDScTgDwi+EP
MD5:	1FA5E257A85D16E916E9C22984412871
SHA1:	1AC8EE98AD0A715A1B40AD25D2E8007CDC19871F
SHA-256:	D87A9B7CAD4C451D916B399B19298DC46AAACC085833C0793092641C00334B8E
SHA-512:	E4205355B647C6E28B7E4722328F51DC2EB3A109E9D9B90F7C53D7A80A5A4B10E40ABDDAB1BA151E73EF3EB56941F843535663F42DCE264830E6E17BB659EADF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...R..f.........." ..... ..........P.....................................................`..........................................8......`9..d....`.......P..X............p..(....1...............................1..8............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........@.......2..............@....pdata..X....P.......4..............@..@.rsrc........`.......8..............@..@.reloc..(....p.......:..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_RIPEMD160.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.104245335186531
Encrypted:	false
SSDEEP:	192:3F/1n7Guqaj0kt7/Ev9kt0Qwac6QzD8iD0QocqgI4G0S:nGXkd/EvGt9wacNDvAgI4v
MD5:	FAD578A026F280C1AE6F787B1FA30129
SHA1:	9A3E93818A104314E172A304C3D117B6A66BEB55
SHA-256:	74A1FF0801F4704158684267CD8E123F83FB6334FE522C1890AC4A0926F80AB1
SHA-512:	ACF8F5B382F3B4C07386505BBDCAF625D13BCC10AA93ED641833E3548261B0AD1063E2F59BE2FCD2AFAF3D315CB3FC5EB629CEFC168B33CFD65A3A6F1120F7FF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...U..f.........." ......... ......P.....................................................`..........................................9.......:..d....`.......P...............p..(...@3..............................`3..8............0...............................text...H........................... ..`.rdata.......0......................@..@.data...H....@.......,..............@....pdata.......P......................@..@.rsrc........`.......2..............@..@.reloc..(....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_SHA1.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	5.671305741258107
Encrypted:	false
SSDEEP:	384:APHoDUntQj0sKhDOJ+0QPSfu6rofDjiZzgE+kbwb:VUOYsKNO466DjoUE+
MD5:	556E6D0E5F8E4DA74C2780481105D543
SHA1:	7A49CDEF738E9FE9CD6CD62B0F74EAD1A1774A33
SHA-256:	247B0885CF83375211861F37B6DD1376AED5131D621EE0137A60FE7910E40F8B
SHA-512:	28FA0CE6BDBCC5E95B80AADC284C12658EF0C2BE63421AF5627776A55050EE0EA0345E30A15B744FC2B2F5B1B1BBB61E4881F27F6E3E863EBAAEED1073F4CDA1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h..9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...R..f.........." ...............P.....................................................`..........................................H......hI..d....p.......`..X...............(....A...............................A..8............@...............................text....).......*.................. ..`.rdata.......@......................@..@.data........P.......<..............@....pdata..X....`.......>..............@..@.rsrc........p.......B..............@..@.reloc..(............D..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_SHA224.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	5.878701941774916
Encrypted:	false
SSDEEP:	384:EJWo4IRCGHX1KXqHGcvYHp5RYcARQOj4MSTjqgPmJD1OhgkxEv:EcIRnHX1P/YtswvaD1Rk
MD5:	2F2655A7BBFE08D43013EDDA27E77904
SHA1:	33D51B6C423E094BE3E34E5621E175329A0C0914
SHA-256:	C734ABBD95EC120CB315C43021C0E1EB1BF2295AF9F1C24587334C3FCE4A5BE1
SHA-512:	8AF99ACC969B0E560022F75A0CDCAA85D0BDEADADEACD59DD0C4500F94A5843EA0D4107789C1A613181B1F4E5252134A485EF6B1D9D83CDB5676C5FEE4D49B90
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...S..f.........." .....6... ......P.....................................................`.........................................@Z......([..d............p..................(....R...............................R..8............P...............................text....5.......6.................. ..`.rdata..x....P.......:..............@..@.data........`.......J..............@....pdata.......p.......L..............@..@.rsrc................P..............@..@.reloc..(............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_SHA256.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	5.881781476285865
Encrypted:	false
SSDEEP:	384:EJWo4IRCGHXfKXqHGcvYHp5RYcARQOj4MSTjqgPmJD12gkxEv:EcIRnHXfP/YtswvaD1zk
MD5:	CDE035B8AB3D046B1CE37EEE7EE91FA0
SHA1:	4298B62ED67C8D4F731D1B33E68D7DC9A58487FF
SHA-256:	16BEA322D994A553B293A724B57293D57DA62BC7EAF41F287956B306C13FD972
SHA-512:	C44FDEE5A210459CE4557351E56B2D357FD4937F8EC8EACEAB842FEE29761F66C2262FCBAAC837F39C859C67FA0E23D13E0F60B3AE59BE29EB9D8ABAB0A572BB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...S..f.........." .....6... ......P.....................................................`.........................................@Z......([..d............p..................(....R...............................R..8............P...............................text....5.......6.................. ..`.rdata..x....P.......:..............@..@.data........`.......J..............@....pdata.......p.......L..............@..@.rsrc................P..............@..@.reloc..(............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_SHA384.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26624
Entropy (8bit):	5.837887867708438
Encrypted:	false
SSDEEP:	768:e839Cc4itui0gel9soFdkO66MlPGXmXcyYDTzks:Ns4u/FZ6nPxMLDvk
MD5:	999D431197D7E06A30E0810F1F910B9A
SHA1:	9BFF781221BCFFD8E55485A08627EC2A37363C96
SHA-256:	AB242B9C9FB662C6F7CB57F7648F33983D6FA3BB0683C5D4329EC2CC51E8C875
SHA-512:	A5DD92DD471ADB44EEFE5919EF9CA3978724E21174DF5B3A9C1F0AB462F928E5A46A460D02417DB7522F5DE3BFEED5EEE6B1EAFAF3E621722E85E72675F7096F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...T..f.........." .....H..."......P.....................................................`..........................................k.......l..d...............................(...pd...............................d..8............`...............................text....F.......H.................. ..`.rdata.......`.......L..............@..@.data................^..............@....pdata...............`..............@..@.rsrc................d..............@..@.reloc..(............f..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_SHA512.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26624
Entropy (8bit):	5.895310340516013
Encrypted:	false
SSDEEP:	768:lcX9Nf4ttui0gel9soFdkO66MlPGXmXc/vDTOvk:a38u/FZ6nPxM3DAk
MD5:	0931ABBF3AED459B1A2138B551B1D3BB
SHA1:	9EC0296DDAF574A89766A2EC035FC30073863AB0
SHA-256:	1729A0DC6B80CB7A3C07372B98B10D3C6C613EA645240878E1FDE6A992FA06F1
SHA-512:	9F970BB4D10B94F525DDDDE307C7DA5E672BBFB3A3866A34B89B56ADA99476724FD690A4396857182749294F67F36DB471A048789FB715D2A7DAF46917FC1947
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...T..f.........." .....H..."......P.....................................................`.........................................@l......(m..d...............................(....d...............................e..8............`...............................text...hG.......H.................. ..`.rdata..x....`.......L..............@..@.data................^..............@....pdata...............`..............@..@.rsrc................d..............@..@.reloc..(............f..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_ghash_clmul.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	4.967737129255606
Encrypted:	false
SSDEEP:	192:dMpWt/1nCuqaL0kt7TsEx2fiTgDZqGF0T7cqgkLgJ:k/k1Ts64DDJyBgkLg
MD5:	5F057A380BACBA4EF59C0611549C0E02
SHA1:	4B758D18372D71F0AA38075F073722A55B897F71
SHA-256:	BCB14DAC6C87C24269D3E60C46B49EFFB1360F714C353318F5BBAA48C79EC290
SHA-512:	E1C99E224745B86EE55822C1DBCB4555A11EC31B72D87B46514917EB61E0258A1C6D38C4F592969C17EB4F0F74DA04BCECA31CF1622720E95F0F20E9631792E8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^J.6?$.6?$.6?$.?G..2?$.dJ%.4?$.}G%.5?$.6?%..?$.dJ!.<?$.dJ .>?$.dJ'.5?$..J,.7?$..J$.7?$..J..7?$..J&.7?$.Rich6?$.........................PE..d...V..f.........." ................P.....................................................`.........................................P8.......8..d....`.......P...............p..(....1...............................1..8............0...............................text............................... ..`.rdata..2....0......................@..@.data...H....@.......(..............@....pdata.......P.......*..............@..@.rsrc........`......................@..@.reloc..(....p.......0..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_ghash_portable.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.007867576025166
Encrypted:	false
SSDEEP:	192:bMt/1nCuqaL0ktPH0T7fwtF4zDn2rGacqgRGd:1/kpU3Yv4zDXqgRGd
MD5:	49BCA1B7DF076D1A550EE1B7ED3BD997
SHA1:	47609C7102F5B1BCA16C6BAD4AE22CE0B8AEE9E9
SHA-256:	49E15461DCB76690139E71E9359F7FCF92269DCCA78E3BFE9ACB90C6271080B2
SHA-512:	8574D7FA133B72A4A8D1D7D9FDB61053BC88C2D238B7AC7D519BE19972B658C44EA1DE433885E3206927C75DD5D1028F74999E048AB73189585B87630F865466
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.j.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...V..f.........." ................P.....................................................`..........................................8.......8..d....`.......P..X............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......*..............@....pdata..X....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..(....p.......2..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_keccak.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	5.226023387740053
Encrypted:	false
SSDEEP:	384:rfRKTN+HLjRskTdf4WazSTkwjEvuY2bylHDiYIgovg:mcHfRl5pauoSjy5DiE
MD5:	CB5CFDD4241060E99118DEEC6C931CCC
SHA1:	1E7FED96CF26C9F4730A4621CA9D18CECE3E0BCE
SHA-256:	A8F809B6A417AF99B75EEEEA3ECD16BDA153CBDA4FFAB6E35CE1E8C884D899C4
SHA-512:	8A89E3563C14B81353D251F9F019D8CBF07CB98F78452B8522413C7478A0D77B9ABF2134E4438145D6363CDA39721D2BAE8AD13D1CDACCBB5026619D95F931CF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...U..f.........." ..... ... ......P.....................................................`..........................................9.......9..d....`.......P..X............p..(...p2...............................2..8............0...............................text............ .................. ..`.rdata..@....0.......$..............@..@.data........@.......4..............@....pdata..X....P.......6..............@..@.rsrc........`.......:..............@..@.reloc..(....p.......<..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Hash\_poly1305.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.262055670423592
Encrypted:	false
SSDEEP:	192:C/ZN2eq/b04PAHH41F6fnVS0sVn+5CA5Z1cD66WGcqgFjLg:vI4IHHaQfSVnCZyDImgFjLg
MD5:	18D2D96980802189B23893820714DA90
SHA1:	5DEE494D25EB79038CBC2803163E2EF69E68274C
SHA-256:	C2FD98C677436260ACB9147766258CB99780A007114AED37C87893DF1CF1A717
SHA-512:	0317B65D8F292332C5457A6B15A77548BE5B2705F34BB8F4415046E3E778580ABD17B233E6CC2755C991247E0E65B27B5634465646715657B246483817CACEB7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...V..f.........." ................P.....................................................`..........................................8.......9..d....`.......P..\|............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......."..............@..@.data........@.......0..............@....pdata..\|....P.......2..............@..@.rsrc........`.......6..............@..@.reloc..(....p.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Math\_modexp.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.913843738203007
Encrypted:	false
SSDEEP:	384:dspbXtHQY4ubrttQza9CHnZXQsnecAlOF0qZLAXxQI3Sya6XPpMg3Yx8MnDcCPSq:7Y44UagH6cAFCLUSYpMg3YDzPo5kG9G
MD5:	EF472BA63FD22922CA704B1E7B95A29E
SHA1:	700B68E7EF95514D5E94D3C6B10884E1E187ACD8
SHA-256:	66EEF4E6E0CEEEF2C23A758BFBEDAE7C16282FC93D0A56ACAFC40E871AC3F01C
SHA-512:	DC2060531C4153C43ABF30843BCB5F8FA082345CA1BB57F9AC8695EDDB28FF9FDA8132B6B6C67260F779D95FCADCAE2811091BCA300AB1E041FAE6CC7B50ABD8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..P~...~...~...w.3.x...,...\|...5...}...~...U...,...u...,...v...,...}.......\|............._.............Rich~...................PE..d...^..f.........." .....`...0......`.....................................................`..........................................~..\|...L...d...............<...............(....q...............................q..8............p..(............................text...X^.......`.................. ..`.rdata.......p.......d..............@..@.data................x..............@....pdata..<...........................@..@.rsrc...............................@..@.reloc..(...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Protocol\_scrypt.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.735350805948923
Encrypted:	false
SSDEEP:	192:rhsC3eqv6b0q3OQ3rHu5bc64OhD2I/p3cqgONLg:r/Hq3jHuY64OhDJJgONLg
MD5:	3B1CE70B0193B02C437678F13A335932
SHA1:	063BFD5A32441ED883409AAD17285CE405977D1F
SHA-256:	EB2950B6A2185E87C5318B55132DFE5774A5A579259AB50A7935A7FB143EA7B1
SHA-512:	0E02187F17DFCFD323F2F0E62FBFE35F326DCF9F119FC8B15066AFAEEE4EB7078184BC85D571B555E9E67A2DD909EC12D8A67E3D075E9B1283813EF274E05C0D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^:.6?T.6?T.6?T.?G..2?T.dJU.4?T.}GU.5?T.6?U..?T.dJQ.<?T.dJP.>?T.dJW.5?T..J\.7?T..JT.7?T..J..7?T..JV.7?T.Rich6?T.........................PE..d...Z..f.........." ................P.....................................................`..........................................8..d....8..d....`.......P..4............p..(....1...............................1..8............0...............................text...H........................... ..`.rdata..0....0......................@..@.data........@.......&..............@....pdata..4....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..(....p......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\PublicKey\_curve25519.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22528
Entropy (8bit):	5.705606408072877
Encrypted:	false
SSDEEP:	384:19BcRxBmau38CYIl9bhgIW0mvufueNr359/tjGGDEFSegqrA:NcRy38J+9dmvufFtaGDV
MD5:	FF33C306434DEC51D39C7BF1663E25DA
SHA1:	665FCF47501F1481534597C1EAC2A52886EF0526
SHA-256:	D0E3B6A2D0E073B2D9F0FCDB051727007943A17A4CA966D75EBA37BECDBA6152
SHA-512:	66A909DC9C3B7BD4050AA507CD89B0B3A661C85D33C881522EC9568744953B698722C1CBFF093F9CBCD6119BD527FECAB05A67F2E32EC479BE47AFFA4377362C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...\..f.........." .....6...$......P.....................................................`.........................................`Y......`Z..d............p..................(....R..............................0R..8............P...............................text...(5.......6.................. ..`.rdata.......P.......:..............@..@.data........`.......J..............@....pdata.......p.......P..............@..@.rsrc................T..............@..@.reloc..(............V..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\PublicKey\_curve448.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	6.0189903352673655
Encrypted:	false
SSDEEP:	1536:Jfju4GgRMgWWnEDZiECgd/iwOXUQdbhov0Clb8Cx4hpK8ithLFIDullRPwDHxXOa:pXRMgWiEDZiECgd/iwOXUQdbhov0ClbU
MD5:	F267BF4256F4105DAD0D3E59023011ED
SHA1:	9BC6CA0F375CE49D5787C909D290C07302F58DA6
SHA-256:	1DDE8BE64164FF96B2BAB88291042EB39197D118422BEE56EB2846E7A2D2F010
SHA-512:	A335AF4DBF1658556ED5DC13EE741419446F7DAEC6BD2688B626A803FA5DD76463D6367C224E0B79B17193735E2C74BA417C26822DAEEF05AC3BAB1588E2DE83
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..P~...~...~...w.3.x...,...\|...5...}...~...U...,...u...,...v...,...}.......\|............._.............Rich~...................PE..d...\..f.........." .........8......`........................................P............`.............................................0.......d....0....... ..$............@..(.......................................8............................................text...8........................... ..`.rdata..............................@..@.data...............................@....pdata..$.... ......................@..@.rsrc........0......................@..@.reloc..(....@......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\PublicKey\_ec_ws.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	770560
Entropy (8bit):	7.613224993327352
Encrypted:	false
SSDEEP:	12288:XtIrHoxJ8gf1266y8IXhJvCKAmqVLzcrZgYIMGv1iLD9yQvG6h:XtIrHoxJFf1p34hcrn5Go9yQO6
MD5:	1EFD7F7CB1C277416011DE6F09C355AF
SHA1:	C0F97652AC2703C325AB9F20826A6F84C63532F2
SHA-256:	AB45FA80A68DB1635D41DC1A4AAD980E6716DAC8C1778CB5F30CDB013B7DF6E6
SHA-512:	2EC4B88A1957733043BBD63CEAA6F5643D446DB607B3267FAD1EC611E6B0AF697056598AAC2AE5D44AB2B9396811D183C32BCE5A0FF34E583193A417D1C5226B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........s.. .. .. ... .. ..!.. ..!.. .. .. ..!.. ..!.. ..!.. \..!.. \..!.. \.r .. \..!.. Rich.. ................PE..d...[..f.........." ................`.....................................................`.............................................h.......d...............................0......................................8...............(............................text............................... ..`.rdata..............................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..0...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\PublicKey\_ed25519.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26112
Entropy (8bit):	5.8551858881598795
Encrypted:	false
SSDEEP:	384:BczadRwoF2MZ81n0XTyMCYIl9bhgIW0mv8aeadRcwRwftjGLD2pRQNgQQ77k:2udRf2MuMJ+9dmv8aea34taLDcfQ
MD5:	C5FB377F736ED731B5578F57BB765F7A
SHA1:	5BA51E11F4DE1CAEDEBA0F7D4D10EC62EC109E01
SHA-256:	32073DF3D5C85ABCE7D370D6E341EF163A8350F6A9EDC775C39A23856CCFDD53
SHA-512:	D361BCDAF2C700D5A4AC956D96E00961432C05A1B692FC870DB53A90F233A6D24AA0C3BE99E40BD8E5B7C6C1B2BCDCDCFC545292EF321486FFC71C5EA7203E6A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...]..f.........." .....B...&......P.....................................................`..........................................i..0....k..d...............................(... b..............................@b..8............`...............................text....A.......B.................. ..`.rdata..P....`.......F..............@..@.data........p.......V..............@....pdata...............^..............@..@.rsrc................b..............@..@.reloc..(............d..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\PublicKey\_ed448.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84992
Entropy (8bit):	6.064677498000638
Encrypted:	false
SSDEEP:	1536:BrYNvxcZeLrIeNs2qkTwe57DsuP45PqAqVDK9agdUiwOXyQdDrov0slb8gx4TBKW:Br4vxcZeLrIeN1TvHsuP45yAqVDK9ag3
MD5:	8A0C0AA820E98E83AC9B665A9FD19EAF
SHA1:	6BF5A14E94D81A55A164339F60927D5BF1BAD5C4
SHA-256:	4EE3D122DCFFE78E6E7E76EE04C38D3DC6A066E522EE9F7AF34A09649A3628B1
SHA-512:	52496AE7439458DEDB58A65DF9FFDCC3A7F31FC36FE7202FB43570F9BB03ABC0565F5EF32E5E6C048ED3EBC33018C19712E58FF43806119B2FB5918612299E7E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..P~...~...~...w.3.x...,...\|...5...}...~...U...,...u...,...v...,...}.......\|............._.............Rich~...................PE..d...^..f.........." .........8......`.....................................................`..........................................C..h...HE..d....p.......`..l...............(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......4..............@....pdata..l....`.......>..............@..@.rsrc........p.......H..............@..@.reloc..(............J..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Util\_cpuid_c.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.675380950473425
Encrypted:	false
SSDEEP:	96:frQRpBddzAvzrqTOy/ThIz014mlxuLnkC75JiSBhsPeSztllIDpqf4AZaRcX6gnO:Qddz2KTnThIz0qfteRIDgRWcqgnCWt
MD5:	44B930B89CE905DB4716A548C3DB8DEE
SHA1:	948CBFF12A243C8D17A7ACD3C632EE232DF0F0ED
SHA-256:	921C2D55179C0968535B20E9FD7AF55AD29F4CE4CF87A90FE258C257E2673AA5
SHA-512:	79DF755BE8B01D576557A4CB3F3200E5EE1EDE21809047ABB9FF8D578C535AC1EA0277EDA97109839A7607AF043019F2C297E767441C7E11F81FDC87FD1B6EFC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@................../....../...../......+.......*......-......&....................,....Rich...........................PE..d...X..f.........." ................P........................................p............`.........................................@'..\|....'..P....P.......@...............`..(....!...............................!..8............ ...............................text............................... ..`.rdata....... ......................@..@.data...H....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..(....`.......&..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Crypto\Util\_strxor.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.625428549874022
Encrypted:	false
SSDEEP:	96:flipBddzAvzrqTOy/ThIz014mlxuLnkC75JiSBhsPeSzteXuDVZqYNIfcX6gHCWx:Cddz2KTnThIz0qfteR5DVwYkcqgHCWt
MD5:	F24F9356A6BDD29B9EF67509A8BC3A96
SHA1:	A26946E938304B4E993872C6721EB8CC1DCBE43B
SHA-256:	034BB8EFE3068763D32C404C178BD88099192C707A36F5351F7FDB63249C7F81
SHA-512:	C4D3F92D7558BE1A714388C72F5992165DD7A9E1B4FA83B882536030542D93FDAD9148C981F76FFF7868192B301AC9256EDB8C3D5CE5A1A2ACAC183F96C1028B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@................../....../...../......+.......*......-......&....................,....Rich...........................PE..d...Z..f.........." ................P........................................p............`......................................... '..t....'..P....P.......@...............`..(....!...............................!..8............ ...............................text...h........................... ..`.rdata..`.... ......................@..@.data...H....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..(....`.......&..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_ARC4.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	4.704418348721006
Encrypted:	false
SSDEEP:	96:nDzsc9VD9daQ2iTrqT+6Zdp/Q0I1uLfcC75JiC4Rs89EcYyGDj90OcX6gY/7ECFV:Dzs69damqTrpYTst0E5DjPcqgY/79X
MD5:	85F144F57905F68ECBF14552BAB2F070
SHA1:	83A20193E6229EA09DCCAE8890A74DBDD0A76373
SHA-256:	28696C8881D9C9272DE4E54ABE6760CD4C6CB22AD7E3FEABAF6FF313EC9A9EAF
SHA-512:	533EB4073594BFE97850DFF7353439BACD4E19539E247EE00D599F3468E162D2D88C5CA32322772538A73706DF9A6DD14553B35F47C686D2E20D915FAB766BDA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...b..b..b..R...b..Uc..b.Rc..b..c..b..Ug..b..Uf..b..Ua..b..j..b..b..b....b..`..b.Rich.b.................PE..d...O..e.........." ...%............P........................................p............`.........................................P(.......(..d....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata..,.... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......(..............@..@.reloc..,....`.......*..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_Salsa20.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	4.968532257508093
Encrypted:	false
SSDEEP:	96:JF3rugNlF/1Nt5aSd4+1ijg0NLfFNJSCqsstXHTeH5ht47qMbxbfDq4wYH/kcX6G:tF/1nb2mhQtkXHTeZ87VDqyMcqgYvEp
MD5:	14A20ED2868F5B3D7DCFEF9363CB1F32
SHA1:	C1F2EF94439F42AA39DCDE1075DEFAC8A6029DC6
SHA-256:	A072631CD1757D5147B5E403D6A96EF94217568D1DC1AE5C67A1892FBF61409E
SHA-512:	33BE8B3733380C3ADFE5D2844819C754FB11FCBC7AA75DA8FBB4D6CEF938E7D3267FBD215B9666DCFA5795D54484360A61DAF193BC75B57C252D44E5F9F0D855
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...P..e.........." ...%............P.....................................................`..........................................8......x9..d....`.......P..L............p..,....3...............................1..@............0...............................text...(........................... ..`.rdata.......0......................@..@.data...8....@.......*..............@....pdata..L....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..,....p.......2..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_chacha20.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.061520684813544
Encrypted:	false
SSDEEP:	192:cdF/1nb2mhQtkXn0t/WS60YYDEbqvdvGyv9lkVcqgYvEMo:e2f6XSZ6XYD5vdvGyv9MgYvEMo
MD5:	E2AB7EECFD020CFDEBA6DD3ADD732EB7
SHA1:	26975087F7AC8001830CAD4151003DBCABF82126
SHA-256:	85BCF0FD811ADE1396E3A93EEEF6BC6B88D5555498BA09C164FAA3092DACDEFF
SHA-512:	EB45126A07128E0FA8DC2B687F833BA95BB8703D7BC06E5C34F828EAEF062CFCA56D8A51A73B20DFA771595F6C6D830B659B5C0EB62467C61E95C97C4A73398D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...P..e.........." ...%............P.....................................................`..........................................8.......9..d....`.......P..d............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......,..............@....pdata..d....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_pkcs1_decode.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.236611028290556
Encrypted:	false
SSDEEP:	192:osiHXqpoUol3xZhRyQX5lDnRDFFav+tcqgRvE:K6D+XBDfDgRvE
MD5:	7FA5B1642D52FABFE1D3EBD1080056D4
SHA1:	56B9E87D613EE9A8B6B71A93ED5FA1603886139A
SHA-256:	88C7EC96B9E1D168005B3A8727AAA7F76B4B2985083ED7A9FB0A2AB02446E963
SHA-512:	9E0BF47060A2B7AC8FFD2CB8B845D44013C068BFE74926A67496D79BCB513506625BDA1DDF18ECE7777D1379F036506F19457D0A43FA618A8F75664C47798E64
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...........R......U.....R............U......U......U................}.........Rich...........................PE..d...N..e.........." ...%............P.....................................................`..........................................9.......9..d....`.......P..\|............p..,....3...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...h....@.......,..............@....pdata..\|....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_aes.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	6.558039926510444
Encrypted:	false
SSDEEP:	384:Dz5P+7nYpPMedFDlDchrVX1mEVmT9ZgkoD/PKDkGuF0U390QOo8VdbKBWmuTLg46:DzdqWB7YJlmLJ3oD/S4j990th9VTsC
MD5:	E63FC8375E1D8C47FBB84733F38A9552
SHA1:	995C32515AA183DA58F970CEDC6667FAE166615A
SHA-256:	F47F9C559A9C642DA443896B5CD24DE74FED713BDF6A9CD0D20F5217E4124540
SHA-512:	4213189F619E7AA71934033CABA401FE93801B334BA8D8EAFEDA89F19B13224C516E4BB4F4F93F6AE2C21CD8F5586D3FFAC3D16CB1242183B9302A1F408F6F6A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...b..b..b..R...b..Uc..b.Rc..b..c..b..Ug..b..Uf..b..Ua..b..j..b..b..b....b..`..b.Rich.b.................PE..d...L..e.........." ...%.H...H......P.....................................................`.................................................,...d...............................4... ...................................@............`...............................text....F.......H.................. ..`.rdata..d6...`...8...L..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_aesni.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	5.285246086368036
Encrypted:	false
SSDEEP:	192:jJBjJHEkEPYi3Xd+dc26E4++yuqAyXW9wifD4mqccqgwYUMvEW:ZkRwi3wO26Ef+yuIm9PfDewgwYUMvE
MD5:	A914F3D22DA22F099CB0FBFBBB75DDBF
SHA1:	2834AEB657CA301D722D6D4D1672239C83BE97E3
SHA-256:	4B4DBF841EC939EF9CC4B4F1B1BA436941A3F2AF2F4E34F82C568DFC09BA0358
SHA-512:	15BF5FCE53FB2C524054D02C2E48E3DDC4EAC0C1F73325D58B04DFE17259C208FFAC0A7C634FBC2CF1A08E7F28C1FD456061BA0838F4316EB37514E1E8D4C95F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........TX..:...:...:.....:..;...:...;...:...;...:..?...:..>...:..9...:..R2...:..R:...:..R....:..R8...:.Rich..:.................PE..d...L..e.........." ...%. ... ......P.....................................................`..........................................9......D:..d....`.......P...............p..,....3...............................1..@............0.. ............................text...h........ .................. ..`.rdata.......0.......$..............@..@.data...(....@.......4..............@....pdata.......P.......6..............@..@.rsrc........`.......:..............@..@.reloc..,....p.......<..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_arc2.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	5.505232918566824
Encrypted:	false
SSDEEP:	192:9d9VkyQ5f8vjVaCHpKpTTjaNe7oca2DWZQ2dhmdcqgwNeecBih:rkP5cjIGpKlqD2DakzgwNeE
MD5:	9F1A2A9D731E7755EE93C82C91FA5FE2
SHA1:	41085FBE84E1B98A795871033034FA1F186274EF
SHA-256:	17F3EAF463868B015583BD611BE5251E36AAB616522FF4072011B3D72F6F552F
SHA-512:	7E29D4729837D87AEF34CFA7B1F86DFBB81907CD11FC575C4ED1B8A956409492315BFA76ADE4D7C51E51E37E5D098A7F4FEE4C58D86D0E6245A4AA0D392D488A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...L..e.........." ...%."... ......P.....................................................`.........................................0J.......J..d....p.......`..................,....C...............................B..@............@...............................text....!.......".................. ..`.rdata.......@.......&..............@..@.data...8....P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..,............>..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_blowfish.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20992
Entropy (8bit):	6.061115794354147
Encrypted:	false
SSDEEP:	384:pUv5cJMOZA0nmwBD+XpJgLa0Mp8QHg4P2llyM:GK1XBD+DgLa1gTi
MD5:	883DE82B3B17F95735F579E78A19D509
SHA1:	3EC7259ACA3730B2A6F4E1CA5121DB4AB41C619E
SHA-256:	67FF6C8BBDC9E33B027D53A26DF39BA2A2AD630ACCE1BAC0B0583CA31ADF914F
SHA-512:	602915EAA0933F5D1A26ECC1C32A8367D329B12794CBF2E435B1704E548858E64710AB52BC6FC14FC98DF0B8EEBDE2B32A35BCF935079CC8E2412C07DF5303FD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...L..e.........." ...%.$...0......P.....................................................`.........................................pY.......Z..d............p..................4...@S...............................R..@............@...............................text....".......$.................. ..`.rdata..L....@... ...(..............@..@.data...8....`.......H..............@....pdata.......p.......J..............@..@.rsrc................N..............@..@.reloc..4............P..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_cast.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25088
Entropy (8bit):	6.475398255636883
Encrypted:	false
SSDEEP:	384:Zc6HLZiMDFuGu+XHZXmrfXA+UA10ol31tuXy7IYgLWi:q6H1TZXX5XmrXA+NNxWi0dLWi
MD5:	0AC22DA9F0B2F84DE9D2B50D457020C1
SHA1:	682E316AE958121D0E704CAB0F78CCAD42C77573
SHA-256:	480C79C713AD15328E9EB9F064B90BCDCB5AAD149236679F97B61218F6D2D200
SHA-512:	11C04D55C5E73583D658E0918BD5A37C7585837A6E0F3C78AEF10A5D7A5C848B0620028177A9D9B0AD5DB882B2A26624F92BEFC9BC8F8A23C002723E50DD80A5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...M..e.........." ...%.$...@............................................................`.........................................@i.......i..d...............................4....b...............................a..@............@...............................text....#.......$.................. ..`.rdata.......@...0...(..............@..@.data...8....p.......X..............@....pdata...............Z..............@..@.rsrc................^..............@..@.reloc..4............`..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_cbc.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.839420412830416
Encrypted:	false
SSDEEP:	192:CF/1nb2mhQtkr+juOxKbDbRHcqgYvEkrK:42f6iuOsbDXgYvEmK
MD5:	6840F030DF557B08363C3E96F5DF3387
SHA1:	793A8BA0A7BDB5B7E510FC9A9DDE62B795F369AE
SHA-256:	B7160ED222D56925E5B2E247F0070D5D997701E8E239EC7F80BCE21D14FA5816
SHA-512:	EDF5A4D5A3BFB82CC140CE6CE6E9DF3C8ED495603DCF9C0D754F92F265F2DCE6A83F244E0087309B42930D040BF55E66F34504DC1C482A274AD8262AA37D1467
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...N..e.........." ...%............P.....................................................`..........................................8.......9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_cfb.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	4.905258571193623
Encrypted:	false
SSDEEP:	192:fRgPX8lvI+KnwSDTPUDEnKWPXcqgzQkvEd:4og9rUD/mpgzQkvE
MD5:	7256877DD2B76D8C6D6910808222ACD8
SHA1:	C6468DB06C4243CE398BEB83422858B3FED76E99
SHA-256:	DBF703293CFF0446DFD15BBAEDA52FB044F56A353DDA3BECA9AADD8A959C5798
SHA-512:	A14D460D96845984F052A8509E8FC44439B616EEAE46486DF20F21CCAA8CFB1E55F1E4FA2F11A7B6AB0A481DE62636CEF19EB5BEF2591FE83D415D67EB605B8E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K............RQ.....U.....R............U......U......U..................=..........Rich...................PE..d...N..e.........." ...%..... ......P.....................................................`..........................................9.......9..d....`.......P..d............p..,....3...............................1..@............0...............................text...(........................... ..`.rdata.......0......................@..@.data...8....@.......,..............@....pdata..d....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_ctr.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.300728193650235
Encrypted:	false
SSDEEP:	192:jGYJ1gSHxKkwv0i8XSi3Sm57NEEE/qexUEtDr6krRcqgUF6+6vEX:jR01si8XSi3SACqe7tDlDgUUjvE
MD5:	B063D73E5AA501060C303CAFBC72DAD3
SHA1:	8C1CA04A8ED34252EB233C993DDBA17803E0B81E
SHA-256:	98BACA99834DE65FC29EFA930CD9DBA8DA233B4CFDFC4AB792E1871649B2FE5C
SHA-512:	8C9AD249F624BDF52A3C789C32532A51D3CC355646BD725553A738C4491EA483857032FB20C71FD3698D7F68294E3C35816421DFF263D284019A9A4774C3AF05
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K,..B..B..B..R...B..UC..B.RC..B..C..B..UG..B..UF..B..UA..B..J..B..B..B....B..@..B.Rich.B.........................PE..d...O..e.........." ...%..... ......P.....................................................`..........................................9......x:..d....`.......P...............p..,....3...............................1..@............0.. ............................text............................... ..`.rdata.......0....... ..............@..@.data........@.......0..............@....pdata.......P.......2..............@..@.rsrc........`.......6..............@..@.reloc..,....p.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_des.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57856
Entropy (8bit):	4.260136375669177
Encrypted:	false
SSDEEP:	384:9RUqVT1dZ/GHkJnYcZiGKdZHDLtiduprZvZY0JAIg+v:9rHGHfJidIK
MD5:	3AEA5302F7F03EDEFF49D1C119C61693
SHA1:	DBDDE1C10B253744153FC1F47C078AAACCF3F3A6
SHA-256:	E5DDA67D4DF47B7F00FF17BE6541CA80BDB4B60E1F6FD1A7D7F115DDF7683EE5
SHA-512:	DD42C24EDAF7E1B25A51BC8C96447496B3289C612C395CA7BD8BF60A162229C2E0CA0432CDDF1CB2D65D80189DB02BEE42FFD0E7DD9E5FC19278CA3FD593AB2C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A.........................................................K......K......Ki.....K.....Rich...........................PE..d...M..e.........." ...%.8...................................................0............`.....................................................d...............l............ ..4...................................@...@............P...............................text....7.......8.................. ..`.rdata..f....P.......<..............@..@.data...8...........................@....pdata..l...........................@..@.rsrc...............................@..@.reloc..4.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_des3.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	58368
Entropy (8bit):	4.276947153784193
Encrypted:	false
SSDEEP:	384:98Uqho9weF5/eHkRnYcZiGKdZHDL7idErZ8ZYXGg:9gCneH//idv2
MD5:	BA5BA714AEBFD8130EB6E0983FBAE20B
SHA1:	3309C26A9083EC3AD982DD3D6630FCC16465F251
SHA-256:	861167DFEB390261E538D635EAD213E81C1166D8D85A496774FBF2EBFF5A4332
SHA-512:	309CC3FD8DB62517AE70B404C5ACD01052F10582A17123135CD1A28D3A74AB28F90A8E7ED7D2061A4B6C082F85E98DA822D43986FC99367B288A72BA9F8B5569
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A.........................................................K......K......Ki.....K.....Rich...........................PE..d...N..e.........." ...%.:...................................................0............`.................................................P...d............................ ..4...................................@...@............P...............................text...x9.......:.................. ..`.rdata.......P.......>..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..4.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_ecb.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.579354442149926
Encrypted:	false
SSDEEP:	96:j0qVVdJvbrqTu6ZdpvY0IluLfcC75JiCKs89EpmFWLOXDwoYPj15XkcX6gbW6z:pVddiT7pgTctEEI4qXDe11kcqgbW6
MD5:	1C74E15EC55BD8767968024D76705EFC
SHA1:	C590D1384D2207B3AF01A46A5B4F7A2AE6BCAD93
SHA-256:	0E3EC56A1F3C86BE1CAA503E5B89567AA91FD3D6DA5AD4E4DE4098F21270D86B
SHA-512:	E96CA56490FCE7E169CC0AB803975BAA8B5ACB8BBAB5047755AE2EEAE177CD4B852C0620CD77BCFBC81AD18BB749DEC65D243D1925288B628F155E8FACDC3540
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.`.r.`.r.`.{...p.`.g.a.p.`.9.a.q.`.r.a.Q.`.g.e.y.`.g.d.z.`.g.c.q.`.H.h.s.`.H.`.s.`.H...s.`.H.b.s.`.Richr.`.................PE..d...N..e.........." ...%............P........................................p............`.........................................p'......((..P....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_eksblowfish.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	6.143744403797058
Encrypted:	false
SSDEEP:	384:7Uv5cRUtPQtjLJiKMjNrDF6pJgLa0Mp8Qy0gYP2lXCM:UKR8I+K0lDFQgLa1WzU
MD5:	E7826C066423284539BD1F1E99BA0CC6
SHA1:	DA7372EEB180C2E9A6662514A8FA6261E04AC6DC
SHA-256:	0E18B7C2686BB954A8EE310DD5FDB76D00AC078A12D883028BFFC336E8606DA2
SHA-512:	55F8B00B54F3C3E80803D5A3611D5301E29A2C6AF6E2CAA36249AEBA1D4FCC5A068875B34D65106C137F0455F11B20226B48EEF687F5EA73DFEA3C852BF07050
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...M..e.........." ...%.(...0......P.....................................................`.........................................pY.......Z..d............p..................4...@S...............................R..@............@...............................text...X'.......(.................. ..`.rdata..T....@... ...,..............@..@.data...8....`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..4............T..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_ocb.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	5.353670931504009
Encrypted:	false
SSDEEP:	384:tPHNP3Mj7Be/yB/6sB3yxcb+IMcOYqQViCBD8Ng6Vf4A:DPcnB8KSsB34cb+bcOYpMCBDB
MD5:	D5DB7192A65D096433F5F3608E5AD922
SHA1:	22AD6B635226C8F6B94F85E4FBFB6F8C18B613C8
SHA-256:	FAB286E26160820167D427A4AAB14BE4C23883C543E2B0C353F931C89CEA3638
SHA-512:	5503E83D68D144A6D182DCC5E8401DD81C1C98B04B5ED24223C77D94B0D4F2DD1DD05AED94B9D619D30D2FE73DFFA6E710664FFC71B8FA53E735F968B718B1D9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...O..e.........." ...%.(... ......P.....................................................`..........................................I.......J..d....p.......`..................,....C...............................A..@............@...............................text....'.......(.................. ..`.rdata..8....@.......,..............@..@.data........P.......<..............@....pdata.......`.......>..............@..@.rsrc........p.......B..............@..@.reloc..,............D..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Cipher\_raw_ofb.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.741875402338703
Encrypted:	false
SSDEEP:	192:sCF/1nb2mhQtkgU7L9D0E7tfcqgYvEJPb:N2f6L9D5JxgYvEJj
MD5:	134F891DE4188C2428A2081E10E675F0
SHA1:	22CB9B0FA0D1028851B8D28DAFD988D25E94D2FD
SHA-256:	F326AA2A582B773F4DF796035EC9BF69EC1AD11897C7D0ECFAB970D33310D6BA
SHA-512:	43CE8AF33630FD907018C62F100BE502565BAD712AD452A327AE166BD305735799877E14BE7A46D243D834F3F884ABF6286088E30533050ED9CD05D23AACAEAB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...O..e.........." ...%............P.....................................................`..........................................8.......9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_BLAKE2b.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.213290591994899
Encrypted:	false
SSDEEP:	192:oF/1nb2mhQtkRySMfJ2ycxFzShJD9dAal2QDeJKcqgQx2QY:C2fKRQB2j8JD4fJagQx2QY
MD5:	7D6979D69CD34652D5A3A197300AB65C
SHA1:	E9C7EF62B7042B3BAC75B002851C41EFEEE343CE
SHA-256:	2365B7C2AF8BBAC3844B7BEF47D5C49C234A159234A153515EB0634EEC0557CC
SHA-512:	CBDBE0DF4F6CB6796D54969B0EEF06C0CDA86FF34A2B127BF0272C819FB224D6E5393D5C9B31E53A24EAC9A3A1AEA6E0854A8D7911CF7C4C99292C931B8B05DF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...J..e.........." ...%..... ......P.....................................................`..........................................9......\|:..d....`.......P..@............p..,....3...............................2..@............0...............................text...X........................... ..`.rdata.......0....... ..............@..@.data...8....@.......0..............@....pdata..@....P.......2..............@..@.rsrc........`.......6..............@..@.reloc..,....p.......8..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_BLAKE2s.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.181893965844124
Encrypted:	false
SSDEEP:	192:cF/1nb2mhQt7fSOp/CJPvADQoKtxSOvbcqgEvcM+:22fNKOZWPIDMxVlgEvL
MD5:	C3BA97B2D8FFFDB05F514807C48CABB2
SHA1:	7BC7FBDE6A372E5813491BBD538FD49C0A1B7C26
SHA-256:	4F78E61B376151CA2D0856D2E59976670F5145FBABAB1EEC9B2A3B5BEBB4EEF6
SHA-512:	57C1A62D956D8C6834B7BA81C2D125A40BF466E833922AE3759CF2C1017F8CAF29F4502A5A0BCBC95D74639D86BAF20F0335A45F961CFCAC39B4ED81E318F4EB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...K..e.........." ...%..... ......P.....................................................`.........................................09.......9..d....`.......P..@............p..,....3...............................2..@............0...............................text...8........................... ..`.rdata..4....0......................@..@.data...8....@......................@....pdata..@....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..,....p.......6..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_MD2.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.1399121410532445
Encrypted:	false
SSDEEP:	192:HsiHXqpo0cUp8XnUp8XjEQnlDtTI6rcqgcx2:J6DcUp8XUp8AclDy69gcx2
MD5:	BB4CF5E97D4031B47CC7B7DAEDA005DD
SHA1:	4F596DCE9A8546AE22BA8851B22FCE62C2C69973
SHA-256:	325512FF7E0261AF1DA4760C5A8BB8BA7BA8C532F0068D770621CD2CC89E04C6
SHA-512:	93088745BA922918A8EBC20C7043DA4C3C639245547BE665D15625B7F808EC0BF120841ACEEFCE71134921EF8379821769DE35D32CCCC55E6B391C57C7F4D971
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...A..e.........." ...%..... ......P.....................................................`..........................................9......0:..d....`.......P..(............p..,....4...............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data...h....@......................@....pdata..(....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..,....p.......6..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_MD4.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.204576067987685
Encrypted:	false
SSDEEP:	192:JsiHXqpwUiv6wPf+4WVrd1DFrXqwWwcqgfvE:36biio2Pd1DFrlgfvE
MD5:	D2131380B7760D5BC3C2E1772C747830
SHA1:	DA5838E1C6DF5EC45AC0963E98761E9188A064D0
SHA-256:	6DB786B30F6682CD699E22D0B06B873071DCC569557B6EB6EC1416689C0890FE
SHA-512:	594939FB1D9154E15106D4B4AA9EF51A6AE5062D471ED7C0779A8E3D84D8F4B1481529015E0926A3489119DA37BE6CFE70C70ED695A6E84F6AF8F65402F6AAB5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...B..e.........." ...%............P.....................................................`.........................................p8...... 9..d....`.......P..(............p..,...@3...............................2..@............0...............................text...X........................... ..`.rdata..p....0......................@..@.data...p....@.......,..............@....pdata..(....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_MD5.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.4787123381499825
Encrypted:	false
SSDEEP:	192:3Z9WXA7M93g8U7soSchhiLdjM5J6ECTGmDZuRsP0rcqgjPrvE:SQ0gH7zSccA5J6ECTGmDMa89gjPrvE
MD5:	CAF687A7786892939FFF5D5B6730E069
SHA1:	96C2567A770E12C15903767A85ABF8AF57FE6D6A
SHA-256:	9001E0C50D77823D64C1891F12E02E77866B9EDE783CEF52ED4D01A32204781B
SHA-512:	0B3C9E5C1F7EF52E615D9E1E6F7D91324BAB7C97FFAFB6DBAEB229CF1B86420A3534493C34DD9FAEB4BBC3612F245248ABA34393311C31500D827538DFE24BC5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...B..e.........." ...%. ..........P.....................................................`..........................................8.......9..d....`.......P..X............p..,....3...............................1..@............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........@.......2..............@....pdata..X....P.......4..............@..@.rsrc........`.......8..............@..@.reloc..,....p.......:..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_RIPEMD160.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18432
Entropy (8bit):	5.69653684522693
Encrypted:	false
SSDEEP:	384:pkP5RjF7GsIyV6Lx41NVYaVmtShQRKAa8+D0ngkov:2nx7RI26LuuHKz8+D5N
MD5:	9762DBF0527A46F21852CA5303E245C3
SHA1:	33333912F16BB755B0631D8308D94DA2D7589127
SHA-256:	0DF91D69B8D585D2660168125E407E3CB3D87F338B3628E5E0C2BF49C9D20DB8
SHA-512:	52687C38939710C90A8C97F2C465AF8CF0309E3939255427B88BC461E27FADA79B0CB31F8BD215F72B610CAC093934C066141B9298353F04CC067C4E68B31DF0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...J..e.........." ...%.... ......P.....................................................`..........................................I.......J..d....p.......`..................,....D..............................PC..@............@...............................text....)......................... ..`.rdata.......@......................@..@.data...8....P.......>..............@....pdata.......`.......@..............@..@.rsrc........p.......D..............@..@.reloc..,............F..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_SHA1.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	5.798411671336839
Encrypted:	false
SSDEEP:	384:cPHNP3MjevhSY/8EBbVxcJ0ihTLdFDUPHgj+kf4D:mPcKvr/jUJ0sbDoAj+t
MD5:	74DAAAB71F93BCE184D507A45A88985C
SHA1:	3D09D69E94548EC6975177B482B68F86EDA32BB8
SHA-256:	E781D6DAF2BAAA2C1A45BD1CDDB21BA491442D49A03255C1E367F246F17E13BF
SHA-512:	870EC2752304F12F2F91BE688A34812AC1C75D444A0107284E3C45987639D8D07116EB98DB76931F9C8487666E1B2C163FC5743BBFC5A72F20F040670CDEB509
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...B..e.........." ...%.0..........P.....................................................`..........................................H.......I..d....p.......`..X...............,....C...............................A..@............@...............................text..../.......0.................. ..`.rdata.......@.......4..............@..@.data........P.......B..............@....pdata..X....`.......D..............@..@.rsrc........p.......H..............@..@.reloc..,............J..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_SHA224.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.86552932624144
Encrypted:	false
SSDEEP:	384:V1jwGPJHLvzcY1EEerju9LcTZ6RO3RouLKtcyDNOhwgjxo:XjwyJUYToZwOLuzDNU1j
MD5:	92587A131875FF7DC137AA6195B8BD81
SHA1:	2BA642DDC869AB329893795704BFE3F23C7B6ECB
SHA-256:	D2A9484134A65EFF74F0BDA9BB94E19C4964B6C323667D68B4F45BB8A7D499FC
SHA-512:	62823A0168B415045A093ACC67E98B5E33908380860B04AA0568B04F39DE957DA30F929459C766DC9782EFC3143DCD2F4950E3876669E680B6910C213300B565
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...F..e.........." ...%.8... ......P.....................................................`..........................................Z.......[..d............p..................,... T...............................R..@............P...............................text....6.......8.................. ..`.rdata.......P.......<..............@..@.data........`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..,............T..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_SHA256.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.867427817795374
Encrypted:	false
SSDEEP:	384:b1jwGPJHLxzcY1EEerju9LcTZ6RO3RouLKtcyDNWegjxo:ZjwyJOYToZwOLuzDNW7j
MD5:	B4E18C9A88A241FD5136FAF33FB9C96A
SHA1:	077AF274AA0336880391E2F38C873A72BFC1DE3B
SHA-256:	E50DB07E18CB84827B0D55C7183CF580FB809673BCAFBCEF60E83B4899F3AA74
SHA-512:	81A059115627025A7BBF8743B48031619C13A513446B0D035AA25037E03B6A544E013CAAEB139B1BE9BA7D0D8CF28A5E7D4CD1B8E17948830E75BDFBD6AF1653
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...D..e.........." ...%.8... ......P.....................................................`..........................................Z.......[..d............p..................,... T...............................R..@............P...............................text....6.......8.................. ..`.rdata.......P.......<..............@..@.data........`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..,............T..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_SHA384.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27136
Entropy (8bit):	5.860145427724178
Encrypted:	false
SSDEEP:	384:TFDL3RqE3MjjQ95UnLa+1WT1aA7qHofg5JptfISH2mDDFfgjVx2:xDLh98jjRe+1WT1aAeIfMzxH2mDDqj
MD5:	34A0AD8A0EB6AC1E86DC8629944448ED
SHA1:	EF54E4C92C123BE341567A0ACC17E4CEE7B9F7A8
SHA-256:	03E93C2DCC19C3A0CDD4E8EFCDE90C97F6A819DFECF1C96495FDC7A0735FAA97
SHA-512:	A38EDE4B46DC9EFA80DFB6E019379809DF78A671F782660CD778427482B0F5987FA80A42C26FB367604BAFCD4FD21ABD1C833DAF2D4AEA3A43877F54D6906E21
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...G..e.........." ...%.J..."......P.....................................................`......................................... l.......m..d...............................,....e...............................d..@............`...............................text...hH.......J.................. ..`.rdata..X....`.......N..............@..@.data................`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..,............h..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_SHA512.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27136
Entropy (8bit):	5.916758045478156
Encrypted:	false
SSDEEP:	384:LFYLXRqEnMgj969GUnLa+1WT1aA7qHofg5JptfIS320DXCElrgjhig:5YLB9Mgj0e+1WT1aAeIfMzx320DXR+j
MD5:	F028511CD5F2F925FD5A979152466CB4
SHA1:	38B8B44089B390E1F3AA952C950BDBE2CB69FBA5
SHA-256:	0FB591416CC9520C6D9C398E1EDF4B7DA412F80114F80628F84E9D4D37A64F69
SHA-512:	97C06A4DCEE7F05268D0A47F88424E28B063807FFBD94DABDCC3BF773AD933A549934916EB7339506624E97829AA5DC13321ADE31D528E8424FFDCF8C8407D4F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...I..e.........." ...%.J..."......P.....................................................`..........................................l.......m..d...............................,...@f...............................e..@............`...............................text....H.......J.................. ..`.rdata.......`.......N..............@..@.data................`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..,............h..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_ghash_clmul.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	5.0002940201841
Encrypted:	false
SSDEEP:	192:Dz/RF/1nb2mhQtk4axusjfkgZhoYDQmRjcqgQvEty:Dz/d2f64axnTTz5DTgQvEty
MD5:	87C1C89CEB6DF9F62A8F384474D27A4A
SHA1:	B0FC912A8DE5D9C18F603CD25AE3642185FFFBDD
SHA-256:	D2256A5F1D3DC6AE38B73EA2DB87735724D29CB400D00D74CF8D012E30903151
SHA-512:	C7DFB9C8E4F4AA984416BC84E829F0BB6CD87829C86BA259EE2A9BAB7C16B15362DB9EC87BF2ACED44A6BED7B1DE03DC9450665D083205B4CD4780DCF480DA01
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...b..b..b..R...b..Uc..b.Rc..b..c..b..Ug..b..Uf..b..Ua..b..j..b..b..b....b..`..b.Rich.b.................PE..d...K..e.........." ...%............P.....................................................`..........................................8......89..d....`.......P...............p..,....3...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......(..............@....pdata.......P.......*..............@..@.rsrc........`......................@..@.reloc..,....p.......0..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_ghash_portable.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.025717576776578
Encrypted:	false
SSDEEP:	192:FF/1nb2mhQtks0iiNqdF4mtPjD0HA5APYcqgYvEL2x:R2f6fFA/4GjDucgYvEL2x
MD5:	20702216CDA3F967DF5C71FCE8B9B36F
SHA1:	4D9A814EE2941A175BC41F21283899D05831B488
SHA-256:	3F73F9D59EB028B7F17815A088CEB59A66D6784FEEF42F2DA08DD07DF917DD86
SHA-512:	0802CF05DAD26E6C5575BBECB419AF6C66E48ED878F4E18E9CEC4F78D6358D751D41D1F0CCB86770A46510B993B70D2B320675422A6620CE9843E2E42193DCD8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d...K..e.........." ...%............P.....................................................`..........................................8......h9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......*..............@....pdata..X....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..,....p.......2..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_keccak.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	5.235441330454107
Encrypted:	false
SSDEEP:	192:VTRgffnRaNfBj9xih1LPK73jm6AXiN4rSRIh42gD/gvrjcqgCieT3WQ:VafgNpj9cHW3jqXeBRamD4ZgCieT
MD5:	F065FFB04F6CB9CDB149F3C66BC00216
SHA1:	B2BC4AF8A3E06255BAB15D1A8CF4A577523B03B6
SHA-256:	E263D7E722EC5200E219D6C7D8B7C1B18F923E103C44A0B5485436F7B778B7BD
SHA-512:	93E583B10D0F2BBB1D5539FF4E943A65BC67F6DFC51E5F991481574F58757F4D49A87022E551069F6FC55D690F7B1412CF5DE7DD9BEE27FB826853CE9ACC2B40
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...J..e.........." ...%."... ......P.....................................................`.........................................`I......TJ..d....p.......`..p...............,....C...............................B..@............@...............................text...(!.......".................. ..`.rdata.......@.......&..............@..@.data........P.......6..............@....pdata..p....`.......8..............@..@.rsrc........p.......<..............@..@.reloc..,............>..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Hash\_poly1305.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.133851517560629
Encrypted:	false
SSDEEP:	192:zZNGXEgvUh43G6coX2SSwmPL4V7wTdDlDaY2cqgWjvE:mVMhuGGF2L4STdDEYWgWjvE
MD5:	213AAEC146F365D950014D7FFF381B06
SHA1:	66FCD49E5B2278CD670367A4AC6704A59AE82B50
SHA-256:	CAF315A9353B2306880A58ECC5A1710BFE3AA35CFEAD7CF0528CAEE4A0629EAD
SHA-512:	0880D7D2B2C936A4B85E6C2A127B3509B76DB4751A3D8A7BB903229CABC8DE7A7F52888D67C886F606E21400DFC51C215D1CF9C976EB558EA70975412840883A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d...K..e.........." ...%..... ......P.....................................................`......................................... 9.......9..d....`.......P..\|............p..,....3...............................1..@............0...............................text...X........................... ..`.rdata..(....0......."..............@..@.data........@.......2..............@....pdata..\|....P.......4..............@..@.rsrc........`.......8..............@..@.reloc..,....p.......:..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Math\_modexp.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	35840
Entropy (8bit):	5.927928056434685
Encrypted:	false
SSDEEP:	768:KbEkzS7+k9rMUb8cOe9rs9ja+V/Mhxh56GS:KbEP779rMtcOCs0I/Mjf
MD5:	732938D696EB507AF4C37795A4F9FCEA
SHA1:	FD585EA8779C305ADBE3574BE95CFD06C9BBD01C
SHA-256:	1383269169AB4D2312C52BF944BD5BB80A36D378FD634D7C1B8C3E1FFC0F0A8C
SHA-512:	E4EBC5470F3D05D79B65BC2752A7FF40F5525CD0813BDDECCB1042EE2286B733EE172383186E89361A49CBE0B4B14F8B2CBC0F32E475101385C634120BB36676
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N4.\|.U./.U./.U./.-a/.U./....U./A-...U./.U./!U./....U./....U./....U./0....U./0....U./0../.U./0....U./Rich.U./................PE..d...S..e.........." ...%.^...0......`.....................................................`..........................................~..\|...\...d...............................,....s...............................q..@............p..(............................text...8].......^.................. ..`.rdata.......p.......b..............@..@.data................v..............@....pdata..............................@..@.rsrc...............................@..@.reloc..,...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Protocol\_scrypt.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.799297116284292
Encrypted:	false
SSDEEP:	192:UkCfXASTMeAk4OepIXcADpOX6RcqgO5vE:+JMcPepIXcADq63gO5vE
MD5:	9E7B28D6AB7280BBB386C93EF490A7C1
SHA1:	B088F65F3F6E2B7D07DDBE86C991CCD33535EF09
SHA-256:	F84667B64D9BE1BCC6A91650ABCEE53ADF1634C02A8A4A8A72D8A772432C31E4
SHA-512:	16A6510B403BF7D9ED76A654D8C7E6A0C489B5D856C231D12296C9746AC51CD372CC60CA2B710606613F7BC056A588C54EA24F9C0DA3020BBEA43E43CEEB9CA4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K............RQ.....U.....R............U......U......U..................=..........Rich...................PE..d...P..e.........." ...%............P.....................................................`..........................................8..d...$9..d....`.......P..4............p..,....3...............................1..@............0...............................text...x........................... ..`.rdata.......0......................@..@.data........@.......&..............@....pdata..4....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\PublicKey\_ec_ws.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	754688
Entropy (8bit):	7.6249603206444005
Encrypted:	false
SSDEEP:	12288:l1UrmZ9HoxJ8gf1266y8IXhJvCKAmqVLzcrZgYIMGv1iLD9yQvG6hM:XYmzHoxJFf1p34hcrn5Go9yQO6q
MD5:	102898D47B45548E7F7E5ECC1D2D1FAA
SHA1:	DDAE3A3BDD8B83AF42126245F6CB24DC2202BC04
SHA-256:	C9BF3CF5707793C6026BFF68F2681FAAD29E953ED891156163CD0B44A3628A92
SHA-512:	85A42FC08C91AFF50A9FF196D6FE8ABD99124557341B9809B62A639957B166C2A7EFEA0A042BE2D753464DF5908DF4F5FE01A91C239B744CD44A70B79EF81048
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&:..b[.Lb[.Lb[.Lk#sLd[.Lw$.M`[.L)#.Ma[.Lb[.LI[.Lw$.Mn[.Lw$.Mj[.Lw$.Ma[.LX..Mg[.LX..Mc[.LX..Lc[.LX..Mc[.LRichb[.L........................PE..d...R..e.........." ...%.n..........`.....................................................`..........................................p..d...tq..d...............0...............4...@Z...............................Y..@...............(............................text....l.......n.................. ..`.rdata...............r..............@..@.data................j..............@....pdata..0............r..............@..@.rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\PublicKey\_ed25519.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27648
Entropy (8bit):	5.792776923715812
Encrypted:	false
SSDEEP:	384:mBwi/rOF26VZW1n0n/Is42g9qhrnW0mvPauYhz35sWJftjb1Ddsla15gkbQ0e1:cL/g28Ufsxg9GmvPauYLxtX1D8kf
MD5:	717DA232A3A9F0B94AF936B30B59D739
SHA1:	F1B3676E708696585FBCB742B863C5BB913D923F
SHA-256:	B3FD73D54079903C0BE39BA605ED9BB58ECD1D683CCB8821D0C0CC795165B0C6
SHA-512:	7AF46035F9D4A5786ED3CE9F97AC33637C3428EF7183DED2AFD380265FAE6969BB057E3B5D57C990DD083A9DB2A67BEA668D4215E78244D83D7EE7E0A7B40143
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..........)......................................R......R......RE.....R.....Rich...........PE..d...R..e.........." ...%.F...(......P.....................................................`..........................................j..0....k..d...............................,...pc..............................0b..@............`...............................text...xD.......F.................. ..`.rdata.."....`.......J..............@..@.data................\..............@....pdata...............d..............@..@.rsrc................h..............@..@.reloc..,............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\PublicKey\_ed448.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67072
Entropy (8bit):	6.060435635420756
Encrypted:	false
SSDEEP:	1536:YqctkGACFI5t35q2JbL0UbkrwwOoKXyMH1B7M9rMdccdWxROpq:YqctkGACFI5t35q2JbgrwwOoqLTM9rMq
MD5:	ADF96805C070920EA90D9AB4D1E35807
SHA1:	D8FA8E29D9CDCD678DC03DA527EAF2F0C3BEF21A
SHA-256:	A36B1EDC104136E12EB6F28BD9366D30FFCEC0434684DC139314723E9C549FB7
SHA-512:	FB67C1F86CF46A63DF210061D16418589CD0341A6AA75AB49F24F99AD3CFF874BB02664706B9E2C81B7EF7300AF5BB806C412B4F069D22B72F7D9EBFFF66FE61
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N4.\|.U./.U./.U./.-a/.U./....U./A-...U./.U./!U./....U./....U./....U./0....U./0....U./0../.U./0....U./Rich.U./................PE..d...S..e.........." ...%.....8......`........................................@............`.........................................`...h.......d.... .......................0..,.......................................@............................................text............................... ..`.rdata..*...........................@..@.data...............................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..,....0......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\PublicKey\_x25519.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.488514144301916
Encrypted:	false
SSDEEP:	96:IpVVdJvbrqTu6ZdpvY0IluLfcC75JiC4cs89EfqADBhDTAbcX6gn/7EC:uVddiT7pgTctdErDDDTicqgn/7
MD5:	148E1600E9CBAF6702D62D023CAC60BC
SHA1:	4CDD8445408C4165B6E029B9966C71BC45E634A2
SHA-256:	1461AAFD4B9DC270128C89C3EB5358794C77693BB943DC7FC42AA3BB0FC52B16
SHA-512:	53155DA3FD754AF0BC30E2A51F0B579B8A83A772025CE0B4AFD01A31B8A40F46533FDA9CC3D0D32E9480DBBD7DD4A28F9DAAC11A370B0435E5E74666ACF9181C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.h.r.h.r.h.{...p.h.g.i.p.h.9.i.q.h.r.i.V.h.g.m.y.h.g.l.z.h.g.k.q.h.H.`.s.h.H.h.s.h.H...s.h.H.j.s.h.Richr.h.........................PE..d...R..e.........." ...%............P........................................p............`..........................................'..P...0(..P....P.......@...............`..,...P#..............................."..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Util\_cpuid_c.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.731194408014124
Encrypted:	false
SSDEEP:	96:lJVVdJvbrqTu6ZdpvY0IluLfcC75JiCKs89EVAElIijKDQGybMZYJWJcX6gbW6s:JVddiT7pgTctEEaEDKDuMCWJcqgbW6
MD5:	1547F8CB860AB6EA92B85D4C1B0209A1
SHA1:	C5AE217DEE073AC3D23C3BF72EE26D4C7515BD88
SHA-256:	1D2F3E627551753E58ED9A85F8D23716F03B51D8FB5394C4108EB1DC90DC9185
SHA-512:	40F0B46EE837E4568089D37709EF543A987411A17BDBAE93D8BA9F87804FB34DCA459A797629F34A5B3789B4D89BD46371AC4F00DDFE5D6B521DEA8DC2375115
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.`.r.`.r.`.{...p.`.g.a.p.`.9.a.q.`.r.a.Q.`.g.e.y.`.g.d.z.`.g.c.q.`.H.h.s.`.H.`.s.`.H...s.`.H.b.s.`.Richr.`.................PE..d...N..e.........." ...%............P........................................p............`..........................................'..\|....'..P....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..,....`.......&..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Cryptodome\Util\_strxor.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.686131723746002
Encrypted:	false
SSDEEP:	96:EiZVVdJvbrqTu6ZdpvY0IluLfcC75JiCKs89EMz3DmWMoG4BcX6gbW6O:HVddiT7pgTctEEO3DcoHcqgbW6
MD5:	16F42DE194AAEFB2E3CDEE7FA63D2401
SHA1:	BE2AB72A90E0342457A9D13BE5B6B1984875EDEA
SHA-256:	61E23970B6CED494E11DC9DE9CB889C70B7FF7A5AFE5242BA8B29AA3DA7BC60E
SHA-512:	A671EA77BC8CA75AEDB26B73293B51B780E26D6B8046FE1B85AE12BC9CC8F1D2062F74DE79040AD44D259172F99781C7E774FE40768DC0A328BD82A48BF81489
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.`.r.`.r.`.{...p.`.g.a.p.`.9.a.q.`.r.a.Q.`.g.e.y.`.g.d.z.`.g.c.q.`.H.h.s.`.H.`.s.`.H...s.`.H.b.s.`.Richr.`.................PE..d...P..e.........." ...%............P........................................p............`.........................................`'..t....'..P....P.......@...............`..,...."...............................!..@............ ...............................text...x........................... ..`.rdata....... ......................@..@.data...8....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..,....`.......&..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Pythonwin\mfc140u.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5653536
Entropy (8bit):	6.729079283804055
Encrypted:	false
SSDEEP:	49152:ULnsrdZXUTQyJa9qgUUjlQNXkW8GCBTDgHsYogTYn3s3pQMqSj+vTCfEs7ATWYls:UoJUEUYS3zUQFLOAkGkzdnEVomFHKnP+
MD5:	CD1D99DF975EE5395174DF834E82B256
SHA1:	F395ADA2EFC6433B34D5FBC5948CB47C7073FA43
SHA-256:	D8CA1DEA862085F0204680230D29BFF4D168FFF675AB4700EEAF63704D995CB3
SHA-512:	397F725E79CA2C68799CF68DFB111A1570427F3D2175D740758C387BDAA508BC9014613E997B92FC96E884F66BB17F453F8AA035731AFD022D9A4E7095616F87
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q.cu...&...&...&...'...&...'...&...'...&..&...&G..'...&G..'...&...'...&...&..&G..'...&G..'...&G..'...&G..'...&G..&...&G..'...&Rich...&................PE..d...9.:e.........." .....(-..X)......X,.......................................V.....&~V...`A..........................................:.....h.;.......?......`=..8....V. (...PU.0p..P.5.T...........................`...8............@-.P...(.:......................text....&-......(-................. ..`.rdata.......@-......,-.............@..@.data....6... <.......<.............@....pdata...8...`=..:....<.............@..@.didat..H.....?.......?.............@....rsrc.........?.......?.............@..@.reloc..0p...PU..r....T.............@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\Pythonwin\win32ui.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1143296
Entropy (8bit):	6.0410832425584795
Encrypted:	false
SSDEEP:	12288:dk6co2gGIs7ZetrV6LMEsKK+Onc8fUqzFVVppS6yZAXz:dkG2QQetrgsK79qzFHL
MD5:	F0116137D0674482247D056642DC06BF
SHA1:	5BB63FCF5E569D94B61383D1921F758BCC48EF81
SHA-256:	8ECA3ED313003D3F3DEE1B7A5CE90B50E8477EC6E986E590E5ED91C919FC7564
SHA-512:	A8D6420C491766302C615E38DAF5D9B1698E5765125FD256530508E5C0A5675A7BF2F338A22368E0B4DDFA507D8D377507376C477CF9B829E28F3C399203CDE6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*.K.K...K...K...3]..K..Y>...K.......K...3...K...>...K...>...K...>...K...K...M...>...K..Y>...K..Y>...K..Y>1..K..Y>...K..Rich.K..........................PE..d......g.........." .........r......4.....................................................`.........................................`....T..hr..h...............................l\......T.......................(.......8................0...........................text............................... ..`.rdata..\|...........................@..@.data...............................@....pdata...............d..............@..@.rsrc...............................@..@.reloc..l\.......^..................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	109392
Entropy (8bit):	6.641929675972235
Encrypted:	false
SSDEEP:	1536:GcghbEGyzXJZDWnEzWG9q4lVOiVgXjO5/woecbq8qZHg2zuCS+zuecL:GV3iC0h9q4v6XjKwoecbq8qBTq+1cL
MD5:	4585A96CC4EEF6AAFD5E27EA09147DC6
SHA1:	489CFFF1B19ABBEC98FDA26AC8958005E88DD0CB
SHA-256:	A8F950B4357EC12CFCCDDC9094CCA56A3D5244B95E09EA6E9A746489F2D58736
SHA-512:	D78260C66331FE3029D2CC1B41A5D002EC651F2E3BBF55076D65839B5E3C6297955AFD4D9AB8951FBDC9F929DBC65EB18B14B59BCE1F2994318564EB4920F286
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........u...u...u.E.t...u.....u...t...u..v...u..q...u..p...u..u...u......u..w...u.Rich..u.........PE..d..._#;..........." ...".....`......................................................=.....`A........................................`C..4....K...............p.......\..PO...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......D..............@....pdata.......p.......H..............@..@_RDATA..\............T..............@..@.rsrc................V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\VCRUNTIME140_1.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49520
Entropy (8bit):	6.65700274508223
Encrypted:	false
SSDEEP:	768:YEgYXUcHJcUJSDW/tfxL1qBSHGm6Ub/I2Hi09z0XQKBcRmuU9zuKl:YvGS8fZ1esJwUpz0X3B+d8zuKl
MD5:	7E668AB8A78BD0118B94978D154C85BC
SHA1:	DBAC42A02A8D50639805174AFD21D45F3C56E3A0
SHA-256:	E4B533A94E02C574780E4B333FCF0889F65ED00D39E32C0FBBDA2116F185873F
SHA-512:	72BB41DB17256141B06E2EAEB8FC65AD4ABDB65E4B5F604C82B9E7E7F60050734137D602E0F853F1A38201515655B6982F2761EE0FA77C531AA58591C95F0032
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............L...L...L...M...L...M...L.FL...L...L...L...M...L...M...L...M...L...M...L..*L...L...M...LRich...L........................PE..d....J.$.........." ...".<...8.......A....................................................`A........................................0m.......m..x....................r..pO......D....c..p...........................pb..@............P..h............................text...0:.......<.................. ..`.rdata..."...P...$...@..............@..@.data................d..............@....pdata...............f..............@..@.rsrc................l..............@..@.reloc..D............p..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\_asyncio.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65304
Entropy (8bit):	6.186523609819811
Encrypted:	false
SSDEEP:	1536:k2icaMc907zrzE6+gTKnEzhIVOnZC7SyMx6:k2icrc4HE6+gTOEzhIVOn0j
MD5:	CEE78DC603D57CB2117E03B2C0813D84
SHA1:	095C98CA409E364B8755DC9CFD12E6791BF6E2B8
SHA-256:	6306BE660D87FFB2271DD5D783EE32E735A792556E0B5BD672DC0B1C206FDADC
SHA-512:	7258560AA557E3E211BB9580ADD604B5191C769594E17800B2793239DF45225A82CE440A6B9DCF3F2228ED84712912AFFE9BF0B70B16498489832DF2DEE33E7E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B:'T.[I..[I..[I..#...[I..'H..[I..'L..[I..'M..[I..'J..[I..&H..[I.M#H..[I..[H..[I..&D..[I..&I..[I..&...[I..&K..[I.Rich.[I.........PE..d......e.........." ...#.R..........`.....................................................`.............................................P...`...d......................../..........`w..T........................... v..@............p...............................text....P.......R.................. ..`.rdata..~J...p...L...V..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\_brotli.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	820736
Entropy (8bit):	6.056263694016779
Encrypted:	false
SSDEEP:	12288:cY0Uu7wLsglBv4i5DGAqXMAHhlyL82XTw05nmZfR7o:cp0NA1tAmZfR
MD5:	D9FC15CAF72E5D7F9A09B675E309F71D
SHA1:	CD2B2465C04C713BC58D1C5DE5F8A2E13F900234
SHA-256:	1FCD75B03673904D9471EC03C0EF26978D25135A2026020E679174BDEF976DCF
SHA-512:	84F705D52BD3E50AC412C8DE4086C18100EAC33E716954FBCB3519F4225BE1F4E1C3643D5A777C76F7112FAE30CE428E0CE4C05180A52842DACB1F5514460006
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ls...........u......q......u......q......q......q.....Yq...........Hp.....Hp.....Hp.....Hp.....Rich............................PE..d......d.........." ...#.@...H.......F....................................................`.........................................@c..`....c.......................................9..............................P8..@............P...............................text....?.......@.................. ..`.rdata.......P.......D..............@..@.data........p.......`..............@....pdata...............h..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\_bz2.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84760
Entropy (8bit):	6.56801864004604
Encrypted:	false
SSDEEP:	1536:7/Uez7qlMjca6uPZLPYMPHn3m8bhztpIVCVC7SyhJDxhy:4ezGC4TM/3RbhhpIVCVCXpy
MD5:	28EDE9CE9484F078AC4E52592A8704C7
SHA1:	BCF8D6FE9F42A68563B6CE964BDC615C119992D0
SHA-256:	403E76FE18515A5EA3227CF5F919AA2F32AC3233853C9FB71627F2251C554D09
SHA-512:	8C372F9F6C4D27F7CA9028C6034C17DEB6E98CFEF690733465C1B44BD212F363625D9C768F8E0BD4C781DDDE34EE4316256203ED18FA709D120F56DF3CCA108B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w.l.3...3...3...:...9......1......0......>......;......7.......0...x...1...3...l.......;.......2.......2.......2...Rich3...................PE..d......e.........." ...#.....^..............................................P.......U....`.........................................p...H............0....... .. ......../...@..........T...........................p...@............................................text............................... ..`.rdata..L>.......@..................@..@.data...............................@....pdata.. .... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\_cffi_backend.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	178176
Entropy (8bit):	6.165902427203749
Encrypted:	false
SSDEEP:	3072:87aw5iwiVHprp0+/aSdXUONX9dAXS7qkSTLkKh23/qZl:87kBVHplaSdRj4LkSTLLhW/q
MD5:	739D352BD982ED3957D376A9237C9248
SHA1:	961CF42F0C1BB9D29D2F1985F68250DE9D83894D
SHA-256:	9AEE90CF7980C8FF694BB3FFE06C71F87EB6A613033F73E3174A732648D39980
SHA-512:	585A5143519ED9B38BB53F912CEA60C87F7CE8BA159A1011CF666F390C2E3CC149E0AC601B008E039A0A78EAF876D7A3F64FFF612F5DE04C822C6E214BC2EFDE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A:.#.[.p.[.p.[.p.#.p.[.p..q.[.p..zp.[.p..q.[.p..q.[.p..q.[.pN#.q.[.pj.q.[.p.[.p.[.pM.q.[.p.#.p.[.pM.q.[.pM.xp.[.pM.q.[.pRich.[.p................PE..d......f.........." ...).....B............................................... ............`.........................................PX..l....X.......................................?...............................=..@............................................text...X........................... ..`.rdata..............................@..@.data....].......0...j..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\_ctypes.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	123672
Entropy (8bit):	6.0601189161591
Encrypted:	false
SSDEEP:	3072:aS7u5LnIxdP3fPHW+QfLIrAYKpemW9IVLPjo:aSw+3FQfLIrIemW3
MD5:	22C4892CAF560A3EE28CF7F210711F9E
SHA1:	B30520FADD882B667ECEF3B4E5C05DC92E08B95A
SHA-256:	E28D4E46E5D10B5FDCF0292F91E8FD767E33473116247CD5D577E4554D7A4C0C
SHA-512:	EDB86B3694FFF0B05318DECF7FC42C20C348C1523892CCE7B89CC9C5AB62925261D4DD72D9F46C9B2BDA5AC1E6B53060B8701318B064A286E84F817813960B19
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.....................).....).....).....).....O...............W.......c.O.....O.....O.o...O.....Rich..........................PE..d......e.........." ...#............p\..............................................jh....`.........................................pP.......P.........................../..............T...........................`...@............................................text............................... ..`.rdata...l.......n..................@..@.data...$=...p...8...^..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\_decimal.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	253720
Entropy (8bit):	6.551075270762715
Encrypted:	false
SSDEEP:	6144:cjz3B48pj9aOtoQdpJOsoTiSi9qWM53pLW1Atp6tQh7:i94uj9afQVrom0bUQh7
MD5:	BAAA9067639597E63B55794A757DDEFF
SHA1:	E8DD6B03EBEF0B0A709E6CCCFF0E9F33C5142304
SHA-256:	6CD52B65E11839F417B212BA5A39F182B0151A711EBC7629DC260B532391DB72
SHA-512:	7995C3B818764AD88DB82148EA0CE560A0BBE9594CA333671B4C5E5C949F5932210EDBD63D4A0E0DC2DAF24737B99318E3D5DAAEE32A5478399A6AA1B9EE3719
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@.R.!...!...!...Y=..!..+]...!..+]...!..+]...!..+]...!..M\...!...Y...!...!...!..M\...!..M\...!..M\...!..M\Q..!..M\...!..Rich.!..........PE..d......e.........." ...#.x...<......<...............................................:.....`......................................... T..P...pT..................$'......./......P.......T...........................P...@............................................text....v.......x.................. ..`.rdata..l............\|..............@..@.data....*...p...$...T..............@....pdata..$'.......(...x..............@..@.rsrc...............................@..@.reloc..P...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\_hashlib.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65304
Entropy (8bit):	6.2555709687934655
Encrypted:	false
SSDEEP:	1536:jfKlbLgy209/MkZy6n23JZlnvy7OjZophIVOIi7SyMrxZR1:7Khgy+XZla7OjSphIVOIiKR1
MD5:	C888ECC8298C36D498FF8919CEBDB4E6
SHA1:	F904E1832B9D9614FA1B8F23853B3E8C878D649D
SHA-256:	21D59958E2AD1B944C4811A71E88DE08C05C5CA07945192AB93DA5065FAC8926
SHA-512:	7161065608F34D6DE32F2C70B7485C4EE38CD3A41EF68A1BEACEE78E4C5B525D0C1347F148862CF59ABD9A4AD0026C2C2939736F4FC4C93E6393B3B53AA7C377
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(t..F'..F'..F'..'..F'u.G&..F'u.C&..F'u.B&..F'u.E&..F'..G&..F'..G&..F'..G'B.F'..K&..F'..F&..F'...'..F'..D&..F'Rich..F'................PE..d......e.........." ...#.T...~......@@..............................................H.....`............................................P... ............................/......X...P}..T............................\|..@............p..0............................text....S.......T.................. ..`.rdata...O...p...P...X..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..X...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\_lzma.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	159000
Entropy (8bit):	6.849076584495919
Encrypted:	false
SSDEEP:	3072:cNltLBrdV/REWa/g7Lznf49mNoiUMApqlpIVZ1SXW:cNltPpREgAYOicMI
MD5:	D386B7C4DCF589E026ABFC7196CF1C4C
SHA1:	C07CE47CE0E69D233C5BDD0BCAC507057D04B2D4
SHA-256:	AD0440CA6998E18F5CC917D088AF3FEA2C0FF0FEBCE2B5E2B6C0F1370F6E87B1
SHA-512:	78D79E2379761B054DF1F9FD8C5B7DE5C16B99AF2D2DE16A3D0AC5CB3F0BD522257579A49E91218B972A273DB4981F046609FDCF2F31CF074724D544DAC7D6C8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........T"#.5Lp.5Lp.5Lp.M.p.5Lp.IMq.5Lp.IIq.5Lp.IHq.5Lp.IOq.5LpnHMq.5Lp.MMq.5Lp.5Mp.5LpnHAq.5LpnHLq.5LpnH.p.5LpnHNq.5LpRich.5Lp................PE..d......e.........." ...#.b...........5....................................................`..........................................%..L...\%..x....p.......P.......>.../......8.......T...........................p...@............................................text...na.......b.................. ..`.rdata..............f..............@..@.data........@......................@....pdata.......P......................@..@.rsrc........p.......2..............@..@.reloc..8............<..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\_multiprocessing.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	34584
Entropy (8bit):	6.408696570061904
Encrypted:	false
SSDEEP:	768:n7I6Rwcl5w5zu8TdywGnJjRIVWtTk5YiSyvE+OAMxkEO:7Ikl5kzu8TdywGJjRIVWtTu7Sy18xK
MD5:	622A0E73779C88FC430B69CAF4A39789
SHA1:	F6536137E4E2CD8EC181F09B7DBA5E2E4D03B392
SHA-256:	EDFA9EE414F41448F8FFABB79F3BB8DB5C25E1CFD28FACF88EB5FE2D1E1D7551
SHA-512:	FD8D6DB53B630821845DFE22B09C4335565F848A421AF271797EFE272BAAA1EF887D735D4D5CD7D1258F2DD8F523327A67C071F7D16FC1BF53ACA39BAE41DFF2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-*.yCy.yCy.yCy...y.yCy'.Bx.yCy'.Fx.yCy'.Gx.yCy'.@x.yCyA.Bx.yCy.yBy.yCy..Bx.yCyA.Nx.yCyA.Cx.yCyA..y.yCyA.Ax.yCyRich.yCy................PE..d......e.........." ...#.....<......0...............................................E.....`.........................................0D..`....D..x....p.......`.......X.../...........4..T...........................p3..@............0...............................text............................... ..`.rdata..^....0... ..."..............@..@.data........P.......B..............@....pdata.......`.......H..............@..@.rsrc........p.......L..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\_overlapped.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	50968
Entropy (8bit):	6.434106091606417
Encrypted:	false
SSDEEP:	768:R1FMCcP4W9vqJKRJs2lNXSkCirb1IVXtW5YiSyvw5AMxkEfEk:R1FMaJKWkCg1IVXts7Sy4hxjEk
MD5:	D3BE208DC5388225162B6F88FF1D4386
SHA1:	8EFFDB606B6771D5FDF83145DE0F289E8AD83B69
SHA-256:	CE48969EBEBDC620F4313EBA2A6B6CDA568B663C09D5478FA93826D401ABE674
SHA-512:	9E1C3B37E51616687EECF1F7B945003F6EB4291D8794FEA5545B4A84C636007EB781C18F6436039DF02A902223AC73EFAC9B2E44DDC8594DB62FEB9997475DA3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}!{..O(..O(..O(.d.(..O(W`N)..O(W`J)..O(W`K)..O(W`L)..O(1aN)..O(..N(..O(.dN)..O(.dK)..O(1aB)..O(1aO)..O(1a.(..O(1aM)..O(Rich..O(................PE..d......e.........." ...#.B...X.......................................................N....`.........................................0...X................................/......,....f..T...........................Pe..@............`...............................text...fA.......B.................. ..`.rdata..$5...`...6...F..............@..@.data................\|..............@....pdata..............................@..@.rsrc...............................@..@.reloc..,...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\_queue.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32536
Entropy (8bit):	6.447318282610391
Encrypted:	false
SSDEEP:	768:P0+yFg6rXtUmxU99IVQUT5YiSyvyxAMxkE44:c+wRXiWU99IVQUd7Sy+xE4
MD5:	50842CE7FCB1950B672D8A31C892A5D1
SHA1:	D84C69FA2110B860DA71785D1DBE868BD1A8320F
SHA-256:	06C36EC0749D041E6957C3CD7D2D510628B6ABE28CEE8C9728412D9CE196A8A2
SHA-512:	C1E686C112B55AB0A5E639399BD6C1D7ADFE6AEDC847F07C708BEE9F6F2876A1D8F41EDE9D5E5A88AC8A9FBB9F1029A93A83D1126619874E33D09C5A5E45A50D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B:WX.[9..[9..[9..#...[9..'8..[9..'<..[9..'=..[9..':..[9..&8..[9.M#8..[9..[8.L[9..&4..[9..&9..[9..&...[9..&;..[9.Rich.[9.........PE..d......e.........." ...#.....8......................................................(F....`..........................................C..L....C..d....p.......`.......P.../..........p4..T...........................03..@............0..0............................text............................... ..`.rdata..R....0......................@..@.data...x....P.......<..............@....pdata.......`.......@..............@..@.rsrc........p.......D..............@..@.reloc...............N..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\_socket.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	79640
Entropy (8bit):	6.28999572337647
Encrypted:	false
SSDEEP:	1536:YJlhpHrTT9r3ujE9/s+S+pzpCoiTFVf7p9IVLwg7SyLxU:Y7hpL13ujE9/sT+pz4oYFVTp9IVLwgo
MD5:	2C0EC225E35A0377AC1D0777631BFFE4
SHA1:	7E5D81A06FF8317AF52284AEDCCAC6EBACE5C390
SHA-256:	301C47C4016DAC27811F04F4D7232F24852EF7675E9A4500F0601703ED8F06AF
SHA-512:	AEA9D34D9E93622B01E702DEFD437D397F0E7642BC5F9829754D59860B345BBDE2DD6D7FE21CC1D0397FF0A9DB4ECFE7C38B649D33C5C6F0EAD233CB201A73E0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f.+.".E.".E.".E.+...$.E...D. .E...@./.E...A.*.E...F.!.E...D. .E.".D...E.i.D.%.E...H.#.E...E.#.E....#.E...G.#.E.Rich".E.........................PE..d......e.........." ...#.l...........%.......................................P............`.............................................P............0....... ..x......../...@..........T...............................@............................................text...6k.......l.................. ..`.rdata...t.......v...p..............@..@.data...............................@....pdata..x.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\_sqlite3.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120088
Entropy (8bit):	6.2579260754206505
Encrypted:	false
SSDEEP:	3072:vvtiqaiN2oSNMAwwi3CLl147ZvV9NdrRvdO5yFAuaUVMJF8MYRnchIVOQ1B:HJaiN2oSNVDD5FJFr2
MD5:	A70731AE2CA44B7292623AE8B0281549
SHA1:	9E086C0753BB43E2876C33C4872E71808932A744
SHA-256:	55344349F9199AEDAD1737A0311CBE2C3A4BF9494B76982520BACAD90F463C1B
SHA-512:	8334104DF9837D32946965290BBC46BA0A0ADA17BD2D03FC63380979F5FC86B26BE245636718B4304DFD0D85A5B3F7170614F148E5C965CC5ADF59D34465F7F1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........`.g...g...g.......g.......g.....g.......g.......g.......g..q....g.......g...g...f..q....g..q....g..q..g..q....g..Rich.g..........................PE..d......e.........." ...#............................................................ G....`..........................................Z..P....Z.........................../..............T...........................p...@............................................text............................... ..`.rdata..l...........................@..@.data................n..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\_ssl.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	176920
Entropy (8bit):	5.955624236034285
Encrypted:	false
SSDEEP:	3072:pjIQQSFBfL+SiSVWuXa6XzfBJ9d41Olh59YL48PMrN/WgAlNcLpIVC72a:CSFNL3LJa6Xzj4BLcLP
MD5:	66E78727C2DA15FD2AAC56571CD57147
SHA1:	E93C9A5E61DB000DEE0D921F55F8507539D2DF3D
SHA-256:	4727B60962EFACFD742DCA21341A884160CF9FCF499B9AFA3D9FDBCC93FB75D0
SHA-512:	A6881F9F5827ACEB51957AAED4C53B69FCF836F60B9FC66EEB2ED84AED08437A9F0B35EA038D4B1E3C539E350D9D343F8A6782B017B10A2A5157649ABBCA9F9A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U.+.4.x.4.x.4.x.L)x.4.x.H.y.4.x.H.y.4.x.H.y.4.x.H.y.4.xiI.y.4.x.4.x>5.x.L.y.4.xiI.y.4.xiI.y.4.xiIEx.4.xiI.y.4.xRich.4.x................PE..d......e.........." ...#............l+...............................................!....`.........................................0...d................................/......\|...P...T...............................@............................................text............................... ..`.rdata...".......$..................@..@.data...............................@....pdata...............\..............@..@.rsrc................h..............@..@.reloc..\|............r..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\_uuid.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25368
Entropy (8bit):	6.628339287223099
Encrypted:	false
SSDEEP:	384:lCfwFpEWjfivQpIVZwobHQIYiSy1pCQFjzuAM+o/8E9VF0NySoJ:4qpEI4QpIVZwg5YiSyvgAMxkE7
MD5:	3A09B6DB7E4D6FF0F74C292649E4BA96
SHA1:	1A515F98946A4DCCC50579CBCEDF959017F3A23C
SHA-256:	FC09E40E569F472DD4BA2EA93DA48220A6B0387EC62BB0F41F13EF8FAB215413
SHA-512:	8D5EA9F7EEE3D75F0673CC7821A94C50F753299128F3D623E7A9C262788C91C267827C859C5D46314A42310C27699AF5CDFC6F7821DD38BF03C0B35873D9730F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<p.R#.R#.R#...#.R#i.S".R#i.W".R#i.V".R#i.Q".R#..S".R#..S".R#.S#..R#..Z".R#..R".R#...#.R#..P".R#Rich.R#........................PE..d......e.........." ...#.....&...... ........................................p............`.........................................`)..L....)..x....P.......@.......4.../...`..@...`#..T........................... "..@............ ..8............................text...h........................... ..`.rdata....... ......................@..@.data........0.......$..............@....pdata.......@.......&..............@..@.rsrc........P.......(..............@..@.reloc..@....`.......2..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\aiohttp\_helpers.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	51712
Entropy (8bit):	5.719745861304906
Encrypted:	false
SSDEEP:	768:V1yQoUZM+e7B244LM1/sGFNUgOclIgD0iEXSmHN9D7KSDq/dFGlaKb+DzH:VloBBN4LM1/9FeiIyEXX9XKSEFAb+n
MD5:	ADD987AEC610B3D921DECBEF60E0DE8D
SHA1:	2763D5D3ACF58BC751323310F1F46ABCBC093C82
SHA-256:	AD5F49D13DDEA57319E9D404E8947B5207239D07D94332DFE601331A70A8D5EB
SHA-512:	D460AEA5256DE208CC0D13D59D05E809B3F5FD88C34731C776498113DA45B6FD732F00CC1C6E02B2F43992CBCD04598E48AEE140CA1C1E7FFDD3E8FF18238020
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........[.k...k...k....?..k......k.......k......k......k......k......k...k..Rk......k......k....S..k......k..Rich.k..........................PE..d..."B.g.........." ...).z...T.......\|....................................... ............`.............................................`.......d...................................................................P...@............................................text...8y.......z.................. ..`.rdata...6.......6...~..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\aiohttp\_http_parser.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	266240
Entropy (8bit):	6.171612984848152
Encrypted:	false
SSDEEP:	3072:BVuE3CWclftO4A1tgB9eIGnbQN4NFguNli5XURla2yBi2/1VDZoUyGRqpu:DV31clftOft+uNlQ/5isnKp
MD5:	57ABDBFC3F2020177909E20984032DD5
SHA1:	B814A1E284BF330F3387AFE0F1DC2CCF2B9B8016
SHA-256:	3A143C933FADD1A1A60A65BDD37858EA11D47A074F9A7934933B13C01B7C3B8B
SHA-512:	5CA9B1903E8AA7EA244A6807AC8107AD651AA6B16C444D420E9200D689D2A9FA9DAAC25BF937DEB9214CC0DD550E6F9231B4E8551AA0DC38D265A87B7DAE582E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B,6..MXY.MXY.MXY.5.Y.MXY..YX.MXYM5YX.MXYi.YX.MXY.MYY.MXY..[X.MXY..\X.MXY..]X.MXYN.PX.MXYN.XX.MXYN.Y.MXYN.ZX.MXYRich.MXY................PE..d..."B.g.........." ...).0...........1....................................................`.........................................p.......D...x....`.......@..0............p..\......................................@............@...............................text...X........0.................. ..`.rdata.."....@.......4..............@..@.data....F..........................@....pdata..0....@......................@..@.rsrc........`......................@..@.reloc..\....p......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\aiohttp\_http_writer.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	5.734133802541209
Encrypted:	false
SSDEEP:	768:RuIpuGiOh9LHHQ2leaWYk/glLh2u+yBlhlr9iLr2F+HGlj55D2n8Ic:RuTGiK8a8Yl9z+yf9iH2F+H65B2n8Ic
MD5:	C5036E8B04879173F5E530F7B11C65BA
SHA1:	1F17B7551020575943B92058CC493B0C1A35D32C
SHA-256:	8D12BDD47DBABC836930A663A5149C4F2D2B9AE082F954EE26FE66D501FEBFE9
SHA-512:	07588B3E311ED1AEBD5BE0D96388FE180FED4629FE08EBCA4E86802B8AF3DAED603EABDB5AA427C2E5E80E384C5B3D859B0AC4438BD2A278E949DE6CE2FCE44B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N..T.l...l...l....?..l......l..A....l......l......l......l..e...l...l...l..B...l..B...l..B.S..l..B...l..Rich.l..................PE..d...#B.g.........." ...).v...........x.......................................P............`.........................................p...h......d....0....... ..$............@......................................@...@...............X............................text...(u.......v.................. ..`.rdata...0.......2...z..............@..@.data...(N..........................@....pdata..$.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\aiohttp\_websocket.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	5.595737924373698
Encrypted:	false
SSDEEP:	768:NTQTXEebmg5xAVNTTYMlam/Je5JAZ6cXu9lEQ/Yv8:hSP5KVV0MgF8G3/Yv
MD5:	EC9E2D8CC7966CACAC49DA5409BB72F7
SHA1:	EB0F500F21B7134EBC833CED27DF1450DB9EA241
SHA-256:	23391519E1BF052D4832ADA81BCA088C2B8BCE582F0EB3535109B524A2891E10
SHA-512:	FAA4A03CF4B0E7EB18412594F5199E57624099D4F53789BCD87CF2572F8F94636FADB8E99E3DEABBA57B2AB91427CDC7E239CF9D137D4EE3B31F6423E166F65B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........[.k...k...k....?..k......k.......k......k......k......k......k...k..rk......k......k....S..k......k..Rich.k..........................PE..d....B.g.........." ...).N...D...... P....................................................`..........................................\|..d...t\|..d...............4...................@s...............................r..@............`...............................text...xL.......N.................. ..`.rdata..:+...`...,...R..............@..@.data................~..............@....pdata..4...........................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-console-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22112
Entropy (8bit):	4.744270711412692
Encrypted:	false
SSDEEP:	192:zFOhcWqhWpvWEXCVWQ4iWwklRxwVIX01k9z3AROVaz4ILS:zFlWqhWpk6R9zeU0J2
MD5:	E8B9D74BFD1F6D1CC1D99B24F44DA796
SHA1:	A312CFC6A7ED7BF1B786E5B3FD842A7EEB683452
SHA-256:	B1B3FD40AB437A43C8DB4994CCFFC7F88000CC8BB6E34A2BCBFF8E2464930C59
SHA-512:	B74D9B12B69DB81A96FC5A001FD88C1E62EE8299BA435E242C5CB2CE446740ED3D8A623E1924C2BC07BFD9AEF7B2577C9EC8264E53E5BE625F4379119BAFCC27
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....dZ..........." .........0...............................................@............`A........................................p...,............0...............0..`&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-datetime-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.602255667966723
Encrypted:	false
SSDEEP:	192:NWqhWEWEXCVWQ4cRWvBQrVXC4dlgX01k9z3AUj7W6SxtR:NWqhWPlZVXC4deR9zVj7QR
MD5:	CFE0C1DFDE224EA5FED9BD5FF778A6E0
SHA1:	5150E7EDD1293E29D2E4D6BB68067374B8A07CE6
SHA-256:	0D0F80CBF476AF5B1C9FD3775E086ED0DFDB510CD0CC208EC1CCB04572396E3E
SHA-512:	B0E02E1F19CFA7DE3693D4D63E404BDB9D15527AC85A6D492DB1128BB695BFFD11BEC33D32F317A7615CB9A820CD14F9F8B182469D65AF2430FFCDBAD4BD7000
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....N7.........." .........0...............................................@............`A........................................p................0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-debug-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.606873381830854
Encrypted:	false
SSDEEP:	192:T0WqhWnWEXCVWQ4mW5ocADB6ZX01k9z3AkprGvV:T0WqhW8VcTR9zJpr4V
MD5:	33BBECE432F8DA57F17BF2E396EBAA58
SHA1:	890DF2DDDFDF3EECCC698312D32407F3E2EC7EB1
SHA-256:	7CF0944901F7F7E0D0B9AD62753FC2FE380461B1CCE8CDC7E9C9867C980E3B0E
SHA-512:	619B684E83546D97FC1D1BC7181AD09C083E880629726EE3AF138A9E4791A6DCF675A8DF65DC20EDBE6465B5F4EAC92A64265DF37E53A5F34F6BE93A5C2A7AE5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....IL..........." .........0...............................................@...........`A........................................p................0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-errorhandling-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.65169290018864
Encrypted:	false
SSDEEP:	192:qzmxD3T4qLWqhW2WJWadJCsVWQ4mW/xNVAv+cQ0GX01k9z3ARoanSwT44:qzQVWqhWTCsiNbZR9zQoUSwTJ
MD5:	EB0978A9213E7F6FDD63B2967F02D999
SHA1:	9833F4134F7AC4766991C918AECE900ACFBF969F
SHA-256:	AB25A1FE836FC68BCB199F1FE565C27D26AF0C390A38DA158E0D8815EFE1103E
SHA-512:	6F268148F959693EE213DB7D3DB136B8E3AD1F80267D8CBD7D5429C021ADACCC9C14424C09D527E181B9C9B5EA41765AFF568B9630E4EB83BFC532E56DFE5B63
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d................." .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..H...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-file-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26216
Entropy (8bit):	4.866487428274293
Encrypted:	false
SSDEEP:	192:gaNYPvVX8rFTsCWqhWVWEXCVWQ4mWPJlBLrp0KBQfX01k9z3ALkBw:WPvVX8WqhWiyBRxB+R9z2kBw
MD5:	EFAD0EE0136532E8E8402770A64C71F9
SHA1:	CDA3774FE9781400792D8605869F4E6B08153E55
SHA-256:	3D2C55902385381869DB850B526261DDEB4628B83E690A32B67D2E0936B2C6ED
SHA-512:	69D25EDF0F4C8AC5D77CB5815DFB53EAC7F403DC8D11BFE336A545C19A19FFDE1031FA59019507D119E4570DA0D79B95351EAC697F46024B4E558A0FF6349852
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....(............" .........@...............................................P......z.....`A........................................p................@...............@..h&..............p............................................................................rdata..\|........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-file-l1-2-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.619913450163593
Encrypted:	false
SSDEEP:	192:iDGaWqhWhWJWadJCsVWQ4mWd9afKUSIX01k9z3AEXzAU9:i6aWqhWACs92IR9z5EU9
MD5:	1C58526D681EFE507DEB8F1935C75487
SHA1:	0E6D328FAF3563F2AAE029BC5F2272FB7A742672
SHA-256:	EF13DCE8F71173315DFC64AB839B033AB19A968EE15230E9D4D2C9D558EFEEE2
SHA-512:	8EDB9A0022F417648E2ECE9E22C96E2727976332025C3E7D8F15BCF6D7D97E680D1BF008EB28E2E0BD57787DCBB71D38B2DEB995B8EDC35FA6852AB1D593F3D1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....RS.........." .........0...............................................@......;.....`A........................................p...L............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-file-l2-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18696
Entropy (8bit):	7.054510010549814
Encrypted:	false
SSDEEP:	384:eVrW1hWbvm0GftpBjzH4m3S9gTlUK3dsl:eVuAViaB/6sl
MD5:	BFFFA7117FD9B1622C66D949BAC3F1D7
SHA1:	402B7B8F8DCFD321B1D12FC85A1EE5137A5569B2
SHA-256:	1EA267A2E6284F17DD548C6F2285E19F7EDB15D6E737A55391140CE5CB95225E
SHA-512:	B319CC7B436B1BE165CDF6FFCAB8A87FE29DE78F7E0B14C8F562BE160481FB5483289BD5956FDC1D8660DA7A3F86D8EEDE35C6CC2B7C3D4C852DECF4B2DCDB7F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d...4.F>.........." .........................................................0............`.........................................`................ ...................=..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-handle-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.625331165566263
Encrypted:	false
SSDEEP:	192:qzWqhWxWJWadJCsVWQ4mW8RJLNVAv+cQ0GX01k9z3ARo8ef3uBJu:qzWqhWwCsjNbZR9zQoEzu
MD5:	E89CDCD4D95CDA04E4ABBA8193A5B492
SHA1:	5C0AEE81F32D7F9EC9F0650239EE58880C9B0337
SHA-256:	1A489E0606484BD71A0D9CB37A1DC6CA8437777B3D67BFC8C0075D0CC59E6238
SHA-512:	55D01E68C8C899E99A3C62C2C36D6BCB1A66FF6ECD2636D2D0157409A1F53A84CE5D6F0C703D5ED47F8E9E2D1C9D2D87CC52585EE624A23D92183062C999B97E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....Hb..........." .........0...............................................@............`A........................................p...`............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.737397647066978
Encrypted:	false
SSDEEP:	192:OdxlZWqhWcWJWadJCsVWQ4mWlhtFyttuX01k9z3A2oD:OdxlZWqhWpCsctkSR9zfoD
MD5:	ACCC640D1B06FB8552FE02F823126FF5
SHA1:	82CCC763D62660BFA8B8A09E566120D469F6AB67
SHA-256:	332BA469AE84AA72EC8CCE2B33781DB1AB81A42ECE5863F7A3CB5A990059594F
SHA-512:	6382302FB7158FC9F2BE790811E5C459C5C441F8CAEE63DF1E09B203B8077A27E023C4C01957B252AC8AC288F8310BCEE5B4DCC1F7FC691458B90CDFAA36DCBE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....B.l.........." .........0...............................................@.......A....`A........................................p................0...............0..x&..............p............................................................................rdata..\|...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-interlocked-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.6569647133331316
Encrypted:	false
SSDEEP:	192:dwWqhWWWEXCVWQ4mWLnySfKUSIX01k9z3AEXz5SLaDa3:iWqhWJhY2IR9z5YLt3
MD5:	C6024CC04201312F7688A021D25B056D
SHA1:	48A1D01AE8BC90F889FB5F09C0D2A0602EE4B0FD
SHA-256:	8751D30DF554AF08EF42D2FAA0A71ABCF8C7D17CE9E9FF2EA68A4662603EC500
SHA-512:	D86C773416B332945ACBB95CBE90E16730EF8E16B7F3CCD459D7131485760C2F07E95951AEB47C1CF29DE76AFFEB1C21BDF6D8260845E32205FE8411ED5EFA47
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...}.o..........." .........0...............................................@......v.....`A........................................p................0...............0..h&..............p............................................................................rdata..L...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-libraryloader-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.882042129450427
Encrypted:	false
SSDEEP:	192:9TvuBL3BBLAWqhWUWEXCVWQ4iWgdCLVx6RMySX01k9z3AzaXQ+BB:9TvuBL3BaWqhW/WSMR9zqaP
MD5:	1F2A00E72BC8FA2BD887BDB651ED6DE5
SHA1:	04D92E41CE002251CC09C297CF2B38C4263709EA
SHA-256:	9C8A08A7D40B6F697A21054770F1AFA9FFB197F90EF1EEE77C67751DF28B7142
SHA-512:	8CF72DF019F9FC9CD22FF77C37A563652BECEE0708FF5C6F1DA87317F41037909E64DCBDCC43E890C5777E6BCFA4035A27AFC1AEEB0F5DEBA878E3E9AEF7B02A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....g..........." .........0...............................................@............`A........................................p................0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-localization-l1-2-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	5.355894399765837
Encrypted:	false
SSDEEP:	384:0naOMw3zdp3bwjGzue9/0jCRrndbnWqhW5lFydVXC4deR9zVj7xR:FOMwBprwjGzue9/0jCRrndbtGydVXC4O
MD5:	724223109E49CB01D61D63A8BE926B8F
SHA1:	072A4D01E01DBBAB7281D9BD3ADD76F9A3C8B23B
SHA-256:	4E975F618DF01A492AE433DFF0DD713774D47568E44C377CEEF9E5B34AAD1210
SHA-512:	19B0065B894DC66C30A602C9464F118E7F84D83010E74457D48E93AACA4422812B093B15247B24D5C398B42EF0319108700543D13F156067B169CCFB4D7B6B7C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...0.&3.........." .........0...............................................@......L0....`A........................................p................0...............0..h&..............p............................................................................rdata..D...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-memory-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.771309314175772
Encrypted:	false
SSDEEP:	192:L0WqhWTWEXCVWQ4cRWdmjKDUX01k9z3AQyMX/7kn:L0WqhWol1pR9zzDY
MD5:	3C38AAC78B7CE7F94F4916372800E242
SHA1:	C793186BCF8FDB55A1B74568102B4E073F6971D6
SHA-256:	3F81A149BA3862776AF307D5C7FEEF978F258196F0A1BF909DA2D3F440FF954D
SHA-512:	C2746AA4342C6AFFFBD174819440E1BBF4371A7FED29738801C75B49E2F4F94FD6D013E002BAD2AADAFBC477171B8332C8C5579D624684EF1AFBFDE9384B8588
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...`.@f.........." .........0...............................................@......K.....`A........................................p...l............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-namedpipe-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.7115212149950185
Encrypted:	false
SSDEEP:	192:bWqhWUxWJWadJCsVWQ4mW5iFyttuX01k9z3A2EC:bWqhWUwCs8SR9zfEC
MD5:	321A3CA50E80795018D55A19BF799197
SHA1:	DF2D3C95FB4CBB298D255D342F204121D9D7EF7F
SHA-256:	5476DB3A4FECF532F96D48F9802C966FDEF98EC8D89978A79540CB4DB352C15F
SHA-512:	3EC20E1AC39A98CB5F726D8390C2EE3CD4CD0BF118FDDA7271F7604A4946D78778713B675D19DD3E1EC1D6D4D097ABE9CD6D0F76B3A7DFF53CE8D6DBC146870A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...j............" .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-processenvironment-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.893761152454321
Encrypted:	false
SSDEEP:	192:dEFP2WqhWVWEXCVWQ4mW68vx6RMySX01k9z3AzapOP:eF+WqhWi6gMR9zqa0
MD5:	0462E22F779295446CD0B63E61142CA5
SHA1:	616A325CD5B0971821571B880907CE1B181126AE
SHA-256:	0B6B598EC28A9E3D646F2BB37E1A57A3DDA069A55FBA86333727719585B1886E
SHA-512:	07B34DCA6B3078F7D1E8EDE5C639F697C71210DCF9F05212FD16EB181AB4AC62286BC4A7CE0D84832C17F5916D0224D1E8AAB210CEEFF811FC6724C8845A74FE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...L.Y..........." .........0...............................................@............`A........................................p...H............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-processthreads-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	5.231196901820079
Encrypted:	false
SSDEEP:	192:/Mck1JzX9cKSI0WqhWsWJWadJCsVWQ4mWClLeyttuX01k9z3A2XCJq:Uck1JzNcKSI0WqhWZCsvfSR9zfyk
MD5:	C3632083B312C184CBDD96551FED5519
SHA1:	A93E8E0AF42A144009727D2DECB337F963A9312E
SHA-256:	BE8D78978D81555554786E08CE474F6AF1DE96FCB7FA2F1CE4052BC80C6B2125
SHA-512:	8807C2444A044A3C02EF98CF56013285F07C4A1F7014200A21E20FCB995178BA835C30AC3889311E66BC61641D6226B1FF96331B019C83B6FCC7C87870CCE8C4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....O.j.........." .........0...............................................@......9&....`A........................................p................0...............0..x&..............p............................................................................rdata..d...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-processthreads-l1-1-1.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.799245167892134
Encrypted:	false
SSDEEP:	192:R0DfIeUWqhWLWJWadJCsVWQ4mWFVyttuX01k9z3A2YHmp:R0DfIeUWqhWiCsLSR9zfYHmp
MD5:	517EB9E2CB671AE49F99173D7F7CE43F
SHA1:	4CCF38FED56166DDBF0B7EFB4F5314C1F7D3B7AB
SHA-256:	57CC66BF0909C430364D35D92B64EB8B6A15DC201765403725FE323F39E8AC54
SHA-512:	492BE2445B10F6BFE6C561C1FC6F5D1AF6D1365B7449BC57A8F073B44AE49C88E66841F5C258B041547FCD33CBDCB4EB9DD3E24F0924DB32720E51651E9286BE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....#..........." .........0...............................................@.......,....`A........................................p................0...............0..x&..............p............................................................................rdata..\...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-profile-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.587063911311469
Encrypted:	false
SSDEEP:	192:fWqhWeWJWadJCsVWQ4mWMs7DENNVAv+cQ0GX01k9z3ARoIGA/:fWqhWbCs8oNbZR9zQoxS
MD5:	F3FF2D544F5CD9E66BFB8D170B661673
SHA1:	9E18107CFCD89F1BBB7FDAF65234C1DC8E614ADD
SHA-256:	E1C5D8984A674925FA4AFBFE58228BE5323FE5123ABCD17EC4160295875A625F
SHA-512:	184B09C77D079127580EF80EB34BDED0F5E874CEFBE1C5F851D86861E38967B995D859E8491FCC87508930DC06C6BBF02B649B3B489A1B138C51A7D4B4E7AAAD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d......e.........." .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..P...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-rtlsupport-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.754374422741657
Encrypted:	false
SSDEEP:	192:CGeVPWqhWUWJWadJCsVWQ4mWUhSqyttuX01k9z3A2lqn7cq:CGeVPWqhWBCsvoSR9zflBq
MD5:	A0C2DBE0F5E18D1ADD0D1BA22580893B
SHA1:	29624DF37151905467A223486500ED75617A1DFD
SHA-256:	3C29730DF2B28985A30D9C82092A1FAA0CEB7FFC1BD857D1EF6324CF5524802F
SHA-512:	3E627F111196009380D1687E024E6FFB1C0DCF4DCB27F8940F17FEC7EFDD8152FF365B43CB7FDB31DE300955D6C15E40A2C8FB6650A91706D7EA1C5D89319B12
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d......Z.........." .........0...............................................@............`A........................................p...<............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-string-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.664553499673792
Encrypted:	false
SSDEEP:	192:mZyMvr5WqhWAWJWadJCsVWQ4mWWqpNVAv+cQ0GX01k9z3ARo+GZ:mZyMvlWqhWNCsUpNbZR9zQo+GZ
MD5:	2666581584BA60D48716420A6080ABDA
SHA1:	C103F0EA32EBBC50F4C494BCE7595F2B721CB5AD
SHA-256:	27E9D3E7C8756E4512932D674A738BF4C2969F834D65B2B79C342A22F662F328
SHA-512:	BEFED15F11A0550D2859094CC15526B791DADEA12C2E7CEB35916983FB7A100D89D638FB1704975464302FAE1E1A37F36E01E4BEF5BC4924AB8F3FD41E60BD0C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....I..........." .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..l...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-synch-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	5.146069394118203
Encrypted:	false
SSDEEP:	384:vUwidv3V0dfpkXc0vVaCsWqhWjCsa2IR9z5Bk5l:sHdv3VqpkXc0vVaP+U9zzk5l
MD5:	225D9F80F669CE452CA35E47AF94893F
SHA1:	37BD0FFC8E820247BD4DB1C36C3B9F9F686BBD50
SHA-256:	61C0EBE60CE6EBABCB927DDFF837A9BF17E14CD4B4C762AB709E630576EC7232
SHA-512:	2F71A3471A9868F4D026C01E4258AFF7192872590F5E5C66AABD3C088644D28629BA8835F3A4A23825631004B1AFD440EFE7161BB9FC7D7C69E0EE204813CA7B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....x.........." .........0...............................................@.......J....`A........................................p...X............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-synch-l1-2-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.834520503429805
Encrypted:	false
SSDEEP:	192:etZ3xWqhWqWJWadJCsVWQ4mWfH/fKUSIX01k9z3AEXz40OY:etZ3xWqhWHCsMH2IR9z5OY
MD5:	1281E9D1750431D2FE3B480A8175D45C
SHA1:	BC982D1C750B88DCB4410739E057A86FF02D07EF
SHA-256:	433BD8DDC4F79AEE65CA94A54286D75E7D92B019853A883E51C2B938D2469BAA
SHA-512:	A954E6CE76F1375A8BEAC51D751B575BBC0B0B8BA6AA793402B26404E45718165199C2C00CCBCBA3783C16BDD96F0B2C17ADDCC619C39C8031BECEBEF428CE77
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d................." .........0...............................................@.......w....`A........................................p...x............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-sysinfo-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.916367637528538
Encrypted:	false
SSDEEP:	192:qaIMFSYWqhWzWJWadJCsVWQ4mW14LyttuX01k9z3A2ClV:qdYWqhWqCsISR9zfCT
MD5:	FD46C3F6361E79B8616F56B22D935A53
SHA1:	107F488AD966633579D8EC5EB1919541F07532CE
SHA-256:	0DC92E8830BC84337DCAE19EF03A84EF5279CF7D4FDC2442C1BC25320369F9DF
SHA-512:	3360B2E2A25D545CCD969F305C4668C6CDA443BBDBD8A8356FFE9FBC2F70D90CF4540F2F28C9ED3EEA6C9074F94E69746E7705E6254827E6A4F158A75D81065B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...~.l-.........." .........0...............................................@............`A........................................p................0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-timezone-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.829681745003914
Encrypted:	false
SSDEEP:	192:HNpWqhW5WJWadJCsVWQ4mWbZyttuX01k9z3A2qkFU:HXWqhW4Cs1SR9zf9U
MD5:	D12403EE11359259BA2B0706E5E5111C
SHA1:	03CC7827A30FD1DEE38665C0CC993B4B533AC138
SHA-256:	F60E1751A6AC41F08E46480BF8E6521B41E2E427803996B32BDC5E78E9560781
SHA-512:	9004F4E59835AF57F02E8D9625814DB56F0E4A98467041DA6F1367EF32366AD96E0338D48FFF7CC65839A24148E2D9989883BCDDC329D9F4D27CAE3F843117D0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...>.os.........." .........0...............................................@............`A........................................p...H............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-core-util-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.612408827336625
Encrypted:	false
SSDEEP:	192:CWqhW+WJWadJCsVWQ4mWprgfKUSIX01k9z3AEXzh:CWqhW7Cs12IR9z5F
MD5:	0F129611A4F1E7752F3671C9AA6EA736
SHA1:	40C07A94045B17DAE8A02C1D2B49301FAD231152
SHA-256:	2E1F090ABA941B9D2D503E4CD735C958DF7BB68F1E9BDC3F47692E1571AAAC2F
SHA-512:	6ABC0F4878BB302713755A188F662C6FE162EA6267E5E1C497C9BA9FDDBDAEA4DB050E322CB1C77D6638ECF1DAD940B9EBC92C43ACAA594040EE58D313CBCFAE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....+..........." .........0...............................................@............`A........................................p...<............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-conio-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.918215004381039
Encrypted:	false
SSDEEP:	192:OvMWqhWkWJWadJCsVWQ4mWoz/HyttuX01k9z3A21O:JWqhWxCs/SSR9zf1O
MD5:	D4FBA5A92D68916EC17104E09D1D9D12
SHA1:	247DBC625B72FFB0BF546B17FB4DE10CAD38D495
SHA-256:	93619259328A264287AEE7C5B88F7F0EE32425D7323CE5DC5A2EF4FE3BED90D5
SHA-512:	D5A535F881C09F37E0ADF3B58D41E123F527D081A1EBECD9A927664582AE268341771728DC967C30908E502B49F6F853EEAEBB56580B947A629EDC6BCE2340D8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...Aj............" .........0...............................................@......UJ....`A.........................................................0...............0..x&..............p............................................................................rdata..p...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-convert-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26216
Entropy (8bit):	4.882777558752248
Encrypted:	false
SSDEEP:	192:I9cy5WqhWKWEXCVWQ4mW1pbm6yttuX01k9z3A2jyM:Ry5WqhWdcbmLSR9zfjj
MD5:	EDF71C5C232F5F6EF3849450F2100B54
SHA1:	ED46DA7D59811B566DD438FA1D09C20F5DC493CE
SHA-256:	B987AB40CDD950EBE7A9A9176B80B8FFFC005CCD370BB1CBBCAD078C1A506BDC
SHA-512:	481A3C8DC5BEF793EE78CE85EC0F193E3E9F6CD57868B813965B312BD0FADEB5F4419707CD3004FBDB407652101D52E061EF84317E8BD458979443E9F8E4079A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...U.gJ.........." .........@...............................................P............`A.........................................................@...............@..h&..............p............................................................................rdata..n........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-environment-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.738587310329139
Encrypted:	false
SSDEEP:	192:TWqhWXWEXCVWQ4mWPXTNyttuX01k9z3A2dGxr:TWqhWMKASR9zfYxr
MD5:	F9235935DD3BA2AA66D3AA3412ACCFBF
SHA1:	281E548B526411BCB3813EB98462F48FFAF4B3EB
SHA-256:	2F6BD6C235E044755D5707BD560A6AFC0BA712437530F76D11079D67C0CF3200
SHA-512:	AD0C0A7891FB8328F6F0CF1DDC97523A317D727C15D15498AFA53C07610210D2610DB4BC9BD25958D47ADC1AF829AD4D7CF8AABCAB3625C783177CCDB7714246
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...9.4o.........." .........0...............................................@......h*....`A............................................"............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-filesystem-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	5.202163846121633
Encrypted:	false
SSDEEP:	192:2pUEpnWlC0i5CBWqhWXLeWEXCVWQ4iW+/x6RMySX01k9z3Aza8Az629:2ptnWm5CBWqhWtWMR9zqaH629
MD5:	5107487B726BDCC7B9F7E4C2FF7F907C
SHA1:	EBC46221D3C81A409FAB9815C4215AD5DA62449C
SHA-256:	94A86E28E829276974E01F8A15787FDE6ED699C8B9DC26F16A51765C86C3EADE
SHA-512:	A0009B80AD6A928580F2B476C1BDF4352B0611BB3A180418F2A42CFA7A03B9F0575ED75EC855D30B26E0CCA96A6DA8AFFB54862B6B9AFF33710D2F3129283FAA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...2............." .........0...............................................@......M4....`A.........................................................0...............0..h&..............p............................................................................rdata..0...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.866983142029453
Encrypted:	false
SSDEEP:	192:0vh8Y17aFBRsWqhW9AWEXCVWQ4mWCB4Lrp0KBQfX01k9z3ALkg5Z7:SL5WqhW9boRxB+R9z2kM7
MD5:	D5D77669BD8D382EC474BE0608AFD03F
SHA1:	1558F5A0F5FACC79D3957FF1E72A608766E11A64
SHA-256:	8DD9218998B4C4C9E8D8B0F8B9611D49419B3C80DAA2F437CBF15BCFD4C0B3B8
SHA-512:	8DEFA71772105FD9128A669F6FF19B6FE47745A0305BEB9A8CADB672ED087077F7538CD56E39329F7DAA37797A96469EAE7CD5E4CCA57C9A183B35BDC44182F3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...."]..........." .........0...............................................@............`A.........................................................0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-locale-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.828044267819929
Encrypted:	false
SSDEEP:	192:dUnWqhWRWJWadJCsVWQ4mW+2PyttuX01k9z3A23y:cWqhWQCsHSR9zf3y
MD5:	650435E39D38160ABC3973514D6C6640
SHA1:	9A5591C29E4D91EAA0F12AD603AF05BB49708A2D
SHA-256:	551A34C400522957063A2D71FA5ABA1CD78CC4F61F0ACE1CD42CC72118C500C0
SHA-512:	7B4A8F86D583562956593D27B7ECB695CB24AB7192A94361F994FADBA7A488375217755E7ED5071DE1D0960F60F255AA305E9DD477C38B7BB70AC545082C9D5E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...6..q.........." .........0...............................................@.......-....`A............................................e............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-math-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30328
Entropy (8bit):	5.14173409150951
Encrypted:	false
SSDEEP:	384:r7yaFM4Oe59Ckb1hgmLVWqhW2CsWNbZR9zQoekS:/FMq59Bb1jnoFT9zGp
MD5:	B8F0210C47847FC6EC9FBE2A1AD4DEBB
SHA1:	E99D833AE730BE1FEDC826BF1569C26F30DA0D17
SHA-256:	1C4A70A73096B64B536BE8132ED402BCFB182C01B8A451BFF452EFE36DDF76E7
SHA-512:	992D790E18AC7AE33958F53D458D15BFF522A3C11A6BD7EE2F784AC16399DE8B9F0A7EE896D9F2C96D1E2C8829B2F35FF11FC5D8D1B14C77E22D859A1387797C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d................" .........P...............................................`............`A.............................................%...........P...............P..x&..............p............................................................................rdata...'.......0..................@..@.data........@......................@....rsrc........P.......@..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-multibyte-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30312
Entropy (8bit):	4.96699982894665
Encrypted:	false
SSDEEP:	384:PfhhvLPmIHJI6/CpG3t2G3t4odXLVWqhW2ntNbZR9zQo9eZ:xhPmIHJI69VFT9zO
MD5:	075419431D46DC67932B04A8B91A772F
SHA1:	DB2AF49EE7B6BEC379499B5A80BE39310C6C8425
SHA-256:	3A4B66E65A5EE311AFC37157A8101ABA6017FF7A4355B4DD6E6C71D5B7223560
SHA-512:	76287E0003A396CDA84CE6B206986476F85E927A389787D1D273684167327C41FC0FE5E947175C0DEB382C5ACCF785F867D9FCE1FEA4ABD7D99B201E277D1704
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...Y.g..........." .........P...............................................`.......r....`A............................................. ...........P...............P..h&..............p............................................................................rdata..t".......0..................@..@.data........@......................@....rsrc........P.......@..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-process-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	4.883012715268179
Encrypted:	false
SSDEEP:	192:5eXrqjd7ZWqhW3WEXCVWQ4mW3Ql1Lrp0KBQfX01k9z3ALkjY/12:54rgWqhWsP1RxB+R9z2kjY/Y
MD5:	272C0F80FD132E434CDCDD4E184BB1D8
SHA1:	5BC8B7260E690B4D4039FE27B48B2CECEC39652F
SHA-256:	BD943767F3E0568E19FB52522217C22B6627B66A3B71CD38DD6653B50662F39D
SHA-512:	94892A934A92EF1630FBFEA956D1FE3A3BFE687DEC31092828960968CB321C4AB3AF3CAF191D4E28C8CA6B8927FBC1EC5D17D5C8A962C848F4373602EC982CD4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...<SdT.........." .........0...............................................@......N.....`A............................................x............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-runtime-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26208
Entropy (8bit):	5.023753175006074
Encrypted:	false
SSDEEP:	192:4mGqX8mPrpJhhf4AN5/KiFWqhWyzWEXCVWQ4OW4034hHssDX01k9z3AaYX2cWo:4ysyr77WqhWyI0oFDR9z9YH9
MD5:	20C0AFA78836B3F0B692C22F12BDA70A
SHA1:	60BB74615A71BD6B489C500E6E69722F357D283E
SHA-256:	962D725D089F140482EE9A8FF57F440A513387DD03FDC06B3A28562C8090C0BC
SHA-512:	65F0E60136AB358661E5156B8ECD135182C8AAEFD3EC320ABDF9CFC8AEAB7B68581890E0BBC56BAD858B83D47B7A0143FA791195101DC3E2D78956F591641D16
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....TR.........." .........@...............................................P......D!....`A............................................4............@...............@..`&..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-stdio-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26232
Entropy (8bit):	5.289041983400337
Encrypted:	false
SSDEEP:	192:UuV2OlkuWYFxEpahfWqhWNWJWadJCsVWQ4mWeX9UfKUSIX01k9z3AEXzGd5S:dV2oFVhfWqhWMCstE2IR9z5Sd5S
MD5:	96498DC4C2C879055A7AFF2A1CC2451E
SHA1:	FECBC0F854B1ADF49EF07BEACAD3CEC9358B4FB2
SHA-256:	273817A137EE049CBD8E51DC0BB1C7987DF7E3BF4968940EE35376F87EF2EF8D
SHA-512:	4E0B2EF0EFE81A8289A447EB48898992692FEEE4739CEB9D87F5598E449E0059B4E6F4EB19794B9DCDCE78C05C8871264797C14E4754FD73280F37EC3EA3C304
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...k. U.........." .........@...............................................P............`A............................................a............@...............@..x&..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-string-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26232
Entropy (8bit):	5.284932479906984
Encrypted:	false
SSDEEP:	384:tCLx0C5yguNvZ5VQgx3SbwA7yMVIkFGlTWqhWbQCsMSR9zful:tCV5yguNvZ5VQgx3SbwA71IkFGqHe9zI
MD5:	115E8275EB570B02E72C0C8A156970B3
SHA1:	C305868A014D8D7BBEF9ABBB1C49A70E8511D5A6
SHA-256:	415025DCE5A086DBFFC4CF322E8EAD55CB45F6D946801F6F5193DF044DB2F004
SHA-512:	B97EF7C5203A0105386E4949445350D8FF1C83BDEAEE71CCF8DC22F7F6D4F113CB0A9BE136717895C36EE8455778549F629BF8D8364109185C0BF28F3CB2B2CA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.... .h.........." .........@...............................................P......\.....`A.........................................................@...............@..x&..............p............................................................................rdata.._........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-time-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22120
Entropy (8bit):	5.253102285412285
Encrypted:	false
SSDEEP:	192:mt3hwDGWqhWrWEXCVWQ4mWn+deyttuX01k9z3A23x:AWqhWgPSR9zfh
MD5:	001E60F6BBF255A60A5EA542E6339706
SHA1:	F9172EC37921432D5031758D0C644FE78CDB25FA
SHA-256:	82FBA9BC21F77309A649EDC8E6FC1900F37E3FFCB45CD61E65E23840C505B945
SHA-512:	B1A6DC5A34968FBDC8147D8403ADF8B800A06771CC9F15613F5CE874C29259A156BAB875AAE4CAAEC2117817CE79682A268AA6E037546AECA664CD4EEA60ADBF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...G............" .........0...............................................@.......&....`A.........................................................0...............0..h&..............p............................................................................rdata..=...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\api-ms-win-crt-utility-l1-1-0.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22136
Entropy (8bit):	4.810971823417463
Encrypted:	false
SSDEEP:	192:p/fHQduDWqhWJWJWadJCsVWQ4mWxrnyttuX01k9z3A2Yv6WT:p/ftWqhWoCsmySR9zfYvvT
MD5:	A0776B3A28F7246B4A24FF1B2867BDBF
SHA1:	383C9A6AFDA7C1E855E25055AAD00E92F9D6AAFF
SHA-256:	2E554D9BF872A64D2CD0F0EB9D5A06DEA78548BC0C7A6F76E0A0C8C069F3C0A9
SHA-512:	7C9F0F8E53B363EF5B2E56EEC95E7B78EC50E9308F34974A287784A1C69C9106F49EA2D9CA037F0A7B3C57620FCBB1C7C372F207C68167DF85797AFFC3D7F3BA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...2............." .........0...............................................@......^.....`A............................................^............0...............0..x&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\attrs-24.2.0.dist-info\INSTALLER

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI78482\attrs-24.2.0.dist-info\METADATA

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	Unicode text, UTF-8 text, with very long lines (411)
Category:	dropped
Size (bytes):	11524
Entropy (8bit):	5.211520136058075
Encrypted:	false
SSDEEP:	192:ERsUfi6bkQk+k/kKkegToJWicnJsPVA1oz2dv7COmoKTACoEJdQ/0G6lWg+JdQV5:ERsXpLs3VoJWRnJsPvz2dDCHoKsLgA6z
MD5:	49CABCB5F8DA14C72C8C3D00ADB3C115
SHA1:	F575BECF993ECDF9C6E43190C1CB74D3556CF912
SHA-256:	DC9824E25AFD635480A8073038B3CDFE6A56D3073A54E1A6FB21EDD4BB0F207C
SHA-512:	923DAEEE0861611D230DF263577B3C382AE26400CA5F1830EE309BD6737EED2AD934010D61CDD4796618BEDB3436CD772D9429A5BED0A106EF7DE60E114E505C
Malicious:	false
Preview:	Metadata-Version: 2.3.Name: attrs.Version: 24.2.0.Summary: Classes Without Boilerplate.Project-URL: Documentation, https://www.attrs.org/.Project-URL: Changelog, https://www.attrs.org/en/stable/changelog.html.Project-URL: GitHub, https://github.com/python-attrs/attrs.Project-URL: Funding, https://github.com/sponsors/hynek.Project-URL: Tidelift, https://tidelift.com/subscription/pkg/pypi-attrs?utm_source=pypi-attrs&utm_medium=pypi.Author-email: Hynek Schlawack <hs@ox.cx>.License-Expression: MIT.License-File: LICENSE.Keywords: attribute,boilerplate,class.Classifier: Development Status :: 5 - Production/Stable.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python :: 3.7.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: Programming Language :: Python :: 3.11.Classifier: Programming Language :: Python :: 3.12.Classifier: Programming Languag

C:\Users\user\AppData\Local\Temp\_MEI78482\attrs-24.2.0.dist-info\RECORD

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	3556
Entropy (8bit):	5.810477636970161
Encrypted:	false
SSDEEP:	96:Q9ewrFmJT/oPynEddwBbCobXm9qGmR5VXzskCGD+qLtxO:2ewBoJCKXGeR/XzIiO
MD5:	8037E693EAFED6C3D0CCE916BABB50C4
SHA1:	2321392AAB7AE3A6A78248E5D5F454124D368EC1
SHA-256:	688073F6556808D9139FEA52BEC3802D8C0D7CE07978B98AAE8DB5C98FACC0DF
SHA-512:	95B9E6B8F946D2617098C338441AFC5A555FF208947D5731E09EE17B959655161C397F57E14827A95A8FD4554DE8C6E426DC316F858510AE4AA7CA8723C4CF51
Malicious:	false
Preview:	attr/__init__.py,sha256=l8Ewh5KZE7CCY0i1iDfSCnFiUTIkBVoqsXjX9EZnIVA,2087..attr/__init__.pyi,sha256=aTVHBPX6krCGvbQvOl_UKqEzmi2HFsaIVm2WKmAiqVs,11434..attr/__pycache__/__init__.cpython-311.pyc,,..attr/__pycache__/_cmp.cpython-311.pyc,,..attr/__pycache__/_compat.cpython-311.pyc,,..attr/__pycache__/_config.cpython-311.pyc,,..attr/__pycache__/_funcs.cpython-311.pyc,,..attr/__pycache__/_make.cpython-311.pyc,,..attr/__pycache__/_next_gen.cpython-311.pyc,,..attr/__pycache__/_version_info.cpython-311.pyc,,..attr/__pycache__/converters.cpython-311.pyc,,..attr/__pycache__/exceptions.cpython-311.pyc,,..attr/__pycache__/filters.cpython-311.pyc,,..attr/__pycache__/setters.cpython-311.pyc,,..attr/__pycache__/validators.cpython-311.pyc,,..attr/_cmp.py,sha256=3umHiBtgsEYtvNP_8XrQwTCdFoZIX4DEur76N-2a3X8,4123..attr/_cmp.pyi,sha256=U-_RU_UZOyPUEQzXE6RMYQQcjkZRY25wTH99sN0s7MM,368..attr/_compat.py,sha256=n2Uk3c-ywv0PkFfGlvqR7SzDXp4NOhWmNV_ZK6YfWoM,2958..attr/_config.py,sha256=z81Vt-GeT_2taxs1XZfmHx9TWlSxjP

C:\Users\user\AppData\Local\Temp\_MEI78482\attrs-24.2.0.dist-info\WHEEL

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	87
Entropy (8bit):	4.730668933656452
Encrypted:	false
SSDEEP:	3:RtEeXAaCTQnP+tPCCfA5I:Rt2PcnWBB3
MD5:	52ADFA0C417902EE8F0C3D1CA2372AC3
SHA1:	B67635615EEF7E869D74F4813B5DC576104825DD
SHA-256:	D7215D7625CC9AF60AED0613AAD44DB57EBA589D0CCFC3D8122114A0E514C516
SHA-512:	BFA87E7B0E76E544C2108EF40B9FAC8C5FF4327AB8EDE9FEB2891BD5D38FEA117BD9EEBAF62F6C357B4DEADDAD5A5220E0B4A54078C8C2DE34CB1DD5E00F2D62
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: hatchling 1.25.0.Root-Is-Purelib: true.Tag: py3-none-any.

C:\Users\user\AppData\Local\Temp\_MEI78482\attrs-24.2.0.dist-info\licenses\LICENSE

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1109
Entropy (8bit):	5.104415762129373
Encrypted:	false
SSDEEP:	24:bGf8rUrmJHHH0yN3gtsHw1hC09QHOsUv4eOk4/+/m3oqLFh:bW8rUaJHlxE3dQHOs5exm3ogFh
MD5:	5E55731824CF9205CFABEAB9A0600887
SHA1:	243E9DD038D3D68C67D42C0C4BA80622C2A56246
SHA-256:	882115C95DFC2AF1EEB6714F8EC6D5CBCABF667CAFF8729F42420DA63F714E9F
SHA-512:	21B242BF6DCBAFA16336D77A40E69685D7E64A43CC30E13E484C72A93CD4496A7276E18137DC601B6A8C3C193CB775DB89853ECC6D6EB2956DEEE36826D5EBFE
Malicious:	false
Preview:	The MIT License (MIT)..Copyright (c) 2015 Hynek Schlawack and the attrs contributors..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to deal.in the Software without restriction, including without limitation the rights.to use, copy, modify, merge, publish, distribute, sublicense, and/or sell.copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in all.copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHE

C:\Users\user\AppData\Local\Temp\_MEI78482\base_library.zip

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1440734
Entropy (8bit):	5.590363711484859
Encrypted:	false
SSDEEP:	24576:mQR5pATG8/R5lUKdcubgAnyfb8hd0iwhJdYf9PyetHHA:mQR5pE/RbVc
MD5:	34A1E9C9033D4DBEC9AA8FCE5CF8403F
SHA1:	B6379C9E683CF1B304F5027CF42040892799F377
SHA-256:	4C21ADBCC2A8D8ADC1D4B693017C6276B03CB505BB810F46709D75AC3FB77668
SHA-512:	CEDC5735ECF29A50BADE26040C39B5511E18E6D0A921B05E51EF1C1391B64C43F6D0944DE51E88FAD5A62DB8391C80FBE2D9673FB524F92EA0DBD55E659AC3D6
Malicious:	false
Preview:	PK..........!.h%..b...b......._collections_abc.pyc............................................d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.........................Z...e.d...............Z.d...Z...e.e...............Z.[.g.d...Z.d.Z...e...e.d.............................Z...e...e...e...........................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.g.............................Z...e...e...e.g...........................................Z...e...e...e.d...........................................Z...e...e...e.d.d.z.............................................Z...e...e...e...........................................Z...e...e.d.............................Z ..e...e.d.............................Z!..e...e...e"..........................................Z#..e.i.......................................

C:\Users\user\AppData\Local\Temp\_MEI78482\certifi\cacert.pem

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299427
Entropy (8bit):	6.047872935262006
Encrypted:	false
SSDEEP:	6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/QRSRqNb7d8iu5Nahx:QWb/TRJLWURrI5RWavdF08/
MD5:	50EA156B773E8803F6C1FE712F746CBA
SHA1:	2C68212E96605210EDDF740291862BDF59398AEF
SHA-256:	94EDEB66E91774FCAE93A05650914E29096259A5C7E871A1F65D461AB5201B47
SHA-512:	01ED2E7177A99E6CB3FBEF815321B6FA036AD14A3F93499F2CB5B0DAE5B713FD2E6955AA05F6BDA11D80E9E0275040005E5B7D616959B28EFC62ABB43A3238F0
Malicious:	false
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\_MEI78482\charset_normalizer\md.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.8208567868970675
Encrypted:	false
SSDEEP:	96:Y0fK74ACb0xx2uKynu10YLsgxwJiUNiL0U5IZsJFPGDtCFuCQAAZWQcX6g8H4a81:gFCk2z1/t12iwU5usJFKCyHcqgg
MD5:	CBF62E25E6E036D3AB1946DBAFF114C1
SHA1:	B35F91EAF4627311B56707EF12E05D6D435A4248
SHA-256:	06032E64E1561251EA3035112785F43945B1E959A9BF586C35C9EA1C59585C37
SHA-512:	04B694D0AE99D5786FA19F03C5B4DD8124C4F9144CFE7CA250B48A3C0DE0883E06A6319351AE93EA95B55BBBFA69525A91E9407478E40AD62951F1D63D45FF18
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................X......o..............o.......o.......o......j..............n......n......n4.....n......Rich....................PE..d....#.g.........." ...).....................................................p............`..........................................'..p...`(..d....P.......@...............`..,...`#.............................. "..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	121344
Entropy (8bit):	5.899699901799497
Encrypted:	false
SSDEEP:	3072:3Ives1m094QtwqlaZTwuQMS/Pf+vGTVmEU:3PsQIJmE
MD5:	BAC273806F46CFFB94A84D7B4CED6027
SHA1:	773FBC0435196C8123EE89B0A2FC4D44241FF063
SHA-256:	1D9ABA3FF1156EA1FBE10B8AA201D4565AE6022DAF2117390D1D8197B80BB70B
SHA-512:	EAEC1F072C2C0BC439AC7B4E3AEA6E75C07BD4CD2D653BE8500BBFFE371FBFE045227DAEAD653C162D972CCAADFF18AC7DA4D366D1200618B0291D76E18B125C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........yB............................................................................................Rich...........................PE..d....#.g.........." ...).2..........@4.......................................0............`.............................................d...d...................p............ ......@...................................@............P...............................text...x0.......2.................. ..`.rdata...Y...P...Z...6..............@..@.data....=.......0..................@....pdata..p...........................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\cryptography-43.0.3.dist-info\INSTALLER

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI78482\cryptography-43.0.3.dist-info\METADATA

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	5440
Entropy (8bit):	5.074230645519915
Encrypted:	false
SSDEEP:	96:DloQIUQIhQIKQILbQIRIaMPktjaVxsxA2TLLDmplH7dwnqTIvrUmA0JQTQCQx5KN:RcPuP1srTLLDmplH7JTIvYX0JQTQ9x54
MD5:	C891CD93024AF027647E6DE89D0FFCE2
SHA1:	01D8D6F93F1B922A91C82D4711BCEFB885AD47B0
SHA-256:	EB36E0E4251E8479EF36964440755EF22BEDD411BA87A93F726FA8E5BB0E64B0
SHA-512:	3386FBB3DCF7383B2D427093624C531C50BE34E3E0AA0984547B953E04776D0D431D5267827F4194A9B0AD1AB897869115623E802A6A1C5D2AE1AD82C96CCE71
Malicious:	false
Preview:	Metadata-Version: 2.3.Name: cryptography.Version: 43.0.3.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: Apache Software License.Classifier: License :: OSI Approved :: BSD License.Classifier: Natural Language :: English.Classifier: Operating System :: MacOS :: MacOS X.Classifier: Operating System :: POSIX.Classifier: Operating System :: POSIX :: BSD.Classifier: Operating System :: POSIX :: Linux.Classifier: Operating System :: Microsoft :: Windows.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Programming Language :: Python :: 3.7.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: Programming Language :: Python :: 3.11.Classifier: Programming Language :: Python :: 3.12.Classif

C:\Users\user\AppData\Local\Temp\_MEI78482\cryptography-43.0.3.dist-info\RECORD

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	15485
Entropy (8bit):	5.562409393703148
Encrypted:	false
SSDEEP:	192:1XxTBjWz5jF4ELZVhXau4WPE6FGotqw++NX6in55qw/n+B:1XXjWhCEJaiPE6FGotqw++96in5+B
MD5:	13F4AAA0BE473C30F1FCFE7C1E5CC75C
SHA1:	D542DDD6490DE41A96F53579F021EE633B32A4AA
SHA-256:	5AC071DBE59CB47B67628486C36D8E477CB152A2120147B94197EA5142EC3804
SHA-512:	E4E19893A650F91706A472875C398D014AB103D55D065F3D6E9E3AF24AE8D12B87D61C1D1C9C040819E1B9F19A88850780DBA1ED49D380A6273D164169013040
Malicious:	false
Preview:	cryptography-43.0.3.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..cryptography-43.0.3.dist-info/METADATA,sha256=6zbg5CUehHnvNpZEQHVe8ivt1BG6h6k_cm-o5bsOZLA,5440..cryptography-43.0.3.dist-info/RECORD,,..cryptography-43.0.3.dist-info/WHEEL,sha256=8_4EnrLvbhzH224YH8WypoB7HFn-vpbwr_zHlr3XUBI,94..cryptography-43.0.3.dist-info/license_files/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197..cryptography-43.0.3.dist-info/license_files/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360..cryptography-43.0.3.dist-info/license_files/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532..cryptography/__about__.py,sha256=-FkHKD9mSuEfH37wsSKnQzJZmL5zUAUTpB5OeUQjPE0,445..cryptography/__init__.py,sha256=mthuUrTd4FROCpUYrTIqhjz6s6T9djAZrV7nZ1oMm2o,364..cryptography/__pycache__/__about__.cpython-311.pyc,,..cryptography/__pycache__/__init__.cpython-311.pyc,,..cryptography/__pycache__/exceptions.cpython-311.pyc,,..cryptography/__p

C:\Users\user\AppData\Local\Temp\_MEI78482\cryptography-43.0.3.dist-info\WHEEL

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	5.016084900984752
Encrypted:	false
SSDEEP:	3:RtEeX5pGogP+tkKciH/KQb:RtvoTWKTQb
MD5:	C869D30012A100ADEB75860F3810C8C9
SHA1:	42FD5CFA75566E8A9525E087A2018E8666ED22CB
SHA-256:	F3FE049EB2EF6E1CC7DB6E181FC5B2A6807B1C59FEBE96F0AFFCC796BDD75012
SHA-512:	B29FEAF6587601BBE0EDAD3DF9A87BFC82BB2C13E91103699BABD7E039F05558C0AC1EF7D904BCFAF85D791B96BC26FA9E39988DD83A1CE8ECCA85029C5109F0
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: maturin (1.7.0).Root-Is-Purelib: false.Tag: cp39-abi3-win_amd64.

C:\Users\user\AppData\Local\Temp\_MEI78482\cryptography-43.0.3.dist-info\license_files\LICENSE

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	197
Entropy (8bit):	4.61968998873571
Encrypted:	false
SSDEEP:	3:hWDncJhByZmJgXPForADu1QjygQuaAJygT2d5GeWreLRuOFEXAYeBKmJozlMHuO:h9Co8FyQjkDYc5tWreLBF/pn2mH1
MD5:	8C3617DB4FB6FAE01F1D253AB91511E4
SHA1:	E442040C26CD76D1B946822CAF29011A51F75D6D
SHA-256:	3E0C7C091A948B82533BA98FD7CBB40432D6F1A9ACBF85F5922D2F99A93AE6BB
SHA-512:	77A1919E380730BCCE5B55D76FBFFBA2F95874254FAD955BD2FE1DE7FC0E4E25B5FDAAB0FEFFD6F230FA5DC895F593CF8BFEDF8FDC113EFBD8E22FADAB0B8998
Malicious:	false
Preview:	This software is made available under the terms of either of the licenses.found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made.under the terms of both these licenses..

C:\Users\user\AppData\Local\Temp\_MEI78482\cryptography-43.0.3.dist-info\license_files\LICENSE.APACHE

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	11360
Entropy (8bit):	4.426756947907149
Encrypted:	false
SSDEEP:	192:nUDG5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEnQHbHR:UIvlKM1zJlFvmNz5VrlkTS0QHt
MD5:	4E168CCE331E5C827D4C2B68A6200E1B
SHA1:	DE33EAD2BEE64352544CE0AA9E410C0C44FDF7D9
SHA-256:	AAC73B3148F6D1D7111DBCA32099F68D26C644C6813AE1E4F05F6579AA2663FE
SHA-512:	F451048E81A49FBFA11B49DE16FF46C52A8E3042D1BCC3A50AAF7712B097BED9AE9AED9149C21476C2A1E12F1583D4810A6D36569E993FE1AD3879942E5B0D52
Malicious:	false
Preview:	. Apache License. Version 2.0, January 2004. https://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial ow

C:\Users\user\AppData\Local\Temp\_MEI78482\cryptography-43.0.3.dist-info\license_files\LICENSE.BSD

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1532
Entropy (8bit):	5.058591167088024
Encrypted:	false
SSDEEP:	24:MjUnoorbOFFTJJyRrYFTjzMbmqEvBTP4m96432s4EOkUTKQROJ32s3yxsITf+3tY:MkOFJSrYJsaN5P406432svv32s3EsIqm
MD5:	5AE30BA4123BC4F2FA49AA0B0DCE887B
SHA1:	EA5B412C09F3B29BA1D81A61B878C5C16FFE69D8
SHA-256:	602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
SHA-512:	DDBB20C80ADBC8F4118C10D3E116A5CD6536F72077C5916D87258E155BE561B89EB45C6341A1E856EC308B49A4CB4DBA1408EABD6A781FBE18D6C71C32B72C41
Malicious:	false
Preview:	Copyright (c) Individual contributors..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:.. 1. Redistributions of source code must retain the above copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... 3. Neither the name of PyCA Cryptography nor the names of its contributors. may be used to endorse or promote products derived from this software. without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOS

C:\Users\user\AppData\Local\Temp\_MEI78482\cryptography\hazmat\bindings\_rust.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	7834624
Entropy (8bit):	6.517862303223651
Encrypted:	false
SSDEEP:	49152:oFNZj7fIo9W67PapgzJTkrXyzNzpXAbuiqCgIns3mYEXEqMrIU6i7GtlqdVwASO/:QI9X/gIFYEXME+oFNr5VQCJheq4BsxH
MD5:	BFD28B03A4C32A9BCB001451FD002F67
SHA1:	DD528FD5F4775E16B2E743D3188B66F1174807B2
SHA-256:	8EF0F404A8BFF12FD6621D8F4F209499613F565777FE1C2A680E8A18F312D5A7
SHA-512:	6DC39638435F147B399826E34F78571D7ED2ED1232275E213A2B020224C0645E379F74A0CA5DE86930D3348981C8BB03BBBECFA601F8BA781417E7114662DDEE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.b.6...6...6...?..$...&9..4...&9..2...&9..>...&9..'...}...8...Y<..5...6...2...~8..I...6.......~8..7...~8..7...Rich6...........PE..d......g.........." ...)..Y..$........W.......................................w...........`..........................................q.....l.q.............. s...............w......zi.T....................{i.(...Pyi.@.............Y..............................text...k.Y.......Y................. ..`.rdata...A....Y..B....Y.............@..@.data...@+....q.......q.............@....pdata....... s.......r.............@..@.reloc........w.......v.............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\frozenlist\_frozenlist.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	87040
Entropy (8bit):	5.923038424678
Encrypted:	false
SSDEEP:	1536:qundZwmaApD60dSpyT4DIk54S85QwvpC/vNZAg:nLwUpzAczh+wvpqvNZP
MD5:	E8CADECD9A3684DBA357FC0489C62492
SHA1:	4C488D097A85F9BC61F842E3DCF42E228B9885B3
SHA-256:	02053F53EB078BE1488735878DC68524F0E103342250A09EECAE3533D8E9C770
SHA-512:	2443C90931A9AD672938D13C60FDB564EE8AA9FCA85E0426445CE36C395AC9675B6F6488518FF16071731CF8E9A0C2F8DD3182120FD9A7DAF6FD2EE813D2C781
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}.5...f...f...f.dDf...f...g...f.d.g...f...g...f...g...f...g...f..g...f...f2..f..g...f..g...f.(f...f..g...fRich...f................PE..d......g.........." ...).....v............................................................`.........................................`7..h....7..x............p..X....................&..............................`%..@...............@............................text............................... ..`.rdata...J.......L..................@..@.data........P.......6..............@....pdata..X....p.......D..............@..@.rsrc................P..............@..@.reloc...............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\libcrypto-3.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5162776
Entropy (8bit):	5.958207976652471
Encrypted:	false
SSDEEP:	98304:S3+FRtLtlVriXpshX179Cahd4tC9P1+1CPwDvt3uFlDCi:ASRtLtvd99Cahd4tC9w1CPwDvt3uFlDz
MD5:	51E8A5281C2092E45D8C97FBDBF39560
SHA1:	C499C810ED83AAADCE3B267807E593EC6B121211
SHA-256:	2A234B5AA20C3FAECF725BBB54FB33F3D94543F78FA7045408E905593E49960A
SHA-512:	98B91719B0975CB38D3B3C7B6F820D184EF1B64D38AD8515BE0B8B07730E2272376B9E51631FE9EFD9B8A1709FEA214CF3F77B34EEB9FD282EB09E395120E7CB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./',.kFB.kFB.kFB.b>..yFB..:C.iFB..:G.gFB..:F.cFB..:A.oFB.kFC..FB. >C.`FB.;A.KFB.;F..EB.;B.jFB.;..jFB.;@.jFB.RichkFB.........................PE..d...x..e.........." ...#..6..*......v.........................................O.......O...`.........................................0.G.0.....M.@....0N.\|.....K.\.....N../...@N.....PsC.8............................qC.@.............M..............................text...4.6.......6................. ..`.rdata..`.....6.......6.............@..@.data....n....J..<....J.............@....pdata........K.......J.............@..@.idata...%....M..&....M.............@..@.00cfg..u.... N.......M.............@..@.rsrc...\|....0N.......M.............@..@.reloc..k....@N.......M.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\libffi-8.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39696
Entropy (8bit):	6.641880464695502
Encrypted:	false
SSDEEP:	768:NiQfxQemQJNrPN+moyijAc5YiSyvkIPxWEqG:dfxIQvPkmoyijP7SytPxF
MD5:	0F8E4992CA92BAAF54CC0B43AACCCE21
SHA1:	C7300975DF267B1D6ADCBAC0AC93FD7B1AB49BD2
SHA-256:	EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
SHA-512:	6E1B223462DC124279BFCA74FD2C66FE18B368FFBCA540C84E82E0F5BCBEA0E10CC243975574FA95ACE437B9D8B03A446ED5EE0C9B1B094147CEFAF704DFE978
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".H...(.......L...............................................n....`......................................... l.......p..P...............P....l.../......,...@d...............................c..@............`.. ............................text....G.......H.................. ..`.rdata..h....`.......L..............@..@.data................b..............@....pdata..P............d..............@..@.reloc..,............j..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\libssl-3.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	790296
Entropy (8bit):	5.607732992846443
Encrypted:	false
SSDEEP:	6144:7aO1lo7USZGjweMMHO4+xuVg7gCl2VdhMd1DdwMVn4TERUr3zgKpJJ/wknofFe9A:FkeMKOr97gCAE35gEGzLpwknofFe9XbE
MD5:	BFC834BB2310DDF01BE9AD9CFF7C2A41
SHA1:	FB1D601B4FCB29FF1B13B0D2ED7119BD0472205C
SHA-256:	41AD1A04CA27A7959579E87FBBDA87C93099616A64A0E66260C983381C5570D1
SHA-512:	6AF473C7C0997F2847EBE7CEE8EF67CD682DEE41720D4F268964330B449BA71398FDA8954524F9A97CC4CDF9893B8BDC7A1CF40E9E45A73F4F35A37F31C6A9C3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T..T..T..].3.Z....V......V....X....\....P....W..T..I....e....U.._.U....U..RichT..........PE..d......e.........." ...#.6..........K........................................0.......w....`..........................................w...Q..............s.... ..pM......./......`... ...8...............................@............................................text....4.......6.................. ..`.rdata...y...P...z...:..............@..@.data....N.......H..................@....pdata..XV... ...X..................@..@.idata..bc.......d...T..............@..@.00cfg..u...........................@..@.rsrc...s...........................@..@.reloc..?...........................@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\lz4-4.3.3.dist-info\INSTALLER

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI78482\lz4-4.3.3.dist-info\LICENSE

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1523
Entropy (8bit):	5.162397061365918
Encrypted:	false
SSDEEP:	24:oY3UnzobbOmFTVJcFTzA6GLQrBTP49H432sZEOkHs8nRO632smyxtTfr10VZlQfS:ROmJIJzSEP6H432smp32smEtP10VwHy
MD5:	2F7382E069BEAC97D607124540FD5661
SHA1:	1684541BA4AF5542BA7E6490C25882CA125A1C47
SHA-256:	A7D65D1DD4DCC86DCA5D17D46AA4A1C77669C9B72F55F298E9E2212F2905C0CF
SHA-512:	4BD08A47B9B67098E38895E96136B3A5EE4711DEF8EB6AC87B522F2A024FC7F22EA4B53E048C2BB3F636EA81CD0814B53B4E20361EBC1A8CDE1C8E57F7A76089
Malicious:	false
Preview:	Copyright (c) 2012-2013, Steeve Morin..All rights reserved.....Redistribution and use in source and binary forms, with or without..modification, are permitted provided that the following conditions are met:....1. Redistributions of source code must retain the above copyright notice,.. this list of conditions and the following disclaimer.....2. Redistributions in binary form must reproduce the above copyright notice,.. this list of conditions and the following disclaimer in the documentation.. and/or other materials provided with the distribution.....3. Neither the name of Steeve Morin nor the names of its contributors may be.. used to endorse or promote products derived from this software without.. specific prior written permission.....THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"..AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE..IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE..ARE DISCLAIMED.

C:\Users\user\AppData\Local\Temp\_MEI78482\lz4-4.3.3.dist-info\METADATA

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3758
Entropy (8bit):	5.092767270997029
Encrypted:	false
SSDEEP:	96:DdPHo8lGovhSaWMqCBAInB8fhfxF914CAXTzbIYB/HF4s1LWlAjC:tHoczVBAu6fhft15AzjlLLC
MD5:	3D855AD86A99255B3248D88C524148FC
SHA1:	1ADBA31F74CC4BA33AD9AE31EE29CABA66EB4D93
SHA-256:	612E3D4394DFDCA3E93C74FF02ABC012757279F7BA879D875BEE58F643A45FFE
SHA-512:	99E0C5E2DD734CBB653FDFC80C8F568EEEFAAAEF83BA92431DCE97770077759A0550FA6FC58EC3F86C67774CA9F02C0EC33164B4471DB2D659202979C868A4EF
Malicious:	false
Preview:	Metadata-Version: 2.1..Name: lz4..Version: 4.3.3..Summary: LZ4 Bindings for Python..Home-page: https://github.com/python-lz4/python-lz4..Author: Jonathan Underwood..Author-email: jonathan.underwood@gmail.com..Classifier: Development Status :: 5 - Production/Stable..Classifier: License :: OSI Approved :: BSD License..Classifier: Intended Audience :: Developers..Classifier: Programming Language :: C..Classifier: Programming Language :: Python..Classifier: Programming Language :: Python :: 3.8..Classifier: Programming Language :: Python :: 3.9..Classifier: Programming Language :: Python :: 3.10..Classifier: Programming Language :: Python :: 3.11..Classifier: Programming Language :: Python :: 3.12..Requires-Python: >=3.8..License-File: LICENSE..Provides-Extra: docs..Requires-Dist: sphinx >=1.6.0 ; extra == 'docs'..Requires-Dist: sphinx-bootstrap-theme ; extra == 'docs'..Provides-Extra: flake8..Requires-Dist: flake8 ; extra == 'flake8'..Provides-Extra: tests..Requires-Dist: pytest !=3.3.0 ;

C:\Users\user\AppData\Local\Temp\_MEI78482\lz4-4.3.3.dist-info\RECORD

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	5.865132521742272
Encrypted:	false
SSDEEP:	24:on/2zDBvNGAt5OjUyWolSl1xp++ihiB5YJ+SdX54nhOZH58lFc:onuXBZqjUhocllkiHYA+54nYZH5iFc
MD5:	5767B79313C4C7634B59A06B711F4A2F
SHA1:	906B83790268C9042874E5E05DC7C0CF57106E1C
SHA-256:	BB6AB4126ED02B0B83CC89FCF371C9D5F4BC927DE87632245007569ED49F6D3D
SHA-512:	8B93C1D32CD84AAC9B0E5358B84A498C524FD45E365CE088AA3A8A0D8D1B4916B053A1628BAE63111C13AFFFD367CF5AFA3437106F83968B11F34E9A1E5D8BB6
Malicious:	false
Preview:	lz4-4.3.3.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..lz4-4.3.3.dist-info/LICENSE,sha256=p9ZdHdTcyG3KXRfUaqShx3ZpybcvVfKY6eIhLykFwM8,1523..lz4-4.3.3.dist-info/METADATA,sha256=YS49Q5Tf3KPpPHT_AqvAEnVyefe6h52HW-5Y9kOkX_4,3758..lz4-4.3.3.dist-info/RECORD,,..lz4-4.3.3.dist-info/WHEEL,sha256=ircjsfhzblqgSzO8ow7-0pXK-RVqDqNRGQ8F650AUNM,102..lz4-4.3.3.dist-info/top_level.txt,sha256=cX6_gxFUdNSo40TfxrGpTCgu7epGm3yW3m2k7irTDzI,4..lz4/__init__.py,sha256=e_8j-K4TJx38qcPNjoZP_pNDo8IpE4D2ZWl4p50iV_8,646..lz4/__pycache__/__init__.cpython-311.pyc,,..lz4/__pycache__/version.cpython-311.pyc,,..lz4/_version.cp311-win_amd64.pyd,sha256=BXu927P5cO4vjggWtfvZIvPt6wgmoQUK9Cd_j9ngmks,11264..lz4/block/__init__.py,sha256=DSUbS7zMlKKeLs8JO9riOBO5Q_lVoSB-nwgjfhBeXt0,71..lz4/block/__pycache__/__init__.cpython-311.pyc,,..lz4/block/_block.cp311-win_amd64.pyd,sha256=N8neJ86OtjJrV98ODkd4GPyX1va57JBvAp6OU41xM9c,76800..lz4/frame/__init__.py,sha256=ZnJ4sJ1HStPpmJpo0q_CGm9fDEui3Tt3V8DmMi68SZM,

C:\Users\user\AppData\Local\Temp\_MEI78482\lz4-4.3.3.dist-info\WHEEL

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	102
Entropy (8bit):	5.0254896858991245
Encrypted:	false
SSDEEP:	3:RtEeX7MWcSlVlbY3KgP+tkKcfxLQLn:RtBMwlVCxWK5NQLn
MD5:	4F7020292A2B5B7F3BCC9B1F5B5AFEB4
SHA1:	D2C2D48CCB76629F7604B9881357F129D76F635F
SHA-256:	8AB723B1F8736E5AA04B33BCA30EFED295CAF9156A0EA351190F05EB9D0050D3
SHA-512:	4D7598EEC10105C1826732DC78FC89850A7343B733A5441DDB53606F8BA7A15C8F058C6C9C0C0EE99951B383BB30C94279FDCE7F0E588A70367DC46D3C672E20
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: bdist_wheel (0.42.0).Root-Is-Purelib: false.Tag: cp311-cp311-win_amd64..

C:\Users\user\AppData\Local\Temp\_MEI78482\lz4-4.3.3.dist-info\top_level.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:fn:f
MD5:	194B36A8466E4650490040D599B09C0E
SHA1:	4CB4A2C46E9892B8A712716F9B42537D1962BBB4
SHA-256:	717EBF83115474D4A8E344DFC6B1A94C282EEDEA469B7C96DE6DA4EE2AD30F32
SHA-512:	C55B2D3D46EC558533B4019DFFA87B1F93E7866DBCDE8D00243D8C54F1A3094933256BD25EAA0333D6EC4B308F1A4C92630BBEF6E10BE7892774DCCF5556FE77
Malicious:	false
Preview:	lz4.

C:\Users\user\AppData\Local\Temp\_MEI78482\lz4\_version.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	4.696226726378701
Encrypted:	false
SSDEEP:	96:VkW+7TRSsA2zVJoYeEw0VTmrgJyUCN5XsMtEZqfH/OZYUo8/NcX6gZYPV:KHRSsvZJ5YNRZEZqn0YUHNcqg4
MD5:	44229B69D9EE7308DA5D880081A1CB75
SHA1:	AEF85718A2658629A7FB399E3D4AED0001409182
SHA-256:	057BBDDBB3F970EE2F8E0816B5FBD922F3EDEB0826A1050AF4277F8FD9E09A4B
SHA-512:	0622A64DA707BCF8EE5E2EA48EFACC3EBB70A4DB16F50DD26DD407AAFC178D0AB443651F38B67B1423C4024E5C1D339509049FB0D2C759659AB980B92D8F9F66
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Y7..8Y..8Y..8Y..@...8Y..GX..8Y.@X..8Y..G\..8Y..G]..8Y..GZ..8Y.7EX..8Y..8X..8Y..Q..8Y..Y..8Y.....8Y..[..8Y.Rich.8Y.........................PE..d....@.e.........." ...%.....................................................p............`.........................................p..`......d....P.......@...............`..D...p%..............................0$..@............ ...............................text...x........................... ..`.rdata....... ......................@..@.data........0.......$..............@....pdata.......@.......&..............@..@.rsrc........P.......(..............@..@.reloc..D....`.......*..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\lz4\block\_block.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	76800
Entropy (8bit):	6.201674022552313
Encrypted:	false
SSDEEP:	1536:+V4xVkjuE0OoP2gFMg/Bc/0amC8p7g4PvjmfO3+oO3h7Xxtu:Pxyjp4Pnfc/ypEaL+O3+oo9Xxtu
MD5:	910C0ED11E93D4EF003ED0065A31164A
SHA1:	CE3D5B6B289F77F95AF3B60B436FBD9CE821AF2F
SHA-256:	37C9DE27CE8EB6326B57DF0E0E477818FC97D6F6B9EC906F029E8E538D7133D7
SHA-512:	6D9A9C17B22815B3453E4CA42BC1579448B175F55CC52ECE876F20699BC5DA193E075E86A9B063745797F39D988C457ED56B997DF023EAE9F68BD31E7543F2FE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r?Xk6^686^686^68?&.80^68#!794^68}&794^68#!39:^68#!29>^68#!592^68.#795^686^78.^68..>95^68..697^68...87^68..497^68Rich6^68................PE..d....@.e.........." ...%.....8............................................................`..........................................-..\....-.......`.......P..P............p..d....$..............................@#..@............................................text...(........................... ..`.rdata...$.......&..................@..@.data...p....@....... ..............@....pdata..P....P......."..............@..@.rsrc........`.......(..............@..@.reloc..d....p.......*..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\multidict\_multidict.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	47616
Entropy (8bit):	5.315276044408234
Encrypted:	false
SSDEEP:	768:j2vE6F6hmSrnDe651sYEYMXB/6BvE6n0/d3g:jAoVDeWlE5/6BvDni
MD5:	ECC0B2FCDA0485900F4B72B378FE4303
SHA1:	40D9571B8927C44AF39F9D2AF8821F073520E65A
SHA-256:	BCBB43CE216E38361CB108E99BAB86AE2C0F8930C86D12CADFCA703E26003CB1
SHA-512:	24FD07EB0149CB8587200C055F20FF8C260B8E626693C180CBA4E066194BED7E8721DDE758B583C93F7CB3D691B50DE6179BA86821414315C17B3D084D290E70
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~..T:l..:l..:l..3.?.8l....8l..q...8l....9l....2l....6l..U..9l..:l..Ll..r..;l..r..;l..r.S.;l..r..;l..Rich:l..........................PE..d...;}.f.........." ...).\...`......`^....................................................`.............................................d.......d...............................L.......................................@............p...............................text....Z.......\.................. ..`.rdata...,...p.......`..............@..@.data....#..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..L...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\propcache\_helpers_c.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	74752
Entropy (8bit):	5.864853826664042
Encrypted:	false
SSDEEP:	1536:kvue4NaxmMtgkBiNWXT+z6eNO/oNJ67bScEq:kvuezmMtgSyWD4NsnbScE
MD5:	04444380B89FB22B57E6A72B3AE42048
SHA1:	CFE9C662CB5CA1704E3F0763D02E0D59C5817D77
SHA-256:	D123D7FEFDE551C82EB61454D763177322E5CE1EAA65DC489E19DE5AB7FAF7B4
SHA-512:	9E7D367BAB0F6CC880C5870FDCDB06D9A9E5EB24EBA489CA85549947879B0FA3C586779FFCEA0FCA4C50AA67DAD098E7BD9E82C00E2D00412D9441991267D2DA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^..T.l...l...l....?..l......l..Q....l......l......l......l..u...l...l...l..R...l..R...l..R.S..l..R...l..Rich.l..................PE..d......g.........." ...).....l......P........................................p............`.........................................`...d.......d....P.......@..H............`..T.......................................@............................................text............................... ..`.rdata...E.......F..................@..@.data........ ......................@....pdata..H....@......................@..@.rsrc........P....... ..............@..@.reloc..T....`......."..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\psutil\_psutil_windows.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67072
Entropy (8bit):	5.909510426434191
Encrypted:	false
SSDEEP:	1536:aJsHmR02IvVxv7WCyKm7c5Th4MBHTOvyyaZE:apIvryCyKx5Th4M5OvyyO
MD5:	3E579844160DE8322D574501A0F91516
SHA1:	C8DE193854F7FC94F103BD4AC726246981264508
SHA-256:	95F01CE7E37F6B4B281DBC76E9B88F28A03CB02D41383CC986803275A1CD6333
SHA-512:	EE2A026E8E70351D395329C78A07ACB1B9440261D2557F639E817A8149BA625173EF196AED3D1C986577D78DC1A7EC9FED759C19346C51511474FE6D235B1817
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......nT..5..5..5..#M2. 5..x@..(5..x@..&5..x@.."5..x@...5...k..(5..aM..;5..5...5...@..:5...@..+5...@^.+5...@..+5..Rich*5..................PE..d.....qf.........." .........h......\........................................@............`.........................................0...`.......@.... .......................0..(.......................................8............................................text...h........................... ..`.rdata..\I.......J..................@..@.data...x...........................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..(....0......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\pyexpat.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	199448
Entropy (8bit):	6.37860626187966
Encrypted:	false
SSDEEP:	6144:JmRBHO1UpyGKEjQxmMLIQjmuMgk6k6k6k6k6k6jHlDX:JmRBHJS7Mgk6k6k6k6k6k6jFDX
MD5:	6527063F18E8D49D04E2CC216C2F0B27
SHA1:	917C349C62689F9B782A314CE4B2311B6B826606
SHA-256:	5604F629523125904909547A97F3CDB5DBFE33B39878BAD77534DE0C3C034387
SHA-512:	67C87D11683A0F4E1BC4083FF05EDEE423155F829051C3FA66CC4F2CFB98CF7374B3A06EB37095E19F5F2A6C8DA83F0C0E3F7EB964694992B525F81B1B00F423
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................g.................................h.......................h.......h.......h.......h.......Rich....................PE..d......e.........." ...#..................................................... ......X.....`.............................................P................................/..........`3..T........................... 2..@............ ...............................text...3........................... ..`.rdata....... ......................@..@.data...@!..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\python3.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67352
Entropy (8bit):	6.1462717896521335
Encrypted:	false
SSDEEP:	768:lGw/EsYpkVgBaz57kcDA7QKFmpz7cnzH/ks/KF61xubwmB1Cf//yhC74JFmpktJa:r/5k8cnzeJd9IVL0v7SyJwx/
MD5:	D8BA00C1D9FCC7C0ABBFFB5C214DA647
SHA1:	5FA9D5700B42A83BFCC125D1C45E0111B9D62035
SHA-256:	E45452EFA356DB874F2E5FF08C9CC0FE22528609E5D341F8FB67BA48885AB77D
SHA-512:	DF1B714494856F618A742791EEFBF470B2EEE07B51D983256E4386EA7D48DA5C7B1E896F222EA55A748C9413203886CDE3A65EF9E7EA069014FA626F81D79CD3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........C..."e.."e.."e.0_m.."e.0_e.."e.0_..."e.0_g.."e.Rich."e.................PE..d......e.........." ...#.................................................................`.........................................`...P................................/..............T............................................................................rdata..............................@..@.rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\python311.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5763864
Entropy (8bit):	6.089317968812699
Encrypted:	false
SSDEEP:	98304:CdT9zf0+IXY3qd4biqm46oWHrMGYPtA81:CdT9zflIXgq/epGWAs
MD5:	65E381A0B1BC05F71C139B0C7A5B8EB2
SHA1:	7C4A3ADF21EBCEE5405288FC81FC4BE75019D472
SHA-256:	53A969094231B9032ABE4148939CE08A3A4E4B30B0459FC7D90C89F65E8DCD4A
SHA-512:	4DB465EF927DFB019AB6FAEC3A3538B0C3A8693EA3C2148FD16163BF31C03C899DFDF350C31457EDF64E671E3CC3E46851F32F0F84B267535BEBC4768EF53D39
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... ..qN.qN.qN.$.O.qN.$...qN.$.K.qN.$.J.qN.$.M.qN....qN...O.qN.qO..pN.B.C.]qN.B.N.qN.B...qN.B.L.qN.Rich.qN.........PE..d......e.........." ...#.R%..>7......=........................................\.....T.X...`...........................................@......[A......p[.......V../....W../....[.lC....).T...........................p.).@............p%..............................text...ZQ%......R%................. ..`.rdata.......p%......V%.............@..@.data....#....A..T...fA.............@....pdata.../....V..0....Q.............@..@PyRuntim......X.......S.............@....rsrc........p[......vV.............@..@.reloc..lC....[..D....V.............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\pywin32_system32\pythoncom311.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	670208
Entropy (8bit):	6.035999626973864
Encrypted:	false
SSDEEP:	12288:ngSkceIv3zBJBQoXNi4LCQqAOffa1tpd5g:gSkc/v3zB9NiEWfa
MD5:	31C1BF2ACA5DF417F6CE2618C3EEFE7E
SHA1:	4C2F7FE265FF28396D03BA0CAB022BBD1785DBF2
SHA-256:	1DAF7C87B48554F1481BA4431102D0429704832E42E3563501B1FFDD3362FCD1
SHA-512:	5723145F718CC659ADD658BA545C5D810E7032842907BAB5C2335E3DE7F20FE69B58AA42512FD67EA8C6AA133E59E0C26BD90700BDD0D0171AF6C1E1C73A2719
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."..~f..-f..-f..-o..-l..-4..,b..-4..,q..-4..,n..-4..,b..-...,d..--..,k..-...,d..--..,o..-f..-5..-...,7..-...,g..-...,g..-Richf..-................PE..d...&..g.........." ......................................................................`..........................................U...c..(...........l....@...z............... ..P...T...............................8............................................text............................... ..`.rdata..x$.......&..................@..@.data....I..........................@....pdata...z...@...\|..................@..@.rsrc...l...........................@..@.reloc... ......."..................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\pywin32_system32\pywintypes311.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	134656
Entropy (8bit):	5.999117329459055
Encrypted:	false
SSDEEP:	3072:kLcVKY3tOSjPenBttgY/r06Yr27vJmxETaTX7wevxJ:kLcVKY3tOWPxY/rkqzJmxEmTXMev
MD5:	5D67ABF69A8939D13BEFB7DE9889B253
SHA1:	BCBBF88C05732D4E1E3811FD312425C1C92018D1
SHA-256:	615EB8A75F9ED9371A59DA8F31E27EE091C013DB0B9164A5124CA0656EA47CB4
SHA-512:	FA34EB05996C41F23524A8B4F1FAED0BDD41224D8E514AA57D568A55D2044C32798C1357F22C72AD79FD02948CAAD89B98B8E9B0AD2927E4A0169739335271CE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I+.j'x.j'x.j'x...x.j'x..&y.j'x...x.j'x.."y.j'x..#y.j'x..$y.j'x..#y.j'x..&y.j'x..&y.j'x.j&xCj'xk..y.j'xk.'y.j'xk.%y.j'xRich.j'x................PE..d......g.........." ................,........................................P............`..........................................u..lB......,....0..l.......L............@..0....Q..T............................R..8............................................text...y........................... ..`.rdata..............................@..@.data....-.......(..................@....pdata..L...........................@..@.rsrc...l....0......................@..@.reloc..0....@......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\select.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30488
Entropy (8bit):	6.582368880935187
Encrypted:	false
SSDEEP:	768:neUeJhHq2GD9IVQGA5YiSyv3g+AMxkEdC:neUeJhK2GD9IVQGS7SyfgMxRC
MD5:	8472D39B9EE6051C961021D664C7447E
SHA1:	B284E3566889359576D43E2E0E99D4ACF068E4FB
SHA-256:	8A9A103BC417DEDE9F6946D9033487C410937E1761D93C358C1600B82F0A711F
SHA-512:	309F1EC491D9C39F4B319E7CE1ABDEDF11924301E4582D122E261E948705FB71A453FEC34F63DF9F9ABE7F8CC2063A56CD2C2935418AB54BE5596AADC2E90AD3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........t.q\|'.q\|'.q\|'...'.q\|'q.}&.q\|'q.y&.q\|'q.x&.q\|'q..&.q\|'..}&.q\|'.q}'.q\|'..}&.q\|'..q&.q\|'..\|&.q\|'...'.q\|'..~&.q\|'Rich.q\|'........PE..d......e.........." ...#.....2......................................................;.....`..........................................@..L...,A..x....p.......`.......H.../......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..L............F..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\setuptools-65.5.0.dist-info\INSTALLER

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI78482\setuptools-65.5.0.dist-info\LICENSE

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1050
Entropy (8bit):	5.072538194763298
Encrypted:	false
SSDEEP:	24:1rmJHcwH0MP3gt8Hw1hj9QHOsUv4eOk4/+/m3oqMSFJ:1aJ8YHvEH5QHOs5exm3oEFJ
MD5:	7A7126E068206290F3FE9F8D6C713EA6
SHA1:	8E6689D37F82D5617B7F7F7232C94024D41066D1
SHA-256:	DB3F0246B1F9278F15845B99FEC478B8B506EB76487993722F8C6E254285FAF8
SHA-512:	C9F0870BC5D5EFF8769D9919E6D8DDE1B773543634F7D03503A9E8F191BD4ACC00A97E0399E173785D1B65318BAC79F41D3974AE6855E5C432AC5DACF8D13E8A
Malicious:	false
Preview:	Copyright Jason R. Coombs..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to.deal in the Software without restriction, including without limitation the.rights to use, copy, modify, merge, publish, distribute, sublicense, and/or.sell copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in.all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING.FROM, OUT OF OR IN CONNECTION WITH THE SOFTW

C:\Users\user\AppData\Local\Temp\_MEI78482\setuptools-65.5.0.dist-info\METADATA

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	6301
Entropy (8bit):	5.107162422517841
Encrypted:	false
SSDEEP:	192:W4rkAIG0wRg8wbNDdq6T9927uoU/GBpHFwTZ:Sq0wRg8wbNDdBh927uoU/GBRFi
MD5:	9E59BD13BB75B38EB7962BF64AC30D6F
SHA1:	70F6A68B42695D1BFA55ACB63D8D3351352B2AAC
SHA-256:	80C7A3B78EA0DFF1F57855EE795E7D33842A0827AA1EF4EE17EC97172A80C892
SHA-512:	67AC61739692ECC249EBDC8F5E1089F68874DCD65365DB1C389FDD0CECE381591A30B99A2774B8CAAA00E104F3E35FF3745AFF6F5F0781289368398008537AE7
Malicious:	false
Preview:	Metadata-Version: 2.1.Name: setuptools.Version: 65.5.0.Summary: Easily download, build, install, upgrade, and uninstall Python packages.Home-page: https://github.com/pypa/setuptools.Author: Python Packaging Authority.Author-email: distutils-sig@python.org.Project-URL: Documentation, https://setuptools.pypa.io/.Project-URL: Changelog, https://setuptools.pypa.io/en/stable/history.html.Keywords: CPAN PyPI distutils eggs package management.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Topic :: Software Development :: Libraries :: Python Modules.Classifier: Topic :: System :: Archiving :: Packaging.Classifier: Topic :: System :: Systems Administration.Classifier: Topic :: Utilities.Requires-Python: >=3.7.License-File: LICENSE.Provides-Extra: certs.Provides-Extra: docs.Requi

C:\Users\user\AppData\Local\Temp\_MEI78482\setuptools-65.5.0.dist-info\RECORD

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	37694
Entropy (8bit):	5.555787611309118
Encrypted:	false
SSDEEP:	384:vSzcBlShgRUhbul9nXJkpIVh498WjXYH0+5+E/8mrnaDoaQP7IOQRJqxBPgof2yd:vc853yQXYAY8AKCT9r2/GsIVxE9Im
MD5:	087F72A04BB085627494651E36C4C513
SHA1:	1E39070E246F91D8926268A033C6F584E629E2DE
SHA-256:	BFB77A968E06417BD37023BF1A2D7F1AAE9D8E74231665D6699D5BB82BDBD7B0
SHA-512:	39CE042A20324C6B63A192D70E56B36318C45D04B810A6BD333D1D40B6DAAD947AFB9156C003BC86C700A59F0F25753416D754DA06C808814920F92582CB6058
Malicious:	false
Preview:	_distutils_hack/__init__.py,sha256=TSekhUW1fdE3rjU3b88ybSBkJxCEpIeWBob4cEuU3ko,6128.._distutils_hack/__pycache__/__init__.cpython-311.pyc,,.._distutils_hack/__pycache__/override.cpython-311.pyc,,.._distutils_hack/override.py,sha256=Eu_s-NF6VIZ4Cqd0tbbA5wtWky2IZPNd8et6GLt1mzo,44..distutils-precedence.pth,sha256=JjjOniUA5XKl4N5_rtZmHrVp0baW_LoHsN0iPaX10iQ,151..pkg_resources/__init__.py,sha256=fT5Y3P1tcSX8sJomClUU10WHeFmvqyNZM4UZHzdpAvg,108568..pkg_resources/__pycache__/__init__.cpython-311.pyc,,..pkg_resources/_vendor/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..pkg_resources/_vendor/__pycache__/__init__.cpython-311.pyc,,..pkg_resources/_vendor/__pycache__/appdirs.cpython-311.pyc,,..pkg_resources/_vendor/__pycache__/zipp.cpython-311.pyc,,..pkg_resources/_vendor/appdirs.py,sha256=MievUEuv3l_mQISH5SF0shDk_BNhHHzYiAPrT3ITN4I,24701..pkg_resources/_vendor/importlib_resources/__init__.py,sha256=evPm12kLgYqTm-pbzm60bOuumumT8IpBNWFp0uMyrzE,506..pkg_resources/_vendor/importli

C:\Users\user\AppData\Local\Temp\_MEI78482\setuptools-65.5.0.dist-info\WHEEL

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	92
Entropy (8bit):	4.820827594031884
Encrypted:	false
SSDEEP:	3:RtEeX7MWcSlViZHKRRP+tPCCfA5S:RtBMwlViojWBBf
MD5:	4D57030133E279CEB6A8236264823DFD
SHA1:	0FDC3988857C560E55D6C36DCC56EE21A51C196D
SHA-256:	1B5E87E00DC87A84269CEAD8578B9E6462928E18A95F1F3373C9EEF451A5BCC0
SHA-512:	CD98F2A416AC1B13BA82AF073D0819C0EA7C095079143CAB83037D48E9A5450D410DC5CF6B6CFF3F719544EDF1C5F0C7E32E87B746F1C04FE56FAFD614B39826
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: bdist_wheel (0.37.1).Root-Is-Purelib: true.Tag: py3-none-any..

C:\Users\user\AppData\Local\Temp\_MEI78482\setuptools-65.5.0.dist-info\entry_points.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	2740
Entropy (8bit):	4.540737240939103
Encrypted:	false
SSDEEP:	48:lELcZDy3g6ySDsm90rZh2Phv4hhpTqTog:yLAP8arZoP94hTTqcg
MD5:	D3262B65DB35BFFAAC248075345A266C
SHA1:	93AD6FE5A696252B9DEF334D182432CDA2237D1D
SHA-256:	DEC880BB89189B5C9B1491C9EE8A2AA57E53016EF41A2B69F5D71D1C2FBB0453
SHA-512:	1726750B22A645F5537C20ADDF23E3D3BAD851CD4BDBA0F9666F9F6B0DC848F9919D7AF8AD8847BD4F18D0F8585DDE51AFBAE6A4CAD75008C3210D17241E0291
Malicious:	false
Preview:	[distutils.commands].alias = setuptools.command.alias:alias.bdist_egg = setuptools.command.bdist_egg:bdist_egg.bdist_rpm = setuptools.command.bdist_rpm:bdist_rpm.build = setuptools.command.build:build.build_clib = setuptools.command.build_clib:build_clib.build_ext = setuptools.command.build_ext:build_ext.build_py = setuptools.command.build_py:build_py.develop = setuptools.command.develop:develop.dist_info = setuptools.command.dist_info:dist_info.easy_install = setuptools.command.easy_install:easy_install.editable_wheel = setuptools.command.editable_wheel:editable_wheel.egg_info = setuptools.command.egg_info:egg_info.install = setuptools.command.install:install.install_egg_info = setuptools.command.install_egg_info:install_egg_info.install_lib = setuptools.command.install_lib:install_lib.install_scripts = setuptools.command.install_scripts:install_scripts.rotate = setuptools.command.rotate:rotate.saveopts = setuptools.command.saveopts:saveopts.sdist = setuptools.command.sdist:sdist.seto

C:\Users\user\AppData\Local\Temp\_MEI78482\setuptools-65.5.0.dist-info\top_level.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	41
Entropy (8bit):	3.9115956018096876
Encrypted:	false
SSDEEP:	3:3Wd+Nt8AfQYv:3Wd+Nttv
MD5:	789A691C859DEA4BB010D18728BAD148
SHA1:	AEF2CBCCC6A9A8F43E4E150E7FCF1D7B03F0E249
SHA-256:	77DC8BDFDBFF5BBAA62830D21FAB13E1B1348FF2ECD4CDCFD7AD4E1A076C9B88
SHA-512:	BC2F7CAAD486EB056CB9F68E6C040D448788C3210FF028397CD9AF1277D0051746CAE58EB172F9E73EA731A65B2076C6091C10BCB54D911A7B09767AA6279EF6
Malicious:	false
Preview:	_distutils_hack.pkg_resources.setuptools.

C:\Users\user\AppData\Local\Temp\_MEI78482\sqlite3.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1504024
Entropy (8bit):	6.578984314535122
Encrypted:	false
SSDEEP:	24576:M5WQyUuqjJVKMXijWRwtHHofIyEcL/2m75i5zxHWc9C08lYfore60b:Mb0yVKMyjWR6nofQm7U59HWKYYD
MD5:	256224CC25D085663D4954BE6CC8C5B5
SHA1:	9931CC156642E2259DFABF0154FDDF50D86E9334
SHA-256:	5AC6EE18CDCA84C078B66055F5E9FFC6F8502E22EAF0FA54AEEC92B75A3C463E
SHA-512:	A28ABF03199F0CE9F044329F7EBA2F1D8ECBC43674337AAFBF173F567158BA9046036DA91DC3E12C2BB1D7842953526EDBA14BC03F81ECE63DCEDCC9413213A7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W..W..W..^.P.[....U....Z...._.....S.....T..W........V.....V....<.V......V..RichW..........................PE..d......e.........." ...#..................................................................`.........................................Px...".............................../...........*..T............................(..@...............8............................text............................... ..`.rdata..............................@..@.data...PG.......>..................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\ucrtbase.dll

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1016584
Entropy (8bit):	6.669319438805479
Encrypted:	false
SSDEEP:	24576:VkmZDEMHhp9v1Ikbn3ND0TNVOsIut8P4zmxvSZX0yplkA:mmZFHhp9v1Io3h0TN3pvkA
MD5:	0E0BAC3D1DCC1833EAE4E3E4CF83C4EF
SHA1:	4189F4459C54E69C6D3155A82524BDA7549A75A6
SHA-256:	8A91052EF261B5FBF3223AE9CE789AF73DFE1E9B0BA5BDBC4D564870A24F2BAE
SHA-512:	A45946E3971816F66DD7EA3788AACC384A9E95011500B458212DC104741315B85659E0D56A41570731D338BDF182141C093D3CED222C007038583CEB808E26FD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W..l9F.l9F.l9F...F.l9F.l8F.l9F...F.l9F..9G.l9F..:G.l9F..<G.l9F..7G.n9F..=G.l9F...F.l9F..;G.l9FRich.l9F........PE..d.....}X.........." .........`............................................................`A................................................p......................F...=......p...PX..T............................'...............O...............................text............................... ..`.rdata..<u.......v..................@..@.data....$...........r..............@....pdata.............................@..@.rsrc................4..............@..@.reloc..p............:..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\unicodedata.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1141016
Entropy (8bit):	5.435201566416684
Encrypted:	false
SSDEEP:	12288:C3kYbfjwR6nbVonRiPDjRrO5184EPYPx++ZiLKGZ5KXyVH4eD1Ji:CUYbM40IDJcjEwPgPOG6Xyd461Ji
MD5:	57F8F40CF955561A5044DDFFA4F2E144
SHA1:	19218025BCAE076529E49DDE8C74F12E1B779279
SHA-256:	1A965C1904DA88989468852FDC749B520CCE46617B9190163C8DF19345B59560
SHA-512:	DB2A7A32E0B5BF0684A8C4D57A1D7DF411D8EB1BC3828F44C95235DD3AF40E50A198427350161DFF2E79C07A82EF98E1536E0E013030A15BDF1116154F1D8338
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4m..4m..4m..=...2m......6m......9m......<m......7m......7m......6m..4m..em......5m......5m....j.5m......5m..Rich4m..................PE..d......e.........." ...#.@..........P*...............................................~....`.............................................X............`.......P..0....:.../...p.......]..T............................[..@............P..x............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data...H....0......................@....pdata..0....P.......&..............@..@.rsrc........`......................@..@.reloc.......p.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\win32\_win32sysloader.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.113812591033072
Encrypted:	false
SSDEEP:	192:rCm72PEO1jIUs0YqEcPbF55UgCWV4rofnDPdRD0hvHvcqvn7ycIt/G/:rardA0Bzx14r6nDrOhv+O/
MD5:	B58CA169FDCFFAB726391D3906DD9A4E
SHA1:	C4BB8DA84A5D9C31D0ACB7A4127F55E696F414DF
SHA-256:	1A8DCDBD730166889C03FAF285DC1DD9F16090DFE81043D80A9D6308300EBAC9
SHA-512:	AA23DEBF80D89A40677D1BF1C7C6C3445A79E76419865B86D0D6A605656478067EBEA2752348FCF77D583D2E5DCD284DA7F55F751D6441E647565DA77F982966
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Dg..%..%..%..]..%...P..%...]..%...P..%...P..%...P..%.....%..%..%..LP..%..LP..%..LP..%..Rich.%..................PE..d......g.........." ......................................................................`..........................................;..`...p;..d....p..t....`..................@...\|2..T............................2..8............0..p............................text............................... ..`.rdata..4....0......................@..@.data........P......................@....pdata.......`.......0..............@..@.rsrc...t....p.......4..............@..@.reloc..@............8..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\win32\win32api.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	133120
Entropy (8bit):	5.849201651779307
Encrypted:	false
SSDEEP:	3072:znvpE3JJ/Q7DspOCQUUU40Oc3lRVFhLaNzvBii7qQvmwCoY9LQPe:T4xG4pOCQUUU4rWlRVgv5qQSoY9
MD5:	D02300D803850C3B0681E16130FECEE4
SHA1:	6411815E2A908432A640719ECFE003B43BBBA35C
SHA-256:	B938C8CD68B15EC62F053045A764D8DD38162A75373B305B4CF1392AC05DF5F9
SHA-512:	6FAD1836614869AB3BB624BDA9943CEAF9E197B17CA4F4FFE78699492B72F95EEE02AE1BB07C0508438956BEF10CC1E656DDF75D0EDC9EF71A3860AF39075564
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<..Vx...x...x...q...p.....\|.....p.....\|......z.......z.....o...3..s...x...-......z......y......y...Richx...........PE..d......g.........." .........................................................P............`.........................................P...............0..\....................@..X....v..T............................;..8............0.........@....................text............................... ..`.rdata..b....0......................@..@.data...X(......."..................@....pdata..............................@..@.rsrc...\....0......................@..@.reloc..X....@......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\win32\win32trace.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.281874510289411
Encrypted:	false
SSDEEP:	384:9eeH8ZmV+zknwMswDuVQO0T8DmMel2/QEVR7AWCq5yn9ukF1B3:N+zi/uVQ1Q/QEVR1NUpB
MD5:	965E9833F4CD7A45C2C1EE85EFC2DA3B
SHA1:	3C6888194AD30E17DC5EEA7418133A541BCDDF07
SHA-256:	5ECD0274DC220312824BB3086B3E129E38A9DCB06913A2F6173A94DC256BF4C5
SHA-512:	F8C4E0C82A8229B3BDB897B536EE73B5D2A9A2810B73DCC77C880961A9A16E43746234A108A9A15BF18638FCFB3086E0F5EEFD85D5BF6F799718DC6F199C4A26
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(U.wF..wF..wF......wF...G..wF...C..wF...B..wF...E..wF.D.G..wF...G..wF...G..wF..wG..wF.D.O..wF.D.F..wF.D.D..wF.Rich.wF.................PE..d......g.........." .....,...,.......(....................................................`......................................... Q..T...tQ..........d....p.......................G..T...........................0H..8............@...............................text....*.......,.................. ..`.rdata.......@.......0..............@..@.data...(....`.......L..............@....pdata.......p.......R..............@..@.rsrc...d............V..............@..@.reloc...............Z..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\win32com\shell\shell.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	535040
Entropy (8bit):	6.1723495244729625
Encrypted:	false
SSDEEP:	12288:SBetHVSFgAXb3MWUF6w7FK3oHPl8eqTOU:SQkgAL3Md983C8eq
MD5:	43AA404015B0CEE369E941DC30B3F4B0
SHA1:	A34CBA0D08A17934D84B16FCFF5282367EAA08AA
SHA-256:	3FB83E9A14901321324F17D11DA50802B6777733E1EE0FD4F89DB0FD09C61690
SHA-512:	A8548F39F371B2389EEA45DA4248FFC015F5B243E957BD12B88661DB91D4D745A1CD1E772BDD6C739A87E69A88947FB58248BB394E1C5D21C0A9324EFC87724B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........#t.wM'.wM'.wM'...'.wM'..L&.wM'..H&.wM'..I&.wM'..N&.wM'..I&.wM'..L&.wM'!.L&.wM'..K&.wM'..L&.wM'.wL'.wM'!.D&.wM'!.M&.wM'!.O&.wM'Rich.wM'........PE..d...}..g.........." .....2................................................................`.............................................L...<...........L....0..${..............h!......T...............................8............P..(............................text....0.......2.................. ..`.rdata.......P.......6..............@..@.data........P...`...(..............@....pdata..${...0...\|..................@..@.rsrc...L...........................@..@.reloc..h!......."..................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI78482\yarl\_quoting_c.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	modified
Size (bytes):	97280
Entropy (8bit):	5.965911733978745
Encrypted:	false
SSDEEP:	1536:xtuirzB429BT5WTY4yBRmWHdRfIIGrzf9NzeXzf2RUd:xtugP5y7uf9N81NzeDuRU
MD5:	1C6C610E5E2547981A2F14F240ACCF20
SHA1:	4A2438293D2F86761EF84CFDF99A6CA86604D0B8
SHA-256:	4A982FF53E006B462DDF7090749BC06EBB6E97578BE04169489D27E93F1D1804
SHA-512:	F6EA205A49BF586D7F3537D56B805D34584A4C2C7D75A81C53CE457A4A438590F6DBEDED324362BFE18B86FF5696673DE5FBE4C9759AD121B5E4C9AE2EF267C0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:m.]~...~...~...wt..z...n...\|...5t..\|...n...}...n...v...n...r.......}...~.......5.......5.......5.g.....5.......Rich~...........................PE..d....."g.........." ...)............P.....................................................`..........................................Y..d....Z..x...............................,....G...............................F..@............ ...............................text............................... ..`.rdata...N... ...P..................@..@.data...P7...p.......`..............@....pdata...............l..............@..@.rsrc................x..............@..@.reloc..,............z..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\gen_py\3.11\init.py

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	176
Entropy (8bit):	4.713840781302666
Encrypted:	false
SSDEEP:	3:S3yE25MOWrYXtHVE/DRFrgm5/gvJgXDLAUDA+ERo6+aEYqVS1f6gq1WGgVSBn:S3mSOWWHVUDjrgmxgRgzLXDA6Va8VeuR
MD5:	8C7CA775CF482C6027B4A2D3DB0F6A31
SHA1:	E3596A87DD6E81BA7CF43B0E8E80DA5BC823EA1A
SHA-256:	52C72CF96B12AE74D84F6C049775DA045FAE47C007DC834CA4DAC607B6F518EA
SHA-512:	19C7D229723249885B125121B3CC86E8C571360C1FB7F2AF92B251E6354A297B4C2B9A28E708F2394CA58C35B20987F8B65D9BD6543370F063BBD59DB4A186AC
Malicious:	false
Preview:	# Generated file - this directory may be deleted to reset the COM cache.....import win32com..if __path__[:-1] != win32com.__gen_path__: __path__.append(win32com.__gen_path__)..

C:\Users\user\AppData\Local\Temp\gen_py\3.11\dicts.dat

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	data
Category:	dropped
Size (bytes):	10
Entropy (8bit):	2.7219280948873625
Encrypted:	false
SSDEEP:	3:qW6:qW6
MD5:	2C7344F3031A5107275CE84AED227411
SHA1:	68ACAD72A154CBE8B2D597655FF84FD31D57C43B
SHA-256:	83CDA9FECC9C008B22C0C8E58CBCBFA577A3EF8EE9B2F983ED4A8659596D5C11
SHA-512:	F58362C70A2017875D231831AE5868DF22D0017B00098A28AACB5753432E8C4267AA7CBF6C5680FEB2DC9B7ABADE5654C3651685167CC26AA208A9EB71528BB6
Malicious:	false
Preview:	..K....}..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe

Download File

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	modified
Size (bytes):	26241148
Entropy (8bit):	7.997562044271756
Encrypted:	true
SSDEEP:	786432:i9YiJVl8ZMj3hr8AW+e5RP96R+c+U4VdF5Kd:i98a3hr8AW+eHPgR6U4VdXKd
MD5:	A0044986EEC99F4B05358F1457BE6EE8
SHA1:	BED5076D966B94C942487FD04E7074E861235BA2
SHA-256:	24C7C6CC3124B20C717AC485E263193E351F0AB2E672B353B38688BA218BDA9A
SHA-512:	3DDB80BB5957CF514180692550FC5E3A916CB75D0CB99433924399F8185C0466EAF5DEB6C77CB92DAEE3E9EEC251A4479DFDF7968BD55BB47645A24D596860C3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n=..\.Z\.Z\.Za$.[-\.Za$.[.\.Za$.[ \.Z:..Z)\.Z:..[#\.Z:..[;\.Z:..[.\.Za$.[!\.Z\.Z.\.Zb..[3\.Zb..[+\.ZRich\.Z........PE..d.....1g.........."....).....\.................@....................................34....`.................................................\...x....p.......@..P"...........p..d...................................@...@............................................text............................... ..`.rdata..P.......,..................@..@.data....S..........................@....pdata..P"...@...$..................@..@.rsrc........p......................@..@.reloc..d....p......................@..B........................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.997562044271756
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Payload.exe
File size:	26'241'148 bytes
MD5:	a0044986eec99f4b05358f1457be6ee8
SHA1:	bed5076d966b94c942487fd04e7074e861235ba2
SHA256:	24c7c6cc3124b20c717ac485e263193e351f0ab2e672b353b38688ba218bda9a
SHA512:	3ddb80bb5957cf514180692550fc5e3a916cb75d0cb99433924399f8185c0466eaf5deb6c77cb92daee3e9eec251a4479dfdf7968bd55bb47645a24d596860c3
SSDEEP:	786432:i9YiJVl8ZMj3hr8AW+e5RP96R+c+U4VdF5Kd:i98a3hr8AW+eHPgR6U4VdXKd
TLSH:	9047339952E90CD2ECF5413AC22AC109BB32FE656BD0D54F9BF988471FA72D01D39E81
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n=..\.Z\.Z\.Za$.[-\.Za$.[.\.Za$.[ \.Z:..Z)\.Z:..[#\.Z:..[;\.Z:..[.\.Za$.[!\.Z\.Z.\.Zb..[3\.Zb..[+\.ZRich*\.Z........PE..d..

File Icon


Icon Hash:	4a464cd47461e179

Static PE Info

General

Entrypoint:	0x14000cdb0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6731F8C8 [Mon Nov 11 12:30:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	72c4e339b7af8ab1ed2eb3821c98713a

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F370471A62Ch
dec eax
add esp, 28h
jmp 00007F370471A24Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F370471A9F8h
test eax, eax
je 00007F370471A3F3h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F370471A3D7h
dec eax
cmp ecx, eax
je 00007F370471A3E6h
xor eax, eax
dec eax
cmpxchg dword ptr [0003577Ch], ecx
jne 00007F370471A3C0h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F370471A3C9h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007F370471A3D9h
mov byte ptr [00035765h], 00000001h
call 00007F3704719B25h
call 00007F370471AE10h
test al, al
jne 00007F370471A3D6h
xor al, al
jmp 00007F370471A3E6h
call 00007F370472792Fh
test al, al
jne 00007F370471A3DBh
xor ecx, ecx
call 00007F370471AE20h
jmp 00007F370471A3BCh
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [0003572Ch], 00000000h
mov ebx, ecx
jne 00007F370471A439h
cmp ecx, 01h
jnbe 00007F370471A43Ch
call 00007F370471A96Eh
test eax, eax
je 00007F370471A3FAh
test ebx, ebx
jne 00007F370471A3F6h
dec eax
lea ecx, dword ptr [00035716h]
call 00007F3704727722h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3ca5c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0xf41c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x44000	0x2250	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x57000	0x764	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a080	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39f40	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x4a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29f00	0x2a000	2a7ae207b6295492e9da088072661752	False	0.5514439174107143	data	6.487454925709845	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12a50	0x12c00	e341dab10b74e3767c73397449a4fdad	False	0.5244661458333333	data	5.752660729211676	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x53f8	0xe00	dba0caeecab624a0ccc0d577241601d1	False	0.134765625	data	1.8392217063172436	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x44000	0x2250	0x2400	f5559f14427a02f0a5dbd0dd026cae54	False	0.470703125	data	5.291665041994019	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x47000	0xf41c	0xf600	455788c285fcfdcb4008bc77e762818a	False	0.803099593495935	data	7.5549760623589695	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x57000	0x764	0x800	816c68eeb419ee2c08656c31c06a0fff	False	0.5576171875	data	5.2809528666624175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x47208	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.585820895522388
RT_ICON	0x480b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.7360108303249098
RT_ICON	0x48958	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.755057803468208
RT_ICON	0x48ec0	0x952c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9975384937676757
RT_ICON	0x523ec	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.3887966804979253
RT_ICON	0x54994	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.49530956848030017
RT_ICON	0x55a3c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.7207446808510638
RT_GROUP_ICON	0x55ea4	0x68	data	0.7019230769230769
RT_MANIFEST	0x55f0c	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-13T15:46:04.571981+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.7	49737	TCP
2024-11-13T15:46:45.956971+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.7	51529	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 13, 2024 15:46:00.434834003 CET	49731	443	192.168.2.7	104.26.12.205
Nov 13, 2024 15:46:00.434864998 CET	443	49731	104.26.12.205	192.168.2.7
Nov 13, 2024 15:46:00.434942961 CET	49731	443	192.168.2.7	104.26.12.205
Nov 13, 2024 15:46:00.436090946 CET	49731	443	192.168.2.7	104.26.12.205
Nov 13, 2024 15:46:00.436104059 CET	443	49731	104.26.12.205	192.168.2.7
Nov 13, 2024 15:46:01.040659904 CET	443	49731	104.26.12.205	192.168.2.7
Nov 13, 2024 15:46:01.041449070 CET	49731	443	192.168.2.7	104.26.12.205
Nov 13, 2024 15:46:01.041475058 CET	443	49731	104.26.12.205	192.168.2.7
Nov 13, 2024 15:46:01.042618990 CET	443	49731	104.26.12.205	192.168.2.7
Nov 13, 2024 15:46:01.042685986 CET	49731	443	192.168.2.7	104.26.12.205
Nov 13, 2024 15:46:01.045643091 CET	49731	443	192.168.2.7	104.26.12.205
Nov 13, 2024 15:46:01.045783043 CET	49731	443	192.168.2.7	104.26.12.205
Nov 13, 2024 15:46:23.347151041 CET	51424	443	192.168.2.7	104.26.12.205
Nov 13, 2024 15:46:23.347192049 CET	443	51424	104.26.12.205	192.168.2.7
Nov 13, 2024 15:46:23.347259998 CET	51424	443	192.168.2.7	104.26.12.205
Nov 13, 2024 15:46:23.348004103 CET	51424	443	192.168.2.7	104.26.12.205
Nov 13, 2024 15:46:23.348020077 CET	443	51424	104.26.12.205	192.168.2.7
Nov 13, 2024 15:46:23.970057011 CET	443	51424	104.26.12.205	192.168.2.7
Nov 13, 2024 15:46:23.970695972 CET	51424	443	192.168.2.7	104.26.12.205
Nov 13, 2024 15:46:23.970712900 CET	443	51424	104.26.12.205	192.168.2.7
Nov 13, 2024 15:46:23.972170115 CET	443	51424	104.26.12.205	192.168.2.7
Nov 13, 2024 15:46:23.972242117 CET	51424	443	192.168.2.7	104.26.12.205
Nov 13, 2024 15:46:23.973948956 CET	51424	443	192.168.2.7	104.26.12.205
Nov 13, 2024 15:46:23.974128008 CET	443	51424	104.26.12.205	192.168.2.7
Nov 13, 2024 15:46:23.974178076 CET	51424	443	192.168.2.7	104.26.12.205
Nov 13, 2024 15:46:23.974178076 CET	51424	443	192.168.2.7	104.26.12.205

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 13, 2024 15:46:00.418028116 CET	54140	53	192.168.2.7	1.1.1.1
Nov 13, 2024 15:46:00.431246996 CET	53	54140	1.1.1.1	192.168.2.7
Nov 13, 2024 15:46:07.363508940 CET	53	56647	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 13, 2024 15:46:00.418028116 CET	192.168.2.7	1.1.1.1	0x9427	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 13, 2024 15:46:00.431246996 CET	1.1.1.1	192.168.2.7	0x9427	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 13, 2024 15:46:00.431246996 CET	1.1.1.1	192.168.2.7	0x9427	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 13, 2024 15:46:00.431246996 CET	1.1.1.1	192.168.2.7	0x9427	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false

Target ID:	4
Start time:	09:45:44
Start date:	13/11/2024
Path:	C:\Users\user\Desktop\Payload.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Payload.exe"
Imagebase:	0x7ff698810000
File size:	26'241'148 bytes
MD5 hash:	A0044986EEC99F4B05358F1457BE6EE8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	09:45:49
Start date:	13/11/2024
Path:	C:\Users\user\Desktop\Payload.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Payload.exe"
Imagebase:	0x7ff698810000
File size:	26'241'148 bytes
MD5 hash:	A0044986EEC99F4B05358F1457BE6EE8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XLABBGrabber, Description: Yara detected XLABB Grabber, Source: 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BLXStealer, Description: Yara detected BLX Stealer, Source: 00000008.00000002.2545897152.0000020816500000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	09:45:51
Start date:	13/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "ver"
Imagebase:	0x7ff648580000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:45:51
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:45:58
Start date:	13/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "ver"
Imagebase:	0x7ff648580000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 7556, Parent PID: 7548

General

Target ID:	12
Start time:	09:45:58
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:45:58
Start date:	13/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Imagebase:	0x7ff648580000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:45:58
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	09:45:58
Start date:	13/11/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Imagebase:	0x7ff76f320000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	11:23:01
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe"
Imagebase:	0x7ff74db40000
File size:	26'241'148 bytes
MD5 hash:	A0044986EEC99F4B05358F1457BE6EE8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	11:23:05
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe"
Imagebase:	0x7ff74db40000
File size:	26'241'148 bytes
MD5 hash:	A0044986EEC99F4B05358F1457BE6EE8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XLABBGrabber, Description: Yara detected XLABB Grabber, Source: 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BLXStealer, Description: Yara detected BLX Stealer, Source: 00000012.00000002.2545756922.000002298AB40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	11:23:09
Start date:	13/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "ver"
Imagebase:	0x7ff648580000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	11:23:09
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	11:23:13
Start date:	13/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "ver"
Imagebase:	0x7ff648580000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	11:23:13
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	11:23:13
Start date:	13/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Imagebase:	0x7ff648580000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	11:23:13
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	11:23:13
Start date:	13/11/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Imagebase:	0x7ff76f320000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	38

Executed Functions

Function 00007FF6988189E0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257
synchronizationwindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF698819390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6988145F4,00000000,00007FF698811985), ref: 00007FF6988193C9

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF698813F7F), ref: 00007FF698818A3B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF698813F7F), ref: 00007FF698818A56

Part of subcall function 00007FF69882A47C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69882A490

Part of subcall function 00007FF69882871C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF698828783

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF698813F7F), ref: 00007FF698818AE6
CreateProcessW.KERNELBASE ref: 00007FF698818B1E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF698813F7F), ref: 00007FF698818B28

Part of subcall function 00007FF698812C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF698813706,?,00007FF698813804), ref: 00007FF698812C9E
Part of subcall function 00007FF698812C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF698813706,?,00007FF698813804), ref: 00007FF698812D63
Part of subcall function 00007FF698812C50: MessageBoxW.USER32 ref: 00007FF698812D99

RegisterClassW.USER32 ref: 00007FF698818B80
GetLastError.KERNEL32(?,FFFFFFFF,00007FF698813F7F), ref: 00007FF698818B8B
CreateWindowExW.USER32 ref: 00007FF698818BD5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF698813F7F), ref: 00007FF698818BE7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF698813F7F), ref: 00007FF698818C02
GetLastError.KERNEL32(?,FFFFFFFF,00007FF698813F7F), ref: 00007FF698818C15
PeekMessageW.USER32 ref: 00007FF698818C39
TranslateMessage.USER32 ref: 00007FF698818C47
DispatchMessageW.USER32(?,FFFFFFFF,00007FF698813F7F), ref: 00007FF698818C51
PeekMessageW.USER32 ref: 00007FF698818C6C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF698813F7F), ref: 00007FF698818C7E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF698813F7F), ref: 00007FF698818C99
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF698813F7F), ref: 00007FF698818CAF
GetLastError.KERNEL32(?,FFFFFFFF,00007FF698813F7F), ref: 00007FF698818CB9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF698813F7F), ref: 00007FF698818CC7
DestroyWindow.USER32(?,FFFFFFFF,00007FF698813F7F), ref: 00007FF698818E04
GetExitCodeProcess.KERNEL32 ref: 00007FF698818E19
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF698813F7F), ref: 00007FF698818E22
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF698813F7F), ref: 00007FF698818E2F

Strings

PyInstallerOnefileHiddenWindow, xrefs: 00007FF698818B54
CreateProcessW, xrefs: 00007FF698818B37
PyInstaller Onefile Hidden Window, xrefs: 00007FF698818B95
Failed to create child process!, xrefs: 00007FF698818B30

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction ID: 8768f89f08fae99524edde8d3e00becc4ea976104bdecac77fd5ed165f140101
Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction Fuzzy Hash: 67D19572A08B8286EB209F34E9552AD3764FF84B58F800276EE5DC3AA5DF3CD545C718

Function 00007FF698811000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 511
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to load splash screen resources!, xrefs: 00007FF698813E85
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF698813D35
pyi-python-flag, xrefs: 00007FF698813AD6
_PYI_SPLASH_IPC, xrefs: 00007FF698813A23, 00007FF698813EF5
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF698813B32
Py_GIL_DISABLED, xrefs: 00007FF698813AF4
pyi-runtime-tmpdir, xrefs: 00007FF698813B68
VCRUNTIME140.dll, xrefs: 00007FF698813DB1
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF698813882, 00007FF6988138AF
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF698813A17, 00007FF698813A2F, 00007FF698813A9B
_PYI_ARCHIVE_FILE, xrefs: 00007FF6988138D2, 00007FF6988139FF
Could not create temporary directory!, xrefs: 00007FF698813CBF
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF698813971
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF698813C61
Failed to start splash screen!, xrefs: 00007FF698813ED4
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF698813E0A
Failed to convert DLL search path!, xrefs: 00007FF698813DDC
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF698813EA6
pyi-contents-directory, xrefs: 00007FF698813B8D
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF698813EBB
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF698813D12
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF6988139DE
pkg, xrefs: 00007FF6988139BE
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF698813BE8
MEI, xrefs: 00007FF698813933
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF698813A0B, 00007FF698813CD4, 00007FF698813F6B
Failed to remove temporary directory: %s, xrefs: 00007FF698813FCF
pyi-disable-windowed-traceback, xrefs: 00007FF698813BB2

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag$pyi-runtime-tmpdir
API String ID: 2776309574-4232158417
Opcode ID: 9de477ae995940a39e23314e20718922418974b9c8241bfba060ee61ec72f349
Instruction ID: 4280c17f795015f707d91ba18a97d1c1327b72ca14284467ec2506408cd42c5a
Opcode Fuzzy Hash: 9de477ae995940a39e23314e20718922418974b9c8241bfba060ee61ec72f349
Instruction Fuzzy Hash: 5F329C61A0C68291FA39DB30D7553B96761EF44780FC440BADA6DC36C6EF2CE959C328

Function 00007FF698835C00 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF698835C45

Part of subcall function 00007FF698835598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6988355AC

Part of subcall function 00007FF69882A948: RtlFreeHeap.NTDLL(?,?,?,00007FF698832D22,?,?,?,00007FF698832D5F,?,?,00000000,00007FF698833225,?,?,?,00007FF698833157), ref: 00007FF69882A95E
Part of subcall function 00007FF69882A948: GetLastError.KERNEL32(?,?,?,00007FF698832D22,?,?,?,00007FF698832D5F,?,?,00000000,00007FF698833225,?,?,?,00007FF698833157), ref: 00007FF69882A968

Part of subcall function 00007FF69882A900: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF69882A8DF,?,?,?,?,?,00007FF69882A7CA), ref: 00007FF69882A909
Part of subcall function 00007FF69882A900: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF69882A8DF,?,?,?,?,?,00007FF69882A7CA), ref: 00007FF69882A92E

_get_daylight.LIBCMT ref: 00007FF698835C34

Part of subcall function 00007FF6988355F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69883560C

_get_daylight.LIBCMT ref: 00007FF698835EAA
_get_daylight.LIBCMT ref: 00007FF698835EBB
_get_daylight.LIBCMT ref: 00007FF698835ECC
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF69883610C), ref: 00007FF698835EF3

Strings

Eastern Summer Time, xrefs: 00007FF698835FB1
Eastern Standard Time, xrefs: 00007FF698835F99

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
Instruction ID: 6cf8cf743b263785518ddd497305f8e986d9ac35362b828cd396cbad772e12cd
Opcode Fuzzy Hash: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
Instruction Fuzzy Hash: 71D1E322B0864246E730EF36D6415B96761FF84B94FC481B7EA0DC7A96DF3CE8418768

Function 00007FF698836964 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF698836698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6988366D9
Part of subcall function 00007FF698836698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF698836757
Part of subcall function 00007FF698836698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6988367A8

CreateFileW.KERNELBASE ref: 00007FF698836A6A
CreateFileW.KERNEL32 ref: 00007FF698836ABA
GetLastError.KERNEL32 ref: 00007FF698836AEA
GetFileType.KERNELBASE ref: 00007FF698836AFF
GetLastError.KERNEL32 ref: 00007FF698836B09
CloseHandle.KERNEL32 ref: 00007FF698836B3C
CloseHandle.KERNEL32 ref: 00007FF698836C9F
CreateFileW.KERNEL32 ref: 00007FF698836CD4
GetLastError.KERNEL32 ref: 00007FF698836CE3

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction ID: 26226ba1d2418ae19d7d367596cfedbb1815d030458240a6a16bec5b423370d6
Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction Fuzzy Hash: C9C1D476B28A4185EB24CF79C6902AC3761FB49BA8B811276DE1E977D4CF3CD452C314

Function 00007FF698835E7C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF698835EAA

Part of subcall function 00007FF6988355F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69883560C

_get_daylight.LIBCMT ref: 00007FF698835EBB

Part of subcall function 00007FF698835598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6988355AC

_get_daylight.LIBCMT ref: 00007FF698835ECC

Part of subcall function 00007FF6988355C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6988355DC

Part of subcall function 00007FF69882A948: RtlFreeHeap.NTDLL(?,?,?,00007FF698832D22,?,?,?,00007FF698832D5F,?,?,00000000,00007FF698833225,?,?,?,00007FF698833157), ref: 00007FF69882A95E
Part of subcall function 00007FF69882A948: GetLastError.KERNEL32(?,?,?,00007FF698832D22,?,?,?,00007FF698832D5F,?,?,00000000,00007FF698833225,?,?,?,00007FF698833157), ref: 00007FF69882A968

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF69883610C), ref: 00007FF698835EF3

Strings

Eastern Summer Time, xrefs: 00007FF698835FB1
Eastern Standard Time, xrefs: 00007FF698835F99

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: 6f2171165b001c2744b9d494c76d2a7753c36df5ed5d67f3075860c83c0dbe14
Instruction ID: ef0071557b77233d84558f00d21d4f6deffb955e669e193092d6c6572881ccb3
Opcode Fuzzy Hash: 6f2171165b001c2744b9d494c76d2a7753c36df5ed5d67f3075860c83c0dbe14
Instruction Fuzzy Hash: 02517332A1864286E730DF35D6815A96761FF48784FC041BAEA4EC7A96DF3CE8018768

Function 00007FF698819280 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF6988192B3
FindClose.KERNELBASE ref: 00007FF6988192C2

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction ID: ddff5973ea6b33d66c89ba01e36ccf27e0ca8687f9b7e67b3c77150880298f04
Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction Fuzzy Hash: BEF0C822A1874186F7B08B74F9887AA7350FB84324F840735D97D82AD4DF7CD048CA08

Function 00007FF698811950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF698817F90: _fread_nolock.LIBCMT ref: 00007FF69881803A

_fread_nolock.LIBCMT ref: 00007FF698811A1B

Part of subcall function 00007FF698812910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF698811B6A), ref: 00007FF69881295E

Strings

Failed to read cookie!, xrefs: 00007FF698811A2B
Could not allocate memory for archive structure!, xrefs: 00007FF698811A61
fseek, xrefs: 00007FF6988119F5
MEI, xrefs: 00007FF698811991
calloc, xrefs: 00007FF698811A68
malloc, xrefs: 00007FF698811B22
Error on file., xrefs: 00007FF698811B8D
Could not allocate buffer for TOC!, xrefs: 00007FF698811B1B
fread, xrefs: 00007FF698811A32, 00007FF698811B5C
Failed to seek to cookie position!, xrefs: 00007FF6988119EE
Could not read full TOC!, xrefs: 00007FF698811B55

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: ed5d37bd12c92faad5b6bf746ee66ab535d4fcd70a2e81ebf99a2f5a44e873f3
Instruction ID: f9a33e1feb2fd033e9059db8300639be821e28563b988a972ab9653916c6be6c
Opcode Fuzzy Hash: ed5d37bd12c92faad5b6bf746ee66ab535d4fcd70a2e81ebf99a2f5a44e873f3
Instruction Fuzzy Hash: A881C675B0DA8686EB30DB34D2406F92390EF84784FC05472E99DC778ADE3CE5858768

Function 00007FF698811600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to open target file!, xrefs: 00007FF69881165C
Failed to create symbolic link %s!, xrefs: 00007FF698811622
fopen, xrefs: 00007FF698811663
fseek, xrefs: 00007FF6988116E1
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6988117DF
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF698811742
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6988116A2
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF6988117CA
fwrite, xrefs: 00007FF6988117D1
malloc, xrefs: 00007FF698811749
fread, xrefs: 00007FF6988117E6
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6988116DA

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: 20e17bd6c553c2d1bb16f42c1bd2daa45422ba949397fd2f79efb246dcdc4b64
Instruction ID: d199845e806504708b63871bbbf85d75b4eff53ad1af988ac401459a56bb5713
Opcode Fuzzy Hash: 20e17bd6c553c2d1bb16f42c1bd2daa45422ba949397fd2f79efb246dcdc4b64
Instruction Fuzzy Hash: 07519065B0864792EA30EB3196005B96390FF84794FC455B2EE2CC7BD6EF3CE9458728

Function 00007FF698818660 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF698813CBB), ref: 00007FF698818704
GetCurrentProcessId.KERNEL32(?,00000000,00007FF698813CBB), ref: 00007FF69881870A
CreateDirectoryW.KERNELBASE(?,00000000,00007FF698813CBB), ref: 00007FF69881874C

Part of subcall function 00007FF698818830: GetEnvironmentVariableW.KERNEL32(00007FF69881388E), ref: 00007FF698818867
Part of subcall function 00007FF698818830: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF698818889

Part of subcall function 00007FF698828238: _invalid_parameter_noinfo.LIBCMT ref: 00007FF698828251

Part of subcall function 00007FF698812810: MessageBoxW.USER32 ref: 00007FF6988128EA

Strings

LOADER: failed to set the TMP environment variable., xrefs: 00007FF6988186DC
TMP, xrefs: 00007FF6988186C2
TMP, xrefs: 00007FF69881869C, 00007FF6988187A3
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF69881877E
_MEI%d, xrefs: 00007FF698818712

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
Instruction ID: e65e753b96011912bd05cb8ad584f34625dc9e641f01d07b1ded1a133667d6a0
Opcode Fuzzy Hash: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
Instruction Fuzzy Hash: 50418E11A1964244FA30EB35AB562BA1291EF857C4FC045B2ED2DC7BDADE3CE5038728

Function 00007FF698811210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF6988112EF
1.3.1, xrefs: 00007FF698811249
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF6988112BA
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF69881141E
malloc, xrefs: 00007FF6988112C1, 00007FF6988112F6
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF698811276

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: ef842027a1d970694cc0f789b50cc720652ec9763b74026d17365e7fd9a410f4
Instruction ID: bd516fbbba4d4358309bb4be44fbcebe1502822783f8984094e0a8730f6bbd21
Opcode Fuzzy Hash: ef842027a1d970694cc0f789b50cc720652ec9763b74026d17365e7fd9a410f4
Instruction Fuzzy Hash: 0B511826A0864285EA70DB31E6403BA6291FF84B94FC44175ED5DC7BC9EF3CE942C728

Function 00007FF6988136B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF698813804), ref: 00007FF6988136E1
GetLastError.KERNEL32(?,00007FF698813804), ref: 00007FF6988136EB

Part of subcall function 00007FF698812C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF698813706,?,00007FF698813804), ref: 00007FF698812C9E
Part of subcall function 00007FF698812C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF698813706,?,00007FF698813804), ref: 00007FF698812D63
Part of subcall function 00007FF698812C50: MessageBoxW.USER32 ref: 00007FF698812D99

Strings

Failed to convert executable path to UTF-8., xrefs: 00007FF698813790
\\?\, xrefs: 00007FF69881375A
Failed to resolve full path to executable %ls., xrefs: 00007FF698813739
GetModuleFileNameW, xrefs: 00007FF6988136FA
Failed to obtain executable path., xrefs: 00007FF6988136F3

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction ID: 446c4032bb2c8d13c6f77325513025ec191d39068fdb2c74db9cb926548091fb
Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction Fuzzy Hash: DB219261B1864281FA309734EA543F62351FF98398FC005B6E66EC39D5EF2CE505C328

Function 00007FF69882BA5C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69882BE89

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1c0df5e74df0118619baac061aee596465bcef498cfc928fc9eaa168a483e3b3
Instruction ID: 90bbb4a0dd664e453a9aa3597f989752f9e87bc45167babf0238c9b30c43a5b7
Opcode Fuzzy Hash: 1c0df5e74df0118619baac061aee596465bcef498cfc928fc9eaa168a483e3b3
Instruction Fuzzy Hash: 00C1E622A0D686D1E7719B3592402BD3798FF81BD0FD541B1EA4E83396CF7CE8468728

Function 00007FF698818570 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF698818590
OpenProcessToken.ADVAPI32 ref: 00007FF6988185A3
GetTokenInformation.KERNELBASE ref: 00007FF6988185C8
GetLastError.KERNEL32 ref: 00007FF6988185D2
GetTokenInformation.KERNELBASE ref: 00007FF698818612
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF69881862E
CloseHandle.KERNEL32 ref: 00007FF698818646

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
Instruction ID: a375de6b406c59e1d4d20b731c7f43455c3967b1b977d17d0bcccafd756b5355
Opcode Fuzzy Hash: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
Instruction Fuzzy Hash: 40215521A0C64241EA208B65B65522AA7A4EF857A0F900275EA7DC3BD4DE7CE4468714

Function 00007FF6988190E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF698818570: GetCurrentProcess.KERNEL32 ref: 00007FF698818590
Part of subcall function 00007FF698818570: OpenProcessToken.ADVAPI32 ref: 00007FF6988185A3
Part of subcall function 00007FF698818570: GetTokenInformation.KERNELBASE ref: 00007FF6988185C8
Part of subcall function 00007FF698818570: GetLastError.KERNEL32 ref: 00007FF6988185D2
Part of subcall function 00007FF698818570: GetTokenInformation.KERNELBASE ref: 00007FF698818612
Part of subcall function 00007FF698818570: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF69881862E
Part of subcall function 00007FF698818570: CloseHandle.KERNEL32 ref: 00007FF698818646

LocalFree.KERNEL32(?,00007FF698813C55), ref: 00007FF69881916C
LocalFree.KERNEL32(?,00007FF698813C55), ref: 00007FF698819175

Strings

D:(A;;FA;;;%s), xrefs: 00007FF698819157
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF698819142
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF698819183
S-1-3-4, xrefs: 00007FF698819121

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
Instruction ID: b9c3d450afc11f56c6e5d4b02be5624d094075f5b475fd7858a3c0854f11ad09
Opcode Fuzzy Hash: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
Instruction Fuzzy Hash: 28213221A0874281F720AB30EA553EA7265FF84780FC44476EA5DC3796DF3CD945C764

Function 00007FF698817E20 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(00000000,?,00007FF69881352C,?,00000000,00007FF698813F23), ref: 00007FF698817F32

Strings

%s%c, xrefs: 00007FF698817EA4
\, xrefs: 00007FF698817E97
%.*s, xrefs: 00007FF698817EEB

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 302ffdc47f1f131389ecc473fe7ae023bae846d875cccfc6523225b15fd92315
Instruction ID: 00484ce5574893074981a0438638a32cb075b0a9c5d5f6918b25720729732624
Opcode Fuzzy Hash: 302ffdc47f1f131389ecc473fe7ae023bae846d875cccfc6523225b15fd92315
Instruction Fuzzy Hash: 8B31D261729AC545EA319B31EA507EA6394FF84BE0F800275EE7E87BC9DE2CD6018714

Function 00007FF69882CF60 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF69882CF4B), ref: 00007FF69882D07C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF69882CF4B), ref: 00007FF69882D107

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction ID: 992a78ec463220a570ccb428d9f4e5ef4d50583de3684178291673ca71711ea2
Opcode Fuzzy Hash: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction Fuzzy Hash: 3E91BE62E1865685F770DF7596402BD6AA0EB44BC8F9441B9DE0EE3A94CF3CE443C728

Function 00007FF69882F98C Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF69882FA7C
_get_daylight.LIBCMT ref: 00007FF69882FA8D
_get_daylight.LIBCMT ref: 00007FF69882FA9E
_isindst.LIBCMT ref: 00007FF69882FB69

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction ID: 5270318cfc24efb3d7287fe5e256977253d1c2dfa1fa265302251ba89fbc40f9
Opcode Fuzzy Hash: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction Fuzzy Hash: A051F173F042128AEB38DF749A616BC26A5EB443A8F900275DD1E96AE5DF3CA403C714

Function 00007FF69882577C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF6988257AF
GetFileInformationByHandle.KERNELBASE ref: 00007FF698825811
GetLastError.KERNEL32 ref: 00007FF6988258A2
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6988256B4), ref: 00007FF6988258EE

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: f2931e55a17fed7c801103cab28c1f7fd047901bf7fa79ea6702d423310ad099
Instruction ID: 8ed25a25b3047b9e8649dd0e0eb557b5f9b7445e9d0c036dc72a7c16a90cbfd2
Opcode Fuzzy Hash: f2931e55a17fed7c801103cab28c1f7fd047901bf7fa79ea6702d423310ad099
Instruction Fuzzy Hash: F7519B22E086418AFBB0CF71D6503BD27A1FB48B98F908435EE1D9B689DF7CD4428324

Function 00007FF698825628 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698825655
CreateFileW.KERNELBASE ref: 00007FF698825694
CloseHandle.KERNEL32 ref: 00007FF6988256C9

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 8f3d5377b4ca72f71b0fe910297a4b2920b1cd85568e136600ee028e7f718979
Instruction ID: 876a4d216e73bc57d65d686cd0e336fd23a445dadb9df53ef0535b2787ba4d78
Opcode Fuzzy Hash: 8f3d5377b4ca72f71b0fe910297a4b2920b1cd85568e136600ee028e7f718979
Instruction Fuzzy Hash: 7C41C222E5878183F7608B3096103797360FB947A4F908375EA9C83AD5DF7CA4E18724

Function 00007FF69881CC3C Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF69881CE0C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF69881CE20

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF69881CC60
__scrt_release_startup_lock.LIBCMT ref: 00007FF69881CCCE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF69881CD21

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction ID: a98f593ef5a6c5afe46bcaa0bccfae7a6357be906c93d31ef3570f7af1f27261
Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction Fuzzy Hash: F2315A21E4C24341FA74AB74DB953B91282EF41784FC454B5E92EC72D3DE6CA805C27D

Function 00007FF69882013C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698820180
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698820277

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction ID: 7fea09f21f25048b3f3ff633af3c0792c64c2977c23cbc64722ef0031cc229cf
Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction Fuzzy Hash: E1513821B29242C6F738DA36960467A6681FF84BE4F984775DD6DC37C6CF3CD4029628

Function 00007FF69882C134 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF69882C2CD), ref: 00007FF69882C180
GetLastError.KERNEL32(?,?,?,?,?,00007FF69882C2CD), ref: 00007FF69882C18A

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction ID: 0dab18549605feaf175ea5f7ac05febaf0e6fa4f78421aafca074e5ae72d1337
Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction Fuzzy Hash: 8B11B261608A8181DA30CB35AA141796362EB45FF4F944371EE7D877D9CF7CD4528714

Function 00007FF698825924 Relevance: 3.0, APIs: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF698825839), ref: 00007FF698825957
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF698825839), ref: 00007FF69882596D

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 497c6f3b45805196ef8f930e068bad9451f3f50de380bc241881b145e929bf5b
Instruction ID: baecb31641baa73108a223af5ea28ed8d680995eec0c540b3d79548b8d0bc3cf
Opcode Fuzzy Hash: 497c6f3b45805196ef8f930e068bad9451f3f50de380bc241881b145e929bf5b
Instruction Fuzzy Hash: E311A37260C71282EB748B24F55107AB7A0FB847B1F900276FAADC59D8EF2CD815DB24

Function 00007FF69882A948 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF698832D22,?,?,?,00007FF698832D5F,?,?,00000000,00007FF698833225,?,?,?,00007FF698833157), ref: 00007FF69882A95E
GetLastError.KERNEL32(?,?,?,00007FF698832D22,?,?,?,00007FF698832D5F,?,?,00000000,00007FF698833225,?,?,?,00007FF698833157), ref: 00007FF69882A968

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
Instruction ID: d49dcc89b00f18be24a1a40a644c028aaee82f6c4d9fdf72a7665442f769153b
Opcode Fuzzy Hash: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
Instruction Fuzzy Hash: AFE08650F0960252FF355BF29A551381295EF84780FC400B5D81DC6291DD2C6C878738

Function 00007FF69882AB58 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF69882A9D5,?,?,00000000,00007FF69882AA8A), ref: 00007FF69882ABC6
GetLastError.KERNEL32(?,?,?,00007FF69882A9D5,?,?,00000000,00007FF69882AA8A), ref: 00007FF69882ABD0

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction ID: 36b048a5619d8e5ba8078d2f66dddcf86821e9461f632968e5540eda9d74ecaf
Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction Fuzzy Hash: 39219611B1868251FEB46771975477D1282DF847E0F8442F9D92EC77D5CF6CA4438328

Function 00007FF69882BEAC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69882BED4

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: cbeb3b5568c01fe22c816fd393b22aefbfa64644ae8ce1fe3b0dc090283c3b2e
Instruction ID: 755d85f2ec99117e9cf7b1d345e30b80b7da48ff4cfa6fa9100dd96638b9cca7
Opcode Fuzzy Hash: cbeb3b5568c01fe22c816fd393b22aefbfa64644ae8ce1fe3b0dc090283c3b2e
Instruction Fuzzy Hash: DA41B132919242C7EA348A39A64027973A8EF557C0F940171DBCEC36D5CF3CE4038B64

Function 00007FF698817F90 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF69881803A

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: aaa7b9ff11bb4346a21cc87fb8eff4a238e48d36b47c5124ab7cd44ae98a1b97
Instruction ID: 829e6e34a88490aaf2f5824f5af58290f2707ec77243744e8fc0365c68ff7e6d
Opcode Fuzzy Hash: aaa7b9ff11bb4346a21cc87fb8eff4a238e48d36b47c5124ab7cd44ae98a1b97
Instruction Fuzzy Hash: 9921D321B1865646FA34AA326A053BAA751FF45FC4FC844B0EE1D87786CE7DE443C328

Function 00007FF69882B93C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69882B9C2

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
Instruction ID: 61c0e60914a8c0a722a39409b1ace7db4271f10fb9346df8e680d652ae7f4a61
Opcode Fuzzy Hash: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
Instruction Fuzzy Hash: 24317E22A1961285F6315B758A4137C2694FF80BE0FC101B5EA1D833D6DE7CA8438739

Function 00007FF698825F94 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698825EF9

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: bc7b475464af9362e7067a64fd02bf72329d954e8ac7a6f195d12b4201e31f20
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: CB117531A1C69181EAB0AF21960117DA2A4FF85BD4FC44571EA4CD7A9ACF3DD5028738

Function 00007FF698836354 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698836377

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction ID: aacaa9a51b98092d665e60885f63bd60372dbcdc32b84e77ecc104e9a1d05973
Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction Fuzzy Hash: 5921C272A08A4286DB75CF2CD64037976A0FB84B94FA44235EA5DC76D9DF3CD8018B14

Function 00007FF6988203BC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698820410

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: 605d0b1c4d0a26be06999827874ce11b13982f0926c091fc23646865294c3c95
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: 1D01C461A5874180EA24DF729A00079A691FF85FE4F8886B1EE5CD3BDACE3CD4038318

Function 00007FF69882EB98 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF69882B32A,?,?,?,00007FF698824F11,?,?,?,?,00007FF69882A48A), ref: 00007FF69882EBED

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
Instruction ID: cd5213e57450eba3db8863a222401326d2d12d6886c15291b770e6d5d321687e
Opcode Fuzzy Hash: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
Instruction Fuzzy Hash: FDF04954B0921341FE7966759A513B41284DF89BC0FC855B4DD0FE6AD3ED2CE482823C

Function 00007FF69882D5FC Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF698820C90,?,?,?,00007FF6988222FA,?,?,?,?,?,00007FF698823AE9), ref: 00007FF69882D63A

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction ID: 45aab5d7d10a2d4548cbe1b6051fe971a492e062327d5017c5c88db8cac575a3
Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction Fuzzy Hash: A0F05810B0820B81FE7517B15A0177416A0CF847E0FC807B0EC2EC62C2DE2CB48282B8

Non-executed Functions

Function 00007FF6988176C0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF6988176D7
GetLastError.KERNEL32 ref: 00007FF6988176E9
GetProcAddress.KERNEL32 ref: 00007FF698817725
GetLastError.KERNEL32 ref: 00007FF698817737
GetProcAddress.KERNEL32 ref: 00007FF698817750
GetLastError.KERNEL32 ref: 00007FF698817762
GetProcAddress.KERNEL32 ref: 00007FF69881777B
GetLastError.KERNEL32 ref: 00007FF69881778D
GetProcAddress.KERNEL32 ref: 00007FF6988177A9
GetLastError.KERNEL32 ref: 00007FF6988177BB
GetProcAddress.KERNEL32 ref: 00007FF6988177D7
GetLastError.KERNEL32 ref: 00007FF6988177E9
GetProcAddress.KERNEL32 ref: 00007FF698817805
GetLastError.KERNEL32 ref: 00007FF698817817
GetProcAddress.KERNEL32 ref: 00007FF698817833
GetLastError.KERNEL32 ref: 00007FF698817845
GetProcAddress.KERNEL32 ref: 00007FF698817861
GetLastError.KERNEL32 ref: 00007FF698817873

Strings

Tcl_DoOneEvent, xrefs: 00007FF698817771, 00007FF698817793
Tcl_CreateInterp, xrefs: 00007FF69881771B, 00007FF69881773D
Tcl_MutexFinalize, xrefs: 00007FF69881790F, 00007FF698817931
Tcl_MutexUnlock, xrefs: 00007FF6988178E1, 00007FF698817903
Tcl_NewByteArrayObj, xrefs: 00007FF698817B09, 00007FF698817B2B
Tk_Init, xrefs: 00007FF698817C79, 00007FF698817C9B
Tcl_Free, xrefs: 00007FF698817C4B, 00007FF698817C6D
Tcl_ThreadQueueEvent, xrefs: 00007FF6988179C7, 00007FF6988179E9
Tcl_ConditionNotify, xrefs: 00007FF69881796B, 00007FF69881798D
Tcl_DeleteInterp, xrefs: 00007FF6988177FB, 00007FF69881781D
Tcl_GetVar2, xrefs: 00007FF698817A23, 00007FF698817A45
Tcl_GetCurrentThread, xrefs: 00007FF698817857, 00007FF698817879
GetProcAddress, xrefs: 00007FF6988176FF
Tcl_Finalize, xrefs: 00007FF69881779F, 00007FF6988177C1
Failed to get address for %hs, xrefs: 00007FF6988176F8
Tcl_ThreadAlert, xrefs: 00007FF6988179F5, 00007FF698817A17
Tcl_EvalEx, xrefs: 00007FF698817BC1, 00007FF698817BE3
Tcl_CreateObjCommand, xrefs: 00007FF698817A7F, 00007FF698817AA1
Tcl_FindExecutable, xrefs: 00007FF698817746, 00007FF698817768
Tcl_GetObjResult, xrefs: 00007FF698817B65, 00007FF698817B87
Tcl_SetVar2Ex, xrefs: 00007FF698817B37, 00007FF698817B59
Tcl_SetVar2, xrefs: 00007FF698817A51, 00007FF698817A73
Tcl_NewStringObj, xrefs: 00007FF698817ADB, 00007FF698817AFD
Tk_GetNumMainWindows, xrefs: 00007FF698817CA7, 00007FF698817CC9
Tcl_MutexLock, xrefs: 00007FF6988178B3, 00007FF6988178D5
Tcl_ConditionFinalize, xrefs: 00007FF69881793D, 00007FF69881795F
Tcl_EvalObjv, xrefs: 00007FF698817BEF, 00007FF698817C11
Tcl_Init, xrefs: 00007FF6988176D0, 00007FF6988176EF
Tcl_FinalizeThread, xrefs: 00007FF6988177CD, 00007FF6988177EF
Tcl_ConditionWait, xrefs: 00007FF698817999, 00007FF6988179BB
Tcl_Alloc, xrefs: 00007FF698817C1D, 00007FF698817C3F
Tcl_GetString, xrefs: 00007FF698817AAD, 00007FF698817ACF
Tcl_JoinThread, xrefs: 00007FF698817885, 00007FF6988178A7
Tcl_CreateThread, xrefs: 00007FF698817829, 00007FF69881784B
Tcl_EvalFile, xrefs: 00007FF698817B93, 00007FF698817BB5

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction ID: 27066beeff57e56813158042078afb641db54302c3d531ad66752b239825ea9e
Opcode Fuzzy Hash: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction Fuzzy Hash: 3502C564A0DB0791FA74AB75AB605B423A5EF04744FC410FAD82FD2264EF7CBD598238

Function 00007FF6988340AC Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF6988340FA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698834766
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6988348DC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698834B9A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698834DBA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698834FF7
memcpy_s.LIBCPMT ref: 00007FF6988350D2
memcpy_s.LIBCPMT ref: 00007FF69883517D
memcpy_s.LIBCPMT ref: 00007FF69883524C

Strings

1#INF, xrefs: 00007FF698834223
1#IND, xrefs: 00007FF6988341E7
1#QNAN, xrefs: 00007FF698834213
1#SNAN, xrefs: 00007FF69883420A

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
Instruction ID: 08f7a761d1c8a0506fcf681b57ae3ebcdd6d8fdbdace3547070084343181d55a
Opcode Fuzzy Hash: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
Instruction Fuzzy Hash: 0FB2D372E182928BEB758E74D6407FD37A1FB64388F905176DA0D97A88DF38AD00CB54

Function 00007FF6988183C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00007FF698818919,00007FF698813FA5), ref: 00007FF69881842B
RemoveDirectoryW.KERNEL32(?,00007FF698818919,00007FF698813FA5), ref: 00007FF6988184AE
DeleteFileW.KERNEL32(?,00007FF698818919,00007FF698813FA5), ref: 00007FF6988184CD
FindNextFileW.KERNEL32(?,00007FF698818919,00007FF698813FA5), ref: 00007FF6988184DB
FindClose.KERNEL32(?,00007FF698818919,00007FF698813FA5), ref: 00007FF6988184EC
RemoveDirectoryW.KERNEL32(?,00007FF698818919,00007FF698813FA5), ref: 00007FF6988184F5

Strings

%s\*, xrefs: 00007FF6988183F2

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
Instruction ID: b96fb50cc1bfb92caa738ee905c91b28b9683eb21cc93ae2fa05602afda6c78b
Opcode Fuzzy Hash: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
Instruction Fuzzy Hash: 01416221A0C94285EA30DB74E6851BA63A0FB94754FD002B2E9ADC37D4EF3CD946C764

Function 00007FF69881ACAD Relevance: 12.0, Strings: 9, Instructions: 744COMMON

Download Yara Rule

Strings

invalid literal/length code, xrefs: 00007FF69881B3E2
invalid distances set, xrefs: 00007FF69881B1A0
invalid code -- missing end-of-block, xrefs: 00007FF69881B0C6
too many length or distance symbols, xrefs: 00007FF69881AE46
invalid distance code, xrefs: 00007FF69881B5B4
invalid bit length repeat, xrefs: 00007FF69881B099
invalid distance too far back, xrefs: 00007FF69881B670
invalid code lengths set, xrefs: 00007FF69881AE2D
invalid literal/lengths set, xrefs: 00007FF69881B133

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 55880860ec2df9374ed9e05eb7c1f9660e2769407a38999da05ffb99d6c3dc89
Instruction ID: 6f2f607db29f9cb94ea3b24e7e7746122d645e3f4f2fc6bad4371defc41cb170
Opcode Fuzzy Hash: 55880860ec2df9374ed9e05eb7c1f9660e2769407a38999da05ffb99d6c3dc89
Instruction Fuzzy Hash: 5752E372A146A68BD7A48F24D698B7E3BADFB44340F814139E65AC7780DF3CE844CB54

Function 00007FF69881D12C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF69881D148
RtlCaptureContext.KERNEL32 ref: 00007FF69881D175
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF69881D18F
RtlVirtualUnwind.KERNEL32 ref: 00007FF69881D1D0
IsDebuggerPresent.KERNEL32 ref: 00007FF69881D224
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF69881D241
UnhandledExceptionFilter.KERNEL32 ref: 00007FF69881D24C

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction ID: c79759689cddc0493a1815b2706d88c70c6d8f1ec623465c1b15c3fc782f0488
Opcode Fuzzy Hash: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction Fuzzy Hash: AC315E72608B8186EB708F60E8807EE7364FB84704F84417ADA4E97B95DF7CD548C724

Function 00007FF69882A614 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF69882A68D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF69882A6A5
RtlVirtualUnwind.KERNEL32 ref: 00007FF69882A6E0
IsDebuggerPresent.KERNEL32 ref: 00007FF69882A719
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF69882A723
UnhandledExceptionFilter.KERNEL32 ref: 00007FF69882A72E

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction ID: d3fa10b994324b562b141be570c256b827d21919af109f607b88f3ac3c7d4d59
Opcode Fuzzy Hash: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction Fuzzy Hash: C6318D32608B8196DB30CF34E9406AE73A4FB88798F940276EA9D83B95DF3CD545CB14

Function 00007FF698831874 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6988318C0
FindFirstFileExW.KERNEL32 ref: 00007FF6988319CA

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
Instruction ID: c9172924720252d4ca36e5f31ba2da879a334101b0eaeddf7221e774bc4eec57
Opcode Fuzzy Hash: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
Instruction Fuzzy Hash: A5B1C326B1869241EA719B3296005B96394EF44FE4FC45172FE5D87B89EF3CEC41C328

Function 00007FF69881D010 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF69881D03C
GetCurrentThreadId.KERNEL32 ref: 00007FF69881D04A
GetCurrentProcessId.KERNEL32 ref: 00007FF69881D056
QueryPerformanceCounter.KERNEL32 ref: 00007FF69881D066

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction ID: be81c7e3b7d3b9b90678b2ef588e7f3451b22f1ad2de95d944e015a079a9c6cb
Opcode Fuzzy Hash: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction Fuzzy Hash: 6C115A22B14F058AEB10DF70E9452B933A8FB59758F840E31EA2D87BA4DF3CD5548354

Function 00007FF698833C10 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF698833C76
memcpy_s.LIBCPMT ref: 00007FF698833CA1

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: 3f3963ad947ce0f40434009dfe49bfbdd7b8784e53a21d55099707f3103a9120
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: 6CC1E572B1968687EB34CF25E24466AB791FB94B84F84813ADB4A87744DF3DEC01CB44

Function 00007FF69881A474 Relevance: 4.1, Strings: 3, Instructions: 398COMMON

Download Yara Rule

Strings

, xrefs: 00007FF69881A55B
header crc mismatch, xrefs: 00007FF69881A921
unknown header flags set, xrefs: 00007FF69881A4C5

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown header flags set
API String ID: 0-1127688429
Opcode ID: fcf6ea83c7a46010d3591867e81b0f53761d3f113121264a3729654d2d1b513f
Instruction ID: e274e7fd2899913d68686b40b38e1785dabf3255423ffc7f6c204a9586eef9c3
Opcode Fuzzy Hash: fcf6ea83c7a46010d3591867e81b0f53761d3f113121264a3729654d2d1b513f
Instruction Fuzzy Hash: 72F1BF72A083C59BE7B58F28D188F3A3AA9FF44740F4645B8DA6987790CF38E941C754

Function 00007FF698839728 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF698839977
RaiseException.KERNEL32 ref: 00007FF698839988

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: a4cc0e8a2f7e024105bf8074fef1866164229a93701b52dcf00f6f20498becf3
Instruction ID: 5e78fc4b6543568b15660683642ad6b8ec9e6ad3ddd68d0ee34caeabc77ebfd9
Opcode Fuzzy Hash: a4cc0e8a2f7e024105bf8074fef1866164229a93701b52dcf00f6f20498becf3
Instruction Fuzzy Hash: 4BB17B73A04B898BEB29CF39C94636C3BA0F785B48F548962DA5D837A4CF39D851C714

Function 00007FF6988239A4 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF698823D54
, xrefs: 00007FF698823B12

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: e57f1980f4491aea9eb328a1e81193c2bccc9a7e68d1918bb9b7207cf9600634
Instruction ID: cb8a323bbf124af4a610d56230f84ef8351373acf397b3626964dbc5ee31d914
Opcode Fuzzy Hash: e57f1980f4491aea9eb328a1e81193c2bccc9a7e68d1918bb9b7207cf9600634
Instruction Fuzzy Hash: 88E1B732A08A4645EB789E35876013D3360FF44BE8F9442BDDA4E876A5DF2DE853C718

Function 00007FF69881A2DB Relevance: 2.7, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

incorrect header check, xrefs: 00007FF69881A45B
invalid window size, xrefs: 00007FF69881A442

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size
API String ID: 0-900081337
Opcode ID: 7e7bac63e97a7e962ac1d8bc37368dc0e110af78d4507200a91f80e7c7b94e68
Instruction ID: 6a677b84bb64f2eb62aa4201f2958bab71430dc64611753405d01c16262d4ee6
Opcode Fuzzy Hash: 7e7bac63e97a7e962ac1d8bc37368dc0e110af78d4507200a91f80e7c7b94e68
Instruction Fuzzy Hash: 6E919472A182C68BE7B48B24D548F3E3AADFB44350F514179DA6AC6780DF3CE941CB14

Function 00007FF69882DEF0 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FF69882E07A
e+000, xrefs: 00007FF69882DFFD

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: c8a24eaff8c968987b4d031b15ae93849e98bcf9eddb8930961e84febef9b5bc
Instruction ID: f7f9d7662dfed0059ec194ceb6aa5b196c87a95a44628a82a157d611c33922da
Opcode Fuzzy Hash: c8a24eaff8c968987b4d031b15ae93849e98bcf9eddb8930961e84febef9b5bc
Instruction Fuzzy Hash: A0517962B182D546E7348E35DA007696B91FB44BE4F888271CBAC87AC6CF3DD4028718

Function 00007FF6988308C8 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 537422541fbed36a77ddee3a41e978a3695e14332b64c7d8d0a2d6c09592a1ae
Instruction ID: 4be0547fc3e035e0665b226e413d230f452cf3a89ebcb7a9737c19b7c454ad3b
Opcode Fuzzy Hash: 537422541fbed36a77ddee3a41e978a3695e14332b64c7d8d0a2d6c09592a1ae
Instruction Fuzzy Hash: 69028021B2D68641FA75AB31960067D2684EF41BA0FC546B6DD6EC77D2DE7CEC028338

Function 00007FF69882DA5C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF69882DD9E

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction ID: 41b51315454168fdc4fd80195568eaf87f7c44d5ddc0f47efba719bf59f790da
Opcode Fuzzy Hash: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction Fuzzy Hash: C6A13463A087CA86EB31CF35A5107AA7B91EB54BC4F448172DE8D87786DE3DE502C714

Function 00007FF698828794 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF6988287B3

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 09cdd7cf7fc9e7e425d724a32e8c9d3bd5c12dba7606eca5b930980d9b4d1239
Instruction ID: 4fc67e33a9763898fa4201664b083d28dddef1a660c16a6ecc9c61237706e8bd
Opcode Fuzzy Hash: 09cdd7cf7fc9e7e425d724a32e8c9d3bd5c12dba7606eca5b930980d9b4d1239
Instruction Fuzzy Hash: 17518C16F1865251FE74AB375B0117A5290EF84BD4FC844B5DE1EC7796EE3CE8438228

Function 00007FF698833480 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF698833484

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 1f9e0516fd534d967cb731c121838b59470578846d262458ea046ba55ab40ebf
Instruction ID: b77a9dbe91bbff2b51c04f64ec3d309916497bbca8ff2bd8bce780299561c8f0
Opcode Fuzzy Hash: 1f9e0516fd534d967cb731c121838b59470578846d262458ea046ba55ab40ebf
Instruction Fuzzy Hash: 25B09220E07B02C2EA192B316D8221822A9BF48701FD802B9C40DD0330DE2C24E95724

Function 00007FF6988235A0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eca4e5ff3e7205525bf20f3b63783aa462e3e7adb0228d62bb7e98ab9f5e9bb
Instruction ID: 78f2f3813392fb1b239d5aee2a772a4b3601b1bb11ccd84e20bcb6ce2ac5a27b
Opcode Fuzzy Hash: 5eca4e5ff3e7205525bf20f3b63783aa462e3e7adb0228d62bb7e98ab9f5e9bb
Instruction Fuzzy Hash: B2D1D562A0864245EB388A35826063D67A0FB05BE8F94427DCE0D877E5DF3DE847D768

Function 00007FF698819800 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75d751cc15dfd510e55d83c6141b0e8cb11d18cbed01e0c543b372a0114c593
Instruction ID: 4e0fe754edd2cf805d062c053b56220b04c31fe51b947a220719fbb130852a15
Opcode Fuzzy Hash: e75d751cc15dfd510e55d83c6141b0e8cb11d18cbed01e0c543b372a0114c593
Instruction Fuzzy Hash: F1C1BE722181E08BD299EB29E86947A73D1F78934DBD5406BEF87877C5CB3CA414DB20

Function 00007FF698822C10 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa73bfa000bc8cd66a05f12d530b76a597660d7bda6a6781f52cf2f49ffced0b
Instruction ID: d38b0bd2e3f7e31eaa38d355c529dd0bfdf909b3d7b7fefaa385c50c9213e6f8
Opcode Fuzzy Hash: aa73bfa000bc8cd66a05f12d530b76a597660d7bda6a6781f52cf2f49ffced0b
Instruction Fuzzy Hash: EFB1AC7690878585E7748F39C15027CBBA0EB49B88FA402B5CB4E8739ACF7DD442D768

Function 00007FF69882E570 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9611c2e0762efa78d7f6da3d8515592aa8d86601c49200b7335873453b670326
Instruction ID: 1e8e74921bc4df80759a15940cb1cdb4115f4f80427cbf36d2be23830086b940
Opcode Fuzzy Hash: 9611c2e0762efa78d7f6da3d8515592aa8d86601c49200b7335873453b670326
Instruction Fuzzy Hash: 7781D272A187814AEB74CF29E64037A7A91FB457D4F944275DA8D83F8ADF3CE4018B18

Function 00007FF698836418 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 21aaab296e2e64a79b20cf98ea2699a9ab0529386423cc159892306e5cd43e00
Instruction ID: 44e751c9c28c852c331e1bd79974d01e03e4c9585c6a28435d332ab1bea246e3
Opcode Fuzzy Hash: 21aaab296e2e64a79b20cf98ea2699a9ab0529386423cc159892306e5cd43e00
Instruction Fuzzy Hash: FF6128A2F0825246FB78CA3C961463C6681EF417A0FD402BAD61EC36C5EE7DEC009728

Function 00007FF698821944 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: d0e96f5719779aaa80849e143cac7dc17abff5c83f6d8d3874e8b901a7ec8d8c
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: CE51507AA1865186EB348B39C24423927A0EB48B98FB441B1CE8D97794DF3EFC53C754

Function 00007FF698822164 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: 0b803817a53980d49a4eac7a189c4c278604281ad67a8aac05fa5e112e0d28af
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: 0A51B276A1865282E7348B39C544638B3A1FB58BA8FA44171CE4C877A4CF3EE853C758

Function 00007FF698821D54 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: 907f28efc1e0d710a2bb09472dffd010cd5c7862c7cb2f38be00cb8449261ce4
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: 1F517F7AA1865186EB748B39C14032933A0EB45BA8FB44272CE4D97795CF3EF853C794

Function 00007FF698821B50 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction ID: 819d5b3412e530bc4bb5178f7e0ee0197ad7cf08048c67badb99d3620146bd28
Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction Fuzzy Hash: C7519E7AA1865186EB348F39C24022827A1EB44B98FB441B1CE4C97795DF3EF843C758

Function 00007FF698821740 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction ID: daf8418b21b61f4e6d91dd475fc35ec16b14889ed02e8c1c98c1191f15ca09a5
Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction Fuzzy Hash: 48516D7AA1865186EB348B39C14023867A1EB85B98FB44171CE4D97798CF3EF843C794

Function 00007FF698821F60 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction ID: 0432b8cb316215ccbcc4e0777fe105a8c2660be904153ad8fca9b5dc31d11b3d
Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction Fuzzy Hash: 94518F36A1866186EB348B39C24063867A0EB44FA8FB44171CE4C977A9DF3EF853C754

Function 00007FF698825D30 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: 41f2c58c2aa60bba06f205e64aebba8c6861c7f756025d83a3fdb10fd563d685
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: 6341936688E74A05E9F9893807186B42680EF22BE1DD853F4DD9D973D3CD0D6587C224

Function 00007FF698829EA0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
Instruction ID: 0780abcbec745790cb477b0bd006715d57f98ce7f7ac3c1d8fd4a17ff2e8ce73
Opcode Fuzzy Hash: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
Instruction Fuzzy Hash: A1412323714A5582EF14CF3ADA14569B3A1FB48FD0B899436EE1DD7B58DE3CC4428304

Function 00007FF6988280E4 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction ID: 3b097787b81ebb893f81d0164d3fbf9d4ab781da6ffbd7d74926388d9d556458
Opcode Fuzzy Hash: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction Fuzzy Hash: 8431B132B28B4242EA74DB35664012E6AD5EF84BD0F944279EA5DD3BD6DF3CD4038718

Function 00007FF698839570 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d3ac10822f6242d2b374fc0e1218152d8e80c351f0dfcd4fab21387456caa74
Instruction ID: 62cdb87a75096f5270de8c5cad650b3ae32c2275f16965fddfe4ef8d1f9c8ed1
Opcode Fuzzy Hash: 5d3ac10822f6242d2b374fc0e1218152d8e80c351f0dfcd4fab21387456caa74
Instruction Fuzzy Hash: 74F044717182968BDBA88F69B90266A7BD0F7083C0F8084BDD589C3A14DE3C94518F18

Function 00007FF69881D30C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c3909751b2697c6481bc0460501d6177e5cf72f77169ad8285d6e0cd944102a
Instruction ID: 23a2dae31039fe4c0c0c2a24782b5f44617664ed71c2dfd49f73a75726c00415
Opcode Fuzzy Hash: 3c3909751b2697c6481bc0460501d6177e5cf72f77169ad8285d6e0cd944102a
Instruction Fuzzy Hash: 31A00271D0CC1BD0F6648B20EA902356335FB54301FC001B2F01DE20B0AF7CA804D328

Function 00007FF698815830 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF6988164CF,?,00007FF69881336E), ref: 00007FF698815840
GetLastError.KERNEL32(?,00007FF6988164CF,?,00007FF69881336E), ref: 00007FF698815852
GetProcAddress.KERNEL32(?,00007FF6988164CF,?,00007FF69881336E), ref: 00007FF698815889
GetLastError.KERNEL32(?,00007FF6988164CF,?,00007FF69881336E), ref: 00007FF69881589B
GetProcAddress.KERNEL32(?,00007FF6988164CF,?,00007FF69881336E), ref: 00007FF6988158B4
GetLastError.KERNEL32(?,00007FF6988164CF,?,00007FF69881336E), ref: 00007FF6988158C6
GetProcAddress.KERNEL32(?,00007FF6988164CF,?,00007FF69881336E), ref: 00007FF6988158DF
GetLastError.KERNEL32(?,00007FF6988164CF,?,00007FF69881336E), ref: 00007FF6988158F1
GetProcAddress.KERNEL32(?,00007FF6988164CF,?,00007FF69881336E), ref: 00007FF69881590D
GetLastError.KERNEL32(?,00007FF6988164CF,?,00007FF69881336E), ref: 00007FF69881591F
GetProcAddress.KERNEL32(?,00007FF6988164CF,?,00007FF69881336E), ref: 00007FF69881593B
GetLastError.KERNEL32(?,00007FF6988164CF,?,00007FF69881336E), ref: 00007FF69881594D
GetProcAddress.KERNEL32(?,00007FF6988164CF,?,00007FF69881336E), ref: 00007FF698815969
GetLastError.KERNEL32(?,00007FF6988164CF,?,00007FF69881336E), ref: 00007FF69881597B
GetProcAddress.KERNEL32(?,00007FF6988164CF,?,00007FF69881336E), ref: 00007FF698815997
GetLastError.KERNEL32(?,00007FF6988164CF,?,00007FF69881336E), ref: 00007FF6988159A9
GetProcAddress.KERNEL32(?,00007FF6988164CF,?,00007FF69881336E), ref: 00007FF6988159C5
GetLastError.KERNEL32(?,00007FF6988164CF,?,00007FF69881336E), ref: 00007FF6988159D7

Strings

Py_PreInitialize, xrefs: 00007FF69881595F, 00007FF698815981
PyConfig_SetString, xrefs: 00007FF698815A45, 00007FF698815A67
PySys_GetObject, xrefs: 00007FF698815E67, 00007FF698815E89
PyErr_Fetch, xrefs: 00007FF698815ACF, 00007FF698815AF1
PyUnicode_Decode, xrefs: 00007FF698815EF1, 00007FF698815F13
PyImport_ImportModule, xrefs: 00007FF698815C3F, 00007FF698815C61
PyMarshal_ReadObjectFromString, xrefs: 00007FF698815C6D, 00007FF698815C8F
PyObject_SetAttrString, xrefs: 00007FF698815D81, 00007FF698815DA3
PyConfig_Read, xrefs: 00007FF6988159E9, 00007FF698815A0B
PyUnicode_Join, xrefs: 00007FF698815FA9, 00007FF698815FCB
PyErr_Occurred, xrefs: 00007FF698815B2B, 00007FF698815B4D
PyMem_RawFree, xrefs: 00007FF698815C9B, 00007FF698815CBD
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF698815DDD, 00007FF698815DFF
PyObject_CallFunction, xrefs: 00007FF698815CF7, 00007FF698815D19
Py_DecRef, xrefs: 00007FF698815836, 00007FF698815858
Py_DecodeLocale, xrefs: 00007FF69881587F, 00007FF6988158A1
PyConfig_InitIsolatedConfig, xrefs: 00007FF6988159BB, 00007FF6988159DD
PyErr_Clear, xrefs: 00007FF698815AA1, 00007FF698815AC3
Py_IsInitialized, xrefs: 00007FF698815931, 00007FF698815953
PyImport_AddModule, xrefs: 00007FF698815BE3, 00007FF698815C05
PyEval_EvalCode, xrefs: 00007FF698815BB5, 00007FF698815BD7
Py_InitializeFromConfig, xrefs: 00007FF698815903, 00007FF698815925
PyConfig_SetBytesString, xrefs: 00007FF698815A17, 00007FF698815A39
Py_ExitStatusException, xrefs: 00007FF6988158AA, 00007FF6988158CC
PyErr_NormalizeException, xrefs: 00007FF698815AFD, 00007FF698815B1F
GetProcAddress, xrefs: 00007FF698815868
PyConfig_SetWideStringList, xrefs: 00007FF698815A73, 00007FF698815A95
PyUnicode_DecodeFSDefault, xrefs: 00007FF698815F1F, 00007FF698815F41
PyUnicode_AsUTF8, xrefs: 00007FF698815EC3, 00007FF698815EE5
Failed to get address for %hs, xrefs: 00007FF698815861
Py_Finalize, xrefs: 00007FF6988158D5, 00007FF6988158F7
PyObject_CallFunctionObjArgs, xrefs: 00007FF698815D25, 00007FF698815D47
PyErr_Restore, xrefs: 00007FF698815B87, 00007FF698815BA9
PyImport_ExecCodeModule, xrefs: 00007FF698815C11, 00007FF698815C33
PyRun_SimpleStringFlags, xrefs: 00007FF698815E0B, 00007FF698815E2D
PyObject_GetAttrString, xrefs: 00007FF698815D53, 00007FF698815D75
PyUnicode_Replace, xrefs: 00007FF698815FD7, 00007FF698815FF9
PyConfig_Clear, xrefs: 00007FF69881598D, 00007FF6988159AF
PyUnicode_FromFormat, xrefs: 00007FF698815F4D, 00007FF698815F6F
PyErr_Print, xrefs: 00007FF698815B59, 00007FF698815B7B
PyModule_GetDict, xrefs: 00007FF698815CC9, 00007FF698815CEB
PyUnicode_FromString, xrefs: 00007FF698815F7B, 00007FF698815F9D
PyStatus_Exception, xrefs: 00007FF698815E39, 00007FF698815E5B
PyObject_Str, xrefs: 00007FF698815DAF, 00007FF698815DD1
PySys_SetObject, xrefs: 00007FF698815E95, 00007FF698815EB7

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction ID: 19f81c1a686fef5ce0b3b3d364b711dc8ee74ea21687025db7e8b97c535e72c1
Opcode Fuzzy Hash: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction Fuzzy Hash: F322B2A4A09B0791FA359B75AB685B533A5EF04741FC410F6D82FD2260FF7CB9588328

Function 00007FF6988181D0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF698819390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6988145F4,00000000,00007FF698811985), ref: 00007FF6988193C9

ExpandEnvironmentStringsW.KERNEL32(?,00007FF6988186B7,?,?,00000000,00007FF698813CBB), ref: 00007FF69881822C

Part of subcall function 00007FF698812810: MessageBoxW.USER32 ref: 00007FF6988128EA

Strings

LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF698818373
%.*s, xrefs: 00007FF69881830C
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF698818203
\, xrefs: 00007FF698818261
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF69881829D
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF698818240
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF6988182D9
CreateDirectory, xrefs: 00007FF69881837C

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 9187bed43bf71c5340eadf58a1920dd2feb36a2730cc38c17813087cef3183ed
Instruction ID: c71b5d04f5a253950536794d315e90409df025a521ab79a7e88eed8736830a2e
Opcode Fuzzy Hash: 9187bed43bf71c5340eadf58a1920dd2feb36a2730cc38c17813087cef3183ed
Instruction Fuzzy Hash: 1B51B451B2DA4381FA71EB35DA522BA6250EF94780FC44472EA1EC36D5EF3CE5068328

Function 00007FF698812180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6988121AB
SelectObject.GDI32 ref: 00007FF6988121F2
DrawTextW.USER32 ref: 00007FF698812215
SelectObject.GDI32 ref: 00007FF69881222B
ReleaseDC.USER32 ref: 00007FF69881223B
MoveWindow.USER32 ref: 00007FF69881228B
MoveWindow.USER32 ref: 00007FF6988122CB
MoveWindow.USER32 ref: 00007FF69881231E
MoveWindow.USER32 ref: 00007FF698812366

Strings

P%, xrefs: 00007FF6988121FF

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: 63b41d118fb7d7e99b91d17ebab4e07e6ce4284066f164aba361a6d8aacdcfb1
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: 8651F566604BA186D6349F36E4181BAB7A1FB98B65F004132EFDE83694DF3CD085DB24

Function 00007FF6988180C0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF6988180FF
GetWindowLongPtrW.USER32 ref: 00007FF69881817F
ShutdownBlockReasonCreate.USER32 ref: 00007FF698818192
GetLastError.KERNEL32 ref: 00007FF69881819C
SetWindowLongPtrW.USER32 ref: 00007FF6988181B3

Strings

Needs to remove its temporary files., xrefs: 00007FF698818185

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction ID: a560ded7918ced7e7872b99979175aae2131da24dcf56c47ba8e2b8328deb628
Opcode Fuzzy Hash: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction Fuzzy Hash: CB21DE62B18A8281E7618B7AFA551796354FF84F90FD84171EE2DC33D4DE2CD9518328

Function 00007FF698826290 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6988262D3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6988266C0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69882695C

Strings

p, xrefs: 00007FF6988263FD
:, xrefs: 00007FF69882648C
p, xrefs: 00007FF698826385
-, xrefs: 00007FF698826369
f, xrefs: 00007FF6988263F5

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: 8cb7a7acd82234d32cbec30dd749e4f398e1d2bbf81e57ccbb739ea914fde29e
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: 141291E1E0D24387FB70DA34E35467A7691FB50790FD84175E68A866C4DF3CE9828B28

Function 00007FF698820FC8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698821008
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6988213D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69882166F

Strings

p, xrefs: 00007FF698821112
f, xrefs: 00007FF698821255
f, xrefs: 00007FF6988210A0
p, xrefs: 00007FF6988210AD
f, xrefs: 00007FF69882110A

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: f1ec957a0f1690d5e4a0619b7b3ca19ef6519c46d7b17018d6b0b548b654e983
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: DA129869E0C14385FF309E34E24467A7692FB807D4FE44171E69A869C4DF3CF4528B28

Function 00007FF698811050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

fseek, xrefs: 00007FF6988110D3
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6988111F6
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF698811108
Failed to extract %s: failed to open archive file!, xrefs: 00007FF698811098
malloc, xrefs: 00007FF69881110F
fread, xrefs: 00007FF6988111FD
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6988110CC

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: b86492fec82845683ed30ee17fa4372ac3c9e67344e1de42683d38f875b626aa
Instruction ID: 3dd9044d290e6d42fa67a153152e546afa4643eb3d92cadb06fcca019107071b
Opcode Fuzzy Hash: b86492fec82845683ed30ee17fa4372ac3c9e67344e1de42683d38f875b626aa
Instruction Fuzzy Hash: 4041B665B1865282FA30DB32AA006B9A395FF44BD4FC454B2ED1CC7796DF3CE5028768

Function 00007FF698811470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107COMMON

Download Yara Rule

Strings

fseek, xrefs: 00007FF6988114E5
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6988115DF
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF698811518
Failed to extract %s: failed to open archive file!, xrefs: 00007FF69881149F
malloc, xrefs: 00007FF69881151F
fread, xrefs: 00007FF6988115E6
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6988114DE

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 0668517533cd0d68b5080e8717ca13fde84679c12f5f15204a3f6509b4669e23
Instruction ID: eaaa19a7b087f357a4877b198cc5b35318de3887819220f72639901a103be0a1
Opcode Fuzzy Hash: 0668517533cd0d68b5080e8717ca13fde84679c12f5f15204a3f6509b4669e23
Instruction Fuzzy Hash: D0419D66B0864286EB20DB3196405F96390FF847D4FC458B2ED1D87B9ADF3CE902C728

Function 00007FF69881EA08 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF69881EA65

Part of subcall function 00007FF69881F9BC: __GetUnwindTryBlock.LIBCMT ref: 00007FF69881F9FF
Part of subcall function 00007FF69881F9BC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF69881FA24

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF69881EB3D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF69881ED8B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF69881EE98

Strings

csm, xrefs: 00007FF69881EAE6
csm, xrefs: 00007FF69881EB60
csm, xrefs: 00007FF69881EA7F

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction ID: 7e6ddbc3933a8f6ca045b8d3057ab23fea4ea6f0c62ad87b64516e38c4305700
Opcode Fuzzy Hash: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction Fuzzy Hash: 35D18F32A08B418AEB309F75D6403AD77A0FB45788F900175EE9E97B96CF38E481C724

Function 00007FF69882ED10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF69882F0AA,?,?,000002894EA95958,00007FF69882AD53,?,?,?,00007FF69882AC4A,?,?,?,00007FF698825F3E), ref: 00007FF69882EE8C
GetProcAddress.KERNEL32(?,?,?,00007FF69882F0AA,?,?,000002894EA95958,00007FF69882AD53,?,?,?,00007FF69882AC4A,?,?,?,00007FF698825F3E), ref: 00007FF69882EE98

Strings

api-ms-, xrefs: 00007FF69882EDD6
ext-ms-, xrefs: 00007FF69882EDE9

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction ID: 8a9b7a1d02c84eea124eb11f8c3ad3cd4316d6e8cb3ac568c358a8ae1e7cd231
Opcode Fuzzy Hash: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction Fuzzy Hash: 9541E466B19A0241EA35CB369A005752395FF48BE0FC84179ED1DD7B85EF3CE806832C

Function 00007FF698812C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF698813706,?,00007FF698813804), ref: 00007FF698812C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF698813706,?,00007FF698813804), ref: 00007FF698812D63
MessageBoxW.USER32 ref: 00007FF698812D99

Strings

<FormatMessageW failed.>, xrefs: 00007FF698812D70
Error, xrefs: 00007FF698812D8C
%ls: , xrefs: 00007FF698812D22
[PYI-%d:ERROR] , xrefs: 00007FF698812CA6

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction ID: 19cba3c94587ca2a4cfa303334df52b384ddd671bfa3e205abd1fcd5131dab98
Opcode Fuzzy Hash: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction Fuzzy Hash: B731F562B08B4142E630EB35BA542AA6695FF88BD8F800136EF4DD3B99DF3CD506C314

Function 00007FF69881DCC8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF69881DF7A,?,?,?,00007FF69881DC6C,?,?,?,00007FF69881D869), ref: 00007FF69881DD4D
GetLastError.KERNEL32(?,?,?,00007FF69881DF7A,?,?,?,00007FF69881DC6C,?,?,?,00007FF69881D869), ref: 00007FF69881DD5B
LoadLibraryExW.KERNEL32(?,?,?,00007FF69881DF7A,?,?,?,00007FF69881DC6C,?,?,?,00007FF69881D869), ref: 00007FF69881DD85
FreeLibrary.KERNEL32(?,?,?,00007FF69881DF7A,?,?,?,00007FF69881DC6C,?,?,?,00007FF69881D869), ref: 00007FF69881DDF3
GetProcAddress.KERNEL32(?,?,?,00007FF69881DF7A,?,?,?,00007FF69881DC6C,?,?,?,00007FF69881D869), ref: 00007FF69881DDFF

Strings

api-ms-, xrefs: 00007FF69881DD6D

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction ID: 62d67ec25ff408321627701d1abd461273071d1c3313da762dfbf96c8cb843ce
Opcode Fuzzy Hash: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction Fuzzy Hash: E031D861B1AA4292EE31DB229A006B523D4FF48BA4FD94575ED3D87385DF3CE4458328

Function 00007FF698816360 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

LoadLibrary, xrefs: 00007FF6988164AE
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF6988163C7
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF698816407
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF698816456
ucrtbase.dll, xrefs: 00007FF6988163DD
Failed to load Python DLL '%ls'., xrefs: 00007FF6988164A7

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 2df6df0904ecf2e68063807813f252f2c523520ae69ca8fe89000ee1ae80a761
Instruction ID: 534247d2cabc2f62a3b3a6eeef12cece03a0fa51f0effd5a13ef7a6b1012746d
Opcode Fuzzy Hash: 2df6df0904ecf2e68063807813f252f2c523520ae69ca8fe89000ee1ae80a761
Instruction Fuzzy Hash: 5241A371B18A8791EA31DB34E6581EA7316FF44344FC00172EAAD83695EF3CE605C364

Function 00007FF698812A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF69881351A,?,00000000,00007FF698813F23), ref: 00007FF698812AA0

Strings

0, xrefs: 00007FF698812B16
Warning, xrefs: 00007FF698812B1E
WARNING, xrefs: 00007FF698812AAF
Warning [ANSI Fallback], xrefs: 00007FF698812B0F
[PYI-%d:%s] , xrefs: 00007FF698812AA8

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction ID: fa2ecc385d8b104fb17cb018e078c1912c8e3c204f48df9856e3adee04c637f0
Opcode Fuzzy Hash: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction Fuzzy Hash: CF219272A18B8142E730DB61B9817E67394FB887C4F800176FE8D93659DF3CD5468754

Function 00007FF69882B150 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF69882B15F
FlsGetValue.KERNEL32 ref: 00007FF69882B174
FlsSetValue.KERNEL32 ref: 00007FF69882B195
FlsSetValue.KERNEL32 ref: 00007FF69882B1C2
FlsSetValue.KERNEL32 ref: 00007FF69882B1D3
FlsSetValue.KERNEL32 ref: 00007FF69882B1E4
SetLastError.KERNEL32 ref: 00007FF69882B1FF

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: a42b9cf7ed1ffe71ebcf97f5a72f2c90d2921d4b6bb9ef7954fc9d2fe8c6feaf
Instruction ID: 0b817809cd03169f432cad3bb4372c3be332ed0b615b81e37caffce1028646bd
Opcode Fuzzy Hash: a42b9cf7ed1ffe71ebcf97f5a72f2c90d2921d4b6bb9ef7954fc9d2fe8c6feaf
Instruction Fuzzy Hash: 98213E21B0D68281FA78A3359B51539625ADF447F0FD447B4E93EC7AC6DE2CF8428329

Function 00007FF698837D6C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF698837D9D
GetLastError.KERNEL32 ref: 00007FF698837DA9
CloseHandle.KERNEL32 ref: 00007FF698837DC1
CreateFileW.KERNEL32 ref: 00007FF698837DEC
WriteConsoleW.KERNEL32 ref: 00007FF698837E0B

Strings

CONOUT$, xrefs: 00007FF698837DCD

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction ID: bbae1216b79d7c76ec958378250f5a29ac09cb4023e017d5be54e792dd1ef466
Opcode Fuzzy Hash: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction Fuzzy Hash: D6119022B18A4186E7709B72E95432962A4FB88FF4F800275EE5EC77A4DF7CD8148758

Function 00007FF698818ED0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,FFFFFFFF,00000000,00007FF698813FB1), ref: 00007FF698818EFD
K32EnumProcessModules.KERNEL32(?,FFFFFFFF,00000000,00007FF698813FB1), ref: 00007FF698818F5A

Part of subcall function 00007FF698819390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6988145F4,00000000,00007FF698811985), ref: 00007FF6988193C9

K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF698813FB1), ref: 00007FF698818FE5
K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF698813FB1), ref: 00007FF698819044
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF698813FB1), ref: 00007FF698819055
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF698813FB1), ref: 00007FF69881906A

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: 0184f5a771bb2c28f933eba3e4018dda16e38d059dd6d010c17659477659ba58
Instruction ID: df1e3bfdf276c524402deae6b3d981b2827f5f84ef0c2e676bfc7afed62a64ed
Opcode Fuzzy Hash: 0184f5a771bb2c28f933eba3e4018dda16e38d059dd6d010c17659477659ba58
Instruction Fuzzy Hash: 12419661A1968281EA309B21E6402BA7394FF84BD0FC50575DF6D97789DE3CE501C728

Function 00007FF69882B2C8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF698824F11,?,?,?,?,00007FF69882A48A,?,?,?,?,00007FF69882718F), ref: 00007FF69882B2D7
FlsSetValue.KERNEL32(?,?,?,00007FF698824F11,?,?,?,?,00007FF69882A48A,?,?,?,?,00007FF69882718F), ref: 00007FF69882B30D
FlsSetValue.KERNEL32(?,?,?,00007FF698824F11,?,?,?,?,00007FF69882A48A,?,?,?,?,00007FF69882718F), ref: 00007FF69882B33A
FlsSetValue.KERNEL32(?,?,?,00007FF698824F11,?,?,?,?,00007FF69882A48A,?,?,?,?,00007FF69882718F), ref: 00007FF69882B34B
FlsSetValue.KERNEL32(?,?,?,00007FF698824F11,?,?,?,?,00007FF69882A48A,?,?,?,?,00007FF69882718F), ref: 00007FF69882B35C
SetLastError.KERNEL32(?,?,?,00007FF698824F11,?,?,?,?,00007FF69882A48A,?,?,?,?,00007FF69882718F), ref: 00007FF69882B377

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 1c08c83365d44066401784e1b70b71c7670d14ff4fb682678828c33d1612b477
Instruction ID: 0a9f0d07a3273080416ba395178a3943889942c87aff163cbc4a2585995174a3
Opcode Fuzzy Hash: 1c08c83365d44066401784e1b70b71c7670d14ff4fb682678828c33d1612b477
Instruction Fuzzy Hash: AB116D21B0D64382FA74A331575513D228ADF84BF0F8447B4E82EC7AD6DE2CF4128328

Function 00007FF698812910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF698811B6A), ref: 00007FF69881295E

Strings

%s: %s, xrefs: 00007FF6988129E8
Error [ANSI Fallback], xrefs: 00007FF6988129FF
[PYI-%d:ERROR] , xrefs: 00007FF698812966
Error, xrefs: 00007FF698812A0E

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction ID: 081498227ffaa367a3d0264db52ff914dc62cbd7268b63602e81013643c95fd1
Opcode Fuzzy Hash: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction Fuzzy Hash: 4D31D462B1868152E730E775AA416F66295FF887D8F800132FE9DC3759EF3CD5468324

Function 00007FF698812390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6988123C8
DialogBoxIndirectParamW.USER32 ref: 00007FF69881248E
DeleteObject.GDI32 ref: 00007FF6988124C1
DestroyIcon.USER32 ref: 00007FF6988124D3

Strings

Unhandled exception in script, xrefs: 00007FF6988123F8

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
Instruction ID: c93b6ae57d08ebada86ee2832dd9cd39f35c660483dbd0b95a03066187bc652d
Opcode Fuzzy Hash: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
Instruction Fuzzy Hash: 94319372A19A8289EB30EF31E9552F96364FF88788F840176EA4E87B49DF3CD501C714

Function 00007FF698812B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF69881918F,?,00007FF698813C55), ref: 00007FF698812BA0
MessageBoxW.USER32 ref: 00007FF698812C2A

Strings

[PYI-%d:%ls] , xrefs: 00007FF698812BA8
Warning, xrefs: 00007FF698812C1D
WARNING, xrefs: 00007FF698812BAF

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction ID: 6a005a13bbe5c79b28466cb6dac3efcb0a0e2c3ab57ef60110d25be45676125b
Opcode Fuzzy Hash: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction Fuzzy Hash: B621B262708B4182E720DB64F9847EA73A4FB88784F800136EE8D97B5ADF3CD605C754

Function 00007FF698812710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF698811B99), ref: 00007FF698812760

Strings

Error [ANSI Fallback], xrefs: 00007FF6988127CF
ERROR, xrefs: 00007FF69881276F
[PYI-%d:%s] , xrefs: 00007FF698812768
Error, xrefs: 00007FF6988127DE

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction ID: 8062ad39358cbe5949ca7649a0a7e6e592ca5311f0bc7a7c9bd7edb97c2d871b
Opcode Fuzzy Hash: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction Fuzzy Hash: 34219072A18B8182E730DB60B9817E66394FB887C4F800176FE8D93A5ADF7CD5458754

Function 00007FF698829A88 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF698829AAD
GetProcAddress.KERNEL32 ref: 00007FF698829AC3
FreeLibrary.KERNEL32 ref: 00007FF698829AEA

Strings

CorExitProcess, xrefs: 00007FF698829ABC
mscoree.dll, xrefs: 00007FF698829AA4

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction ID: 6670cb2ec5f7dfc96be2acdfb3150db03e48d749633858d40edf5a3bba88f73a
Opcode Fuzzy Hash: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction Fuzzy Hash: 20F0C261B0970681EA308B34EA8477A6324EF847A1FC406B6DA6EC61E4DF2CD445C328

Function 00007FF698839368 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF698839390
_set_statfp.LIBCMT ref: 00007FF6988393AB
_set_statfp.LIBCMT ref: 00007FF6988393C7
_set_statfp.LIBCMT ref: 00007FF698839403

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 84b4ed7449d1a485124c6bdf7a203b179e7ea862573e22a46711e194c3cad716
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: 9E118262E5CA0382FA741179EF9137A1050EF5B364F841EB6EA6FD62D6CE6C6C414128

Function 00007FF69882B390 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF69882A5A3,?,?,00000000,00007FF69882A83E,?,?,?,?,?,00007FF69882A7CA), ref: 00007FF69882B3AF
FlsSetValue.KERNEL32(?,?,?,00007FF69882A5A3,?,?,00000000,00007FF69882A83E,?,?,?,?,?,00007FF69882A7CA), ref: 00007FF69882B3CE
FlsSetValue.KERNEL32(?,?,?,00007FF69882A5A3,?,?,00000000,00007FF69882A83E,?,?,?,?,?,00007FF69882A7CA), ref: 00007FF69882B3F6
FlsSetValue.KERNEL32(?,?,?,00007FF69882A5A3,?,?,00000000,00007FF69882A83E,?,?,?,?,?,00007FF69882A7CA), ref: 00007FF69882B407
FlsSetValue.KERNEL32(?,?,?,00007FF69882A5A3,?,?,00000000,00007FF69882A83E,?,?,?,?,?,00007FF69882A7CA), ref: 00007FF69882B418

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 44f6b3e63c936746b9124b5af5da9c753e88c88086b63197a25bc1506e4861c0
Instruction ID: a829974bce06e24617f12a37023d70c05fa1c105c66a57220d1c95a56b048888
Opcode Fuzzy Hash: 44f6b3e63c936746b9124b5af5da9c753e88c88086b63197a25bc1506e4861c0
Instruction Fuzzy Hash: 26114F21F0964281FA78A73597915792185DF847F0FD843B4E97EC6AD6DE2CF8438328

Function 00007FF69882B224 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF69882B235
FlsSetValue.KERNEL32 ref: 00007FF69882B254
FlsSetValue.KERNEL32 ref: 00007FF69882B27C
FlsSetValue.KERNEL32 ref: 00007FF69882B28D
FlsSetValue.KERNEL32 ref: 00007FF69882B29E

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 92671db20a050c4f2636db97a8291f7b9cbb2c044339a59ef12305351f814945
Instruction ID: c00032b5683b95dfd0517e1ebb11b97bfc6195181fefda81f6287923c3d7a5c8
Opcode Fuzzy Hash: 92671db20a050c4f2636db97a8291f7b9cbb2c044339a59ef12305351f814945
Instruction Fuzzy Hash: AB11F721E0A30781F9B8A375475157E218ADF857B0FD847B4D93ECA6D2DE2CB8438239

Function 00007FF698825FA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698825FDC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698826106
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6988261BC

Strings

verbose, xrefs: 00007FF698825FB0

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: 614cef4ff7ef18e8049ae171c3a51eef898075fdae578010e77be521351db2cc
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: B091BDA2A08A4682F775CE74D65077D36A1EB40BD4FC44172DA5DC33D6DE3CE8068328

Function 00007FF69882FBC8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69882FEA7

Part of subcall function 00007FF698827A3C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF698827A59

Strings

UTF-16LEUNICODE, xrefs: 00007FF69882FE45
ccs, xrefs: 00007FF69882FDE2
UTF-8, xrefs: 00007FF69882FE26

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction ID: ca44f76728dccf0d45cabf0dc32f785520fd7d3f43c01d70b17285f30f10a914
Opcode Fuzzy Hash: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction Fuzzy Hash: 0681AE77E0925285F7759E39831027836A0EF11BC8FD581B5DA0ADB296CF2DE903D329

Function 00007FF69881D648 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF69881D673
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF69881D70A
RtlUnwindEx.KERNEL32 ref: 00007FF69881D764

Strings

csm, xrefs: 00007FF69881D6F1

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction ID: 50cd85ad26dab61cb81cfc6b9395f62cb59a6616796c2361734c5479d51d638e
Opcode Fuzzy Hash: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction Fuzzy Hash: ED51A236B196028ADB34CF25E644B787391EB44B98F908570DE6E87784DF7CE841C718

Function 00007FF69881F288 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF69881F2B0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF69881F398

Strings

csm, xrefs: 00007FF69881F3EA
csm, xrefs: 00007FF69881F2D2

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction ID: c7ce2778ed31a9d84a7921153d2e0bbe9d9b91cfcfcefb574f495225083e8ef6
Opcode Fuzzy Hash: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction Fuzzy Hash: 9451AD73A083828AEB748B31D28427877A0FB54B94F9441B6DAAD93B85CF3CF451C719

Function 00007FF69881EED8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF69881EF37
_CallSETranslator.LIBVCRUNTIME ref: 00007FF69881EF83

Strings

RCC, xrefs: 00007FF69881EF53
MOC, xrefs: 00007FF69881EF4B

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction ID: e5447ce0725ddae8075f6737137657371a3bf7c4d04ed873d5fb03a6f38ee780
Opcode Fuzzy Hash: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction Fuzzy Hash: 0461C333908BC585EB318B25E5403AAB7A0FB84B84F444275EBAC83B95DF7CE190CB14

Function 00007FF698812810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF6988128EA

Strings

ERROR, xrefs: 00007FF69881286F
[PYI-%d:%ls] , xrefs: 00007FF698812868
Error, xrefs: 00007FF6988128DD

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction ID: b8be222527b58dc1dceba2889af549cb320b30fcf719f12de6fff0d4eb820b26
Opcode Fuzzy Hash: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction Fuzzy Hash: 4A21A162B08B4182E720DB64F5847EA73A4FB88784F800176EE8D9365ADF3CD645C754

Function 00007FF69882C5A0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF69882C61F
WriteFile.KERNEL32 ref: 00007FF69882C8E7
WriteFile.KERNEL32 ref: 00007FF69882C92D
GetLastError.KERNEL32 ref: 00007FF69882C9E3

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction ID: 9570c93ab65591c24af2d4f6d8691c33d4f924b570557d7282dc2bc3f6d376e0
Opcode Fuzzy Hash: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction Fuzzy Hash: 0DD1E072B18A818AE720CF75C6442BC37A2FB547D8B804266DE5ED7B89DE3CD416C318

Function 00007FF6988120C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF6988120F4
SetWindowLongPtrW.USER32 ref: 00007FF698812116
GetWindowLongPtrW.USER32 ref: 00007FF698812140
InvalidateRect.USER32 ref: 00007FF698812160

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: 4a8195d49374cc18503fd851b7d13e8d6857281aa17e027c0ca53a1c129e4b64
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: DF110C21F0C14242F764D779F7442795251EF84794FC44171EB5987B89CE3DE8D1821C

Function 00007FF698835B1C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF698831760: _invalid_parameter_noinfo.LIBCMT ref: 00007FF698831793

_get_daylight.LIBCMT ref: 00007FF698835C34
_get_daylight.LIBCMT ref: 00007FF698835C45

Strings

?, xrefs: 00007FF698835BC5

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
Instruction ID: f8aa243735133fa259c149893484936f17d23b5137fd9cf77838007d4f747b54
Opcode Fuzzy Hash: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
Instruction Fuzzy Hash: F3414912A0878256FB709B35D60137A6790EF80BE4F944276EE5C87AD9DF3CD842C718

Function 00007FF698829014 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698829046

Part of subcall function 00007FF69882A948: RtlFreeHeap.NTDLL(?,?,?,00007FF698832D22,?,?,?,00007FF698832D5F,?,?,00000000,00007FF698833225,?,?,?,00007FF698833157), ref: 00007FF69882A95E
Part of subcall function 00007FF69882A948: GetLastError.KERNEL32(?,?,?,00007FF698832D22,?,?,?,00007FF698832D5F,?,?,00000000,00007FF698833225,?,?,?,00007FF698833157), ref: 00007FF69882A968

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF69881CBA5), ref: 00007FF698829064

Strings

C:\Users\user\Desktop\Payload.exe, xrefs: 00007FF698829052

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\Payload.exe
API String ID: 3580290477-3408162776
Opcode ID: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
Instruction ID: d41c4edb065fce6b73847cd4def026ff8c8f0eb939af0eab5c01ed3c63d0915e
Opcode Fuzzy Hash: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
Instruction Fuzzy Hash: 2A416D36A0875286EB24DF36DA404B86795EF44BD0B9544B5E94EC3B85DF3CE882C324

Function 00007FF69882CC38 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF69882CD4F
GetLastError.KERNEL32 ref: 00007FF69882CD71

Strings

U, xrefs: 00007FF69882CCFB

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction ID: 420a38443baf913c5908acff1e2004c5e6377a8fc5bdb99e8dfd25f958335100
Opcode Fuzzy Hash: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction Fuzzy Hash: 3441AE62A18A8182DB308F25E9483BA67A5FB98794F804135EE4EC7B98EF3CD401C754

Function 00007FF69882F5B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF69882F5F8
GetCurrentDirectoryW.KERNEL32 ref: 00007FF69882F64A

Strings

:, xrefs: 00007FF69882F60E

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 9aa1b1c0966d0181e71a7442aa19fd9d8a3a06258be719e39fc35e3b215e25b0
Instruction ID: 013b7b5b6be2792a3020d60b7fc08d39eb80bdad91475ae03dbc0305e231c17d
Opcode Fuzzy Hash: 9aa1b1c0966d0181e71a7442aa19fd9d8a3a06258be719e39fc35e3b215e25b0
Instruction Fuzzy Hash: 0221E163A0868181EB309B31D14427D73A2FB88B84FC64075DA8D83695DF7CE946CB65

Function 00007FF69881FD48 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF69881FD98
RaiseException.KERNEL32 ref: 00007FF69881FDD9

Strings

csm, xrefs: 00007FF69881FDC6

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction ID: f7d69e2bc22b203d76e9eb5278732cb25f921d3c492926608e744dd3eb91e625
Opcode Fuzzy Hash: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction Fuzzy Hash: D7115B33608B8182EB218F25E500269B7E4FB88B88F984275EF8D47769DF3CD951CB04

Function 00007FF69883073C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69883076C
GetDriveTypeW.KERNEL32 ref: 00007FF6988307AC

Strings

:, xrefs: 00007FF698830795

Memory Dump Source

Source File: 00000004.00000002.2540301903.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000004.00000002.2540172990.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540459019.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540591496.00007FF698852000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2540810692.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff698810000_Payload.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction ID: 7773cb91b284866a3186b89ce2222444bc6c60f236cec1e32d6e42b5ff381ac8
Opcode Fuzzy Hash: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction Fuzzy Hash: 7A018F62A2860286F730AF70966527E23A0EF98794FC00076E54DC2686DE3DE9058B3C

Analysis Process: Payload.exePID: 7372, Parent PID: 7028COMMON

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.2%
Total number of Nodes:	1032
Total number of Limit Nodes:	45

Executed Functions

Function 00007FFB0BC7ED20 Relevance: 306.6, APIs: 93, Strings: 82, Instructions: 391
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?PyWinGlobals_Ensure@@YAHXZ.PYWINTYPES311 ref: 00007FFB0BC7ED2A
PyModule_Create2.PYTHON311 ref: 00007FFB0BC7ED45
PyModule_GetDict.PYTHON311 ref: 00007FFB0BC7ED5A
PyDict_SetItemString.PYTHON311 ref: 00007FFB0BC7ED80
PyLong_FromLong.PYTHON311 ref: 00007FFB0BC7ED8B
PyDict_SetItemString.PYTHON311 ref: 00007FFB0BC7ED9E
PyLong_FromLong.PYTHON311 ref: 00007FFB0BC7EDA9
PyDict_SetItemString.PYTHON311 ref: 00007FFB0BC7EDBC
PyLong_FromLong.PYTHON311 ref: 00007FFB0BC7EDC7
PyDict_SetItemString.PYTHON311 ref: 00007FFB0BC7EDDA
PyType_Ready.PYTHON311 ref: 00007FFB0BC7EDE7
PyDict_SetItemString.PYTHON311 ref: 00007FFB0BC7EE07
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7EE23
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7EE39
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7EE4F
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7EE65
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7EE7B
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7EE91
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7EEA7
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7EEBD
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7EED3
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7EEE9
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7EEFF
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7EF15
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7EF2B
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7EF41
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7EF57
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7EF6D
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7EF83
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7EF99
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7EFAF
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7EFC5
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7EFDB
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7EFEE
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7F004
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7F01A
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7F030
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7F046
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7F05C
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7F06F
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7F085
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7F09B
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7F0B1
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7F0C7
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7F0DD
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7F0F3
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7F109
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7F11F
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7F135
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7F14B
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7F161
PyModule_AddIntConstant.PYTHON311 ref: 00007FFB0BC7F177
GetModuleHandleW.KERNEL32 ref: 00007FFB0BC7F184
LoadLibraryExW.KERNEL32 ref: 00007FFB0BC7F199
GetProcAddressForCaller.KERNELBASE ref: 00007FFB0BC7F1B1
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F1C8
GetModuleHandleW.KERNEL32 ref: 00007FFB0BC7F1DC
LoadLibraryW.KERNEL32 ref: 00007FFB0BC7F1F1
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F20D
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F224
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F234
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F24B
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F262
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F279
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F290
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F2A7
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F2BE
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F2D5
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F2EC
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F303
GetModuleHandleW.KERNEL32 ref: 00007FFB0BC7F317
LoadLibraryW.KERNEL32 ref: 00007FFB0BC7F32C
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F348
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F35F
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F376
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F38D
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F3A4
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F3BB
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F3D2
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F3E9
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F400
GetModuleHandleW.KERNEL32 ref: 00007FFB0BC7F414
LoadLibraryW.KERNEL32 ref: 00007FFB0BC7F429
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F445
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F45C
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F473
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F48A
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F4A1
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F4B8
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F4CF
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F4E6
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F4FD
GetProcAddress.KERNEL32 ref: 00007FFB0BC7F514

Strings

VOS__PM32, xrefs: 00007FFB0BC7EFD1
SetSystemPowerState, xrefs: 00007FFB0BC7F2DB
SetDllDirectoryW, xrefs: 00007FFB0BC7F2C4
VS_FF_DEBUG, xrefs: 00007FFB0BC7F0FF
REG_NOTIFY_CHANGE_LAST_SET, xrefs: 00007FFB0BC7EF0B
RegSaveKeyExW, xrefs: 00007FFB0BC7F44B
error, xrefs: 00007FFB0BC7ED73
RegOpenCurrentUser, xrefs: 00007FFB0BC7F4EC
VOS_NT, xrefs: 00007FFB0BC7EF4D
VFT_DLL, xrefs: 00007FFB0BC7F091
VFT_UNKNOWN, xrefs: 00007FFB0BC7F065
VOS_DOS, xrefs: 00007FFB0BC7EF37
MonitorFromRect, xrefs: 00007FFB0BC7F393
STD_INPUT_HANDLE, xrefs: 00007FFB0BC7ED91
RegRestoreKeyW, xrefs: 00007FFB0BC7F43B
Advapi32.dll, xrefs: 00007FFB0BC7F40D, 00007FFB0BC7F422
RegCreateKeyTransactedW, xrefs: 00007FFB0BC7F462
VOS__WINDOWS16, xrefs: 00007FFB0BC7EF63
RegOpenKeyTransactedW, xrefs: 00007FFB0BC7F479
SetSystemFileCacheSize, xrefs: 00007FFB0BC7F296
GetHandleInformation, xrefs: 00007FFB0BC7F23A
VOS_DOS_WINDOWS32, xrefs: 00007FFB0BC7F010
VFT_DRV, xrefs: 00007FFB0BC7F0A7
MonitorFromPoint, xrefs: 00007FFB0BC7F3AA
NameCanonical, xrefs: 00007FFB0BC7EE87
GetDllDirectoryW, xrefs: 00007FFB0BC7F2AD
VS_FF_PRERELEASE, xrefs: 00007FFB0BC7F141
VOS_NT_WINDOWS32, xrefs: 00007FFB0BC7F026
NameFullyQualifiedDN, xrefs: 00007FFB0BC7EE2F
VS_FF_PRIVATEBUILD, xrefs: 00007FFB0BC7F157
user32.dll, xrefs: 00007FFB0BC7F310, 00007FFB0BC7F325
PyDISPLAY_DEVICEType, xrefs: 00007FFB0BC7EE00
EnumDisplayMonitors, xrefs: 00007FFB0BC7F33E
GetNativeSystemInfo, xrefs: 00007FFB0BC7F2F2
VFT_VXD, xrefs: 00007FFB0BC7F0D3
VOS_OS216_PM16, xrefs: 00007FFB0BC7F03C
NameSamCompatible, xrefs: 00007FFB0BC7EE45
NameUnknown, xrefs: 00007FFB0BC7EE19
GlobalMemoryStatusEx, xrefs: 00007FFB0BC7F268
VS_FF_PATCHED, xrefs: 00007FFB0BC7F12B
VOS__PM16, xrefs: 00007FFB0BC7EFBB
kernel32.dll, xrefs: 00007FFB0BC7F1D5, 00007FFB0BC7F1EA
GetLastInputInfo, xrefs: 00007FFB0BC7F3EF
REG_NOTIFY_CHANGE_ATTRIBUTES, xrefs: 00007FFB0BC7EEF5
VFT_STATIC_LIB, xrefs: 00007FFB0BC7F0E9
VOS_DOS_WINDOWS16, xrefs: 00007FFB0BC7EFFA
VS_FF_INFOINFERRED, xrefs: 00007FFB0BC7F115
GetComputerNameExW, xrefs: 00007FFB0BC7F203
GetSystemFileCacheSize, xrefs: 00007FFB0BC7F27F
STD_OUTPUT_HANDLE, xrefs: 00007FFB0BC7EDAF
GetLongPathNameW, xrefs: 00007FFB0BC7F22A
GetMonitorInfoW, xrefs: 00007FFB0BC7F3C1
VOS_OS232, xrefs: 00007FFB0BC7EFA5
EnumDisplayDevicesW, xrefs: 00007FFB0BC7F34E
VFT_FONT, xrefs: 00007FFB0BC7F0BD
RegDeleteKeyExW, xrefs: 00007FFB0BC7F490
NameCanonicalEx, xrefs: 00007FFB0BC7EEB3
RegCopyTreeW, xrefs: 00007FFB0BC7F4BE
VOS__WINDOWS32, xrefs: 00007FFB0BC7EF79
VOS_UNKNOWN, xrefs: 00007FFB0BC7EFE4
VOS_OS232_PM32, xrefs: 00007FFB0BC7F052
secur32.dll, xrefs: 00007FFB0BC7F17D, 00007FFB0BC7F192
GetComputerObjectNameW, xrefs: 00007FFB0BC7F1B7
NameDisplay, xrefs: 00007FFB0BC7EE5B
REG_NOTIFY_CHANGE_NAME, xrefs: 00007FFB0BC7EEDF
VS_FF_SPECIALBUILD, xrefs: 00007FFB0BC7F16D
VFT_APP, xrefs: 00007FFB0BC7F07B
REG_NOTIFY_CHANGE_SECURITY, xrefs: 00007FFB0BC7EF21
EnumDisplaySettingsExW, xrefs: 00007FFB0BC7F3D8
NameServicePrincipal, xrefs: 00007FFB0BC7EEC9
VOS_OS216, xrefs: 00007FFB0BC7EF8F
MonitorFromWindow, xrefs: 00007FFB0BC7F37C
SetHandleInformation, xrefs: 00007FFB0BC7F251
STD_ERROR_HANDLE, xrefs: 00007FFB0BC7EDCD
RegOverridePredefKey, xrefs: 00007FFB0BC7F503
RegDeleteTreeW, xrefs: 00007FFB0BC7F4D5
GetUserNameExW, xrefs: 00007FFB0BC7F1A7
GetLongPathNameA, xrefs: 00007FFB0BC7F213
NameUserPrincipal, xrefs: 00007FFB0BC7EE9D
RegDeleteKeyTransactedW, xrefs: 00007FFB0BC7F4A7
ChangeDisplaySettingsExW, xrefs: 00007FFB0BC7F365
NameUniqueId, xrefs: 00007FFB0BC7EE71

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Module_$Constant$AddressProc$Dict_ItemString$HandleLibraryLoadModule$FromLongLong_$CallerCreate2DictEnsure@@Globals_ReadyType_
String ID: Advapi32.dll$ChangeDisplaySettingsExW$EnumDisplayDevicesW$EnumDisplayMonitors$EnumDisplaySettingsExW$GetComputerNameExW$GetComputerObjectNameW$GetDllDirectoryW$GetHandleInformation$GetLastInputInfo$GetLongPathNameA$GetLongPathNameW$GetMonitorInfoW$GetNativeSystemInfo$GetSystemFileCacheSize$GetUserNameExW$GlobalMemoryStatusEx$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$NameCanonical$NameCanonicalEx$NameDisplay$NameFullyQualifiedDN$NameSamCompatible$NameServicePrincipal$NameUniqueId$NameUnknown$NameUserPrincipal$PyDISPLAY_DEVICEType$REG_NOTIFY_CHANGE_ATTRIBUTES$REG_NOTIFY_CHANGE_LAST_SET$REG_NOTIFY_CHANGE_NAME$REG_NOTIFY_CHANGE_SECURITY$RegCopyTreeW$RegCreateKeyTransactedW$RegDeleteKeyExW$RegDeleteKeyTransactedW$RegDeleteTreeW$RegOpenCurrentUser$RegOpenKeyTransactedW$RegOverridePredefKey$RegRestoreKeyW$RegSaveKeyExW$STD_ERROR_HANDLE$STD_INPUT_HANDLE$STD_OUTPUT_HANDLE$SetDllDirectoryW$SetHandleInformation$SetSystemFileCacheSize$SetSystemPowerState$VFT_APP$VFT_DLL$VFT_DRV$VFT_FONT$VFT_STATIC_LIB$VFT_UNKNOWN$VFT_VXD$VOS_DOS$VOS_DOS_WINDOWS16$VOS_DOS_WINDOWS32$VOS_NT$VOS_NT_WINDOWS32$VOS_OS216$VOS_OS216_PM16$VOS_OS232$VOS_OS232_PM32$VOS_UNKNOWN$VOS__PM16$VOS__PM32$VOS__WINDOWS16$VOS__WINDOWS32$VS_FF_DEBUG$VS_FF_INFOINFERRED$VS_FF_PATCHED$VS_FF_PRERELEASE$VS_FF_PRIVATEBUILD$VS_FF_SPECIALBUILD$error$kernel32.dll$secur32.dll$user32.dll
API String ID: 1655756704-685172649
Opcode ID: 63a8f0004610e5ca5fe4d8dfd7281fc188e588c0d7d7bbcec55101f3f079b9f9
Instruction ID: c0fd576773c95e4f98e1990ba566b2c0887660ee2ddd9a3682b122e80561df83
Opcode Fuzzy Hash: 63a8f0004610e5ca5fe4d8dfd7281fc188e588c0d7d7bbcec55101f3f079b9f9
Instruction Fuzzy Hash: F022DAE4A08B43B1EA249B35F99497423A1BF89B91F54E036D81FC7F34AF2CA509C355

Function 00007FFB0B0818C0 Relevance: 142.0, APIs: 44, Strings: 37, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyModule_Create2.PYTHON3 ref: 00007FFB0B0818EB
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FFB0B081904

Part of subcall function 00007FFB0B0813D0: PyEval_SaveThread.PYTHON3 ref: 00007FFB0B0813DA
Part of subcall function 00007FFB0B0813D0: LoadLibraryA.KERNEL32 ref: 00007FFB0B0813EA
Part of subcall function 00007FFB0B0813D0: PyEval_RestoreThread.PYTHON3 ref: 00007FFB0B0813F6
Part of subcall function 00007FFB0B0813D0: PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB0B08140A

RtlGetVersion.NTDLL ref: 00007FFB0B081945
GetSystemInfo.KERNEL32 ref: 00007FFB0B0819C1
InitializeCriticalSection.KERNEL32 ref: 00007FFB0B0819CE
PyModule_GetState.PYTHON3 ref: 00007FFB0B0819E8
PyErr_NewException.PYTHON3 ref: 00007FFB0B0819FD
_Py_Dealloc.PYTHON3 ref: 00007FFB0B081A1B
PyErr_NewException.PYTHON3 ref: 00007FFB0B081A50
PyModule_AddObject.PYTHON3 ref: 00007FFB0B081A6D
PyErr_NewException.PYTHON3 ref: 00007FFB0B081A7F
PyModule_AddObject.PYTHON3 ref: 00007FFB0B081A9C
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081AB2
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081AC8
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081ADE
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081AF4
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081B0A
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081B20
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081B36
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081B49
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081B5F
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081B75
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081B8B
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081BA1
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081BB7
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081BCD
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081BE3
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081BF9
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081C0F
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081C25
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081C3B
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081C51
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081C67
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081C7D
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081C93
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081CA9
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081CBF
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081CD5
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081CEC
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081D02
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081D18
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081D2E
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081D44
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB0B081D5A

Strings

MIB_TCP_STATE_ESTAB, xrefs: 00007FFB0B081B97
MIB_TCP_STATE_SYN_SENT, xrefs: 00007FFB0B081BAD
WINDOWS_VISTA, xrefs: 00007FFB0B081CF8
BELOW_NORMAL_PRIORITY_CLASS, xrefs: 00007FFB0B081AD4
REALTIME_PRIORITY_CLASS, xrefs: 00007FFB0B081B2C
INFINITE, xrefs: 00007FFB0B081C73
MIB_TCP_STATE_SYN_RCVD, xrefs: 00007FFB0B081BC3
MIB_TCP_STATE_LAST_ACK, xrefs: 00007FFB0B081C05
TimeoutAbandoned, xrefs: 00007FFB0B081A85
ERROR_ACCESS_DENIED, xrefs: 00007FFB0B081C89
WINDOWS_7, xrefs: 00007FFB0B081D0E
HIGH_PRIORITY_CLASS, xrefs: 00007FFB0B081AEA
TimeoutExpired, xrefs: 00007FFB0B081A56
PSUTIL_DEBUG, xrefs: 00007FFB0B0818FD
_psutil_windows.TimeoutAbandoned, xrefs: 00007FFB0B081A76
ABOVE_NORMAL_PRIORITY_CLASS, xrefs: 00007FFB0B081ABE
IDLE_PRIORITY_CLASS, xrefs: 00007FFB0B081B00
WINDOWS_10, xrefs: 00007FFB0B081D50
MIB_TCP_STATE_DELETE_TCB, xrefs: 00007FFB0B081C47
WINVER, xrefs: 00007FFB0B081CE2
PSUTIL_CONN_NONE, xrefs: 00007FFB0B081C5D
ERROR_PRIVILEGE_NOT_HELD, xrefs: 00007FFB0B081CCB
MIB_TCP_STATE_CLOSED, xrefs: 00007FFB0B081B3F
MIB_TCP_STATE_CLOSING, xrefs: 00007FFB0B081B55
WINDOWS_8, xrefs: 00007FFB0B081D24
MIB_TCP_STATE_FIN_WAIT1, xrefs: 00007FFB0B081BD9
version, xrefs: 00007FFB0B081AA8
_psutil_windows.Error, xrefs: 00007FFB0B0819F1
MIB_TCP_STATE_TIME_WAIT, xrefs: 00007FFB0B081C1B, 00007FFB0B081C31
ERROR_INVALID_NAME, xrefs: 00007FFB0B081C9F
ERROR_SERVICE_DOES_NOT_EXIST, xrefs: 00007FFB0B081CB5
NORMAL_PRIORITY_CLASS, xrefs: 00007FFB0B081B16
MIB_TCP_STATE_CLOSE_WAIT, xrefs: 00007FFB0B081B6B
MIB_TCP_STATE_FIN_WAIT2, xrefs: 00007FFB0B081BEF
_psutil_windows.TimeoutExpired, xrefs: 00007FFB0B081A47
WINDOWS_8_1, xrefs: 00007FFB0B081D3A
MIB_TCP_STATE_LISTEN, xrefs: 00007FFB0B081B81

Memory Dump Source

Source File: 00000008.00000002.2567972107.00007FFB0B081000.00000020.00000001.01000000.00000035.sdmp, Offset: 00007FFB0B080000, based on PE: true

Associated: 00000008.00000002.2567932158.00007FFB0B080000.00000002.00000001.01000000.00000035.sdmpDownload File
Associated: 00000008.00000002.2568015008.00007FFB0B08B000.00000002.00000001.01000000.00000035.sdmpDownload File
Associated: 00000008.00000002.2568056324.00007FFB0B090000.00000004.00000001.01000000.00000035.sdmpDownload File
Associated: 00000008.00000002.2568096211.00007FFB0B091000.00000002.00000001.01000000.00000035.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b080000_Payload.jbxd

Similarity

API ID: Module_$Constant$Err_$Exception$Eval_ObjectThread$Create2CriticalDeallocFilenameFromInfoInitializeLibraryLoadRestoreSaveSectionStateSystemVersionWindowsWithgetenv
String ID: ABOVE_NORMAL_PRIORITY_CLASS$BELOW_NORMAL_PRIORITY_CLASS$ERROR_ACCESS_DENIED$ERROR_INVALID_NAME$ERROR_PRIVILEGE_NOT_HELD$ERROR_SERVICE_DOES_NOT_EXIST$HIGH_PRIORITY_CLASS$IDLE_PRIORITY_CLASS$INFINITE$MIB_TCP_STATE_CLOSED$MIB_TCP_STATE_CLOSE_WAIT$MIB_TCP_STATE_CLOSING$MIB_TCP_STATE_DELETE_TCB$MIB_TCP_STATE_ESTAB$MIB_TCP_STATE_FIN_WAIT1$MIB_TCP_STATE_FIN_WAIT2$MIB_TCP_STATE_LAST_ACK$MIB_TCP_STATE_LISTEN$MIB_TCP_STATE_SYN_RCVD$MIB_TCP_STATE_SYN_SENT$MIB_TCP_STATE_TIME_WAIT$NORMAL_PRIORITY_CLASS$PSUTIL_CONN_NONE$PSUTIL_DEBUG$REALTIME_PRIORITY_CLASS$TimeoutAbandoned$TimeoutExpired$WINDOWS_10$WINDOWS_7$WINDOWS_8$WINDOWS_8_1$WINDOWS_VISTA$WINVER$_psutil_windows.Error$_psutil_windows.TimeoutAbandoned$_psutil_windows.TimeoutExpired$version
API String ID: 887074641-2468274236
Opcode ID: 6efccafb7da625c96c85524e3565947ef2e24866e459a4feb39aadcde8a1da25
Instruction ID: ca8b64a200a6017a5351accced65229cea5f643c21fedc26d8eddf5f67fdbcad
Opcode Fuzzy Hash: 6efccafb7da625c96c85524e3565947ef2e24866e459a4feb39aadcde8a1da25
Instruction Fuzzy Hash: DDC1F8A5A18A0681FA509B31E954B783362AF49BE0F409035C98F87775FF6EE349C709

Function 00007FF698811000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 511
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF698813D35
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF698813882, 00007FF6988138AF
Failed to load splash screen resources!, xrefs: 00007FF698813E85
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF698813B32
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF698813EBB
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF698813A0B, 00007FF698813CD4, 00007FF698813F6B
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF698813D12
Py_GIL_DISABLED, xrefs: 00007FF698813AF4
_PYI_ARCHIVE_FILE, xrefs: 00007FF6988138D2, 00007FF6988139FF
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF698813971
MEI, xrefs: 00007FF698813933
Failed to start splash screen!, xrefs: 00007FF698813ED4
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF698813A17, 00007FF698813A2F, 00007FF698813A9B
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF698813C61
Failed to remove temporary directory: %s, xrefs: 00007FF698813FCF
pyi-contents-directory, xrefs: 00007FF698813B8D
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF698813E0A
_PYI_SPLASH_IPC, xrefs: 00007FF698813A23, 00007FF698813EF5
Could not create temporary directory!, xrefs: 00007FF698813CBF
pyi-disable-windowed-traceback, xrefs: 00007FF698813BB2
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF6988139DE
pkg, xrefs: 00007FF6988139BE
pyi-python-flag, xrefs: 00007FF698813AD6
pyi-runtime-tmpdir, xrefs: 00007FF698813B68
VCRUNTIME140.dll, xrefs: 00007FF698813DB1
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF698813BE8
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF698813EA6
Failed to convert DLL search path!, xrefs: 00007FF698813DDC

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag$pyi-runtime-tmpdir
API String ID: 2776309574-4232158417
Opcode ID: 107d86b6642fb6af62d795093a4112b53bafaee1307e4147138b2a2b1ddb1bd8
Instruction ID: 4280c17f795015f707d91ba18a97d1c1327b72ca14284467ec2506408cd42c5a
Opcode Fuzzy Hash: 107d86b6642fb6af62d795093a4112b53bafaee1307e4147138b2a2b1ddb1bd8
Instruction Fuzzy Hash: 5F329C61A0C68291FA39DB30D7553B96761EF44780FC440BADA6DC36C6EF2CE959C328

Function 00007FFB0B081E90 Relevance: 43.9, APIs: 19, Strings: 6, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyList_New.PYTHON3 ref: 00007FFB0B081EA0
PyErr_SetFromWindowsErr.PYTHON3 ref: 00007FFB0B081EF3
_Py_Dealloc.PYTHON3 ref: 00007FFB0B081F03
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB0B081F11

Strings

psutil-debug [%s:%d]> , xrefs: 00007FFB0B081F61
NtQuerySystemInformation(SystemProcessorPerformanceInformation), xrefs: 00007FFB0B08200D
GetActiveProcessorCount() not available; using GetSystemInfo(), xrefs: 00007FFB0B081F7B
(ddddd), xrefs: 00007FFB0B082042
GetSystemInfo() failed to retrieve CPU count, xrefs: 00007FFB0B081FB4
psutil/arch/windows\cpu.c, xrefs: 00007FFB0B081F57

Memory Dump Source

Source File: 00000008.00000002.2567972107.00007FFB0B081000.00000020.00000001.01000000.00000035.sdmp, Offset: 00007FFB0B080000, based on PE: true

Associated: 00000008.00000002.2567932158.00007FFB0B080000.00000002.00000001.01000000.00000035.sdmpDownload File
Associated: 00000008.00000002.2568015008.00007FFB0B08B000.00000002.00000001.01000000.00000035.sdmpDownload File
Associated: 00000008.00000002.2568056324.00007FFB0B090000.00000004.00000001.01000000.00000035.sdmpDownload File
Associated: 00000008.00000002.2568096211.00007FFB0B091000.00000002.00000001.01000000.00000035.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b080000_Payload.jbxd

Similarity

API ID: DeallocErr_FromList_Windowsfree
String ID: (ddddd)$GetActiveProcessorCount() not available; using GetSystemInfo()$GetSystemInfo() failed to retrieve CPU count$NtQuerySystemInformation(SystemProcessorPerformanceInformation)$psutil-debug [%s:%d]> $psutil/arch/windows\cpu.c
API String ID: 2064544276-4027580629
Opcode ID: 3aba73f1beacce3b45a693e18e4e7de515b957251446303ddff290eb5a7b73cd
Instruction ID: ae7f1035dbea4b9420ab597adb546d3b528fb404c71a9ea6829e75f91e2bb723
Opcode Fuzzy Hash: 3aba73f1beacce3b45a693e18e4e7de515b957251446303ddff290eb5a7b73cd
Instruction Fuzzy Hash: A971C9B1A18B0186E6179B35E450A357365BF59B80B04C331E98FB2B71FF3CE5468704

Function 00007FFB0B087E20 Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FFB0B087E57
OpenProcessToken.ADVAPI32 ref: 00007FFB0B087E6B
GetLastError.KERNEL32 ref: 00007FFB0B087E79
ImpersonateSelf.ADVAPI32 ref: 00007FFB0B087E89
OpenProcessToken.ADVAPI32 ref: 00007FFB0B087EB6

Part of subcall function 00007FFB0B081070: GetLastError.KERNEL32 ref: 00007FFB0B081092
Part of subcall function 00007FFB0B081070: PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB0B0810B5

Part of subcall function 00007FFB0B087D80: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB0B087D92
Part of subcall function 00007FFB0B087D80: fprintf.MSPDB140-MSVCRT ref: 00007FFB0B087DAF
Part of subcall function 00007FFB0B087D80: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB0B087DB9
Part of subcall function 00007FFB0B087D80: fprintf.MSPDB140-MSVCRT ref: 00007FFB0B087DC9
Part of subcall function 00007FFB0B087D80: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB0B087DD3
Part of subcall function 00007FFB0B087D80: fprintf.MSPDB140-MSVCRT ref: 00007FFB0B087DE3
Part of subcall function 00007FFB0B087D80: GetLastError.KERNEL32 ref: 00007FFB0B087DE8
Part of subcall function 00007FFB0B087D80: PyErr_WarnEx.PYTHON3 ref: 00007FFB0B087E0A

GetLastError.KERNEL32 ref: 00007FFB0B087ED6
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB0B087EFD

Strings

ImpersonateSelf, xrefs: 00007FFB0B087E93
OpenProcessToken, xrefs: 00007FFB0B087EC0, 00007FFB0B087EDC
SeDebugPrivilege, xrefs: 00007FFB0B087F2E
LookupPrivilegeValue, xrefs: 00007FFB0B087F47
AdjustTokenPrivileges, xrefs: 00007FFB0B087FBD, 00007FFB0B088024
(originated from %s), xrefs: 00007FFB0B087EE5, 00007FFB0B087F50, 00007FFB0B087FC6

Memory Dump Source

Source File: 00000008.00000002.2567972107.00007FFB0B081000.00000020.00000001.01000000.00000035.sdmp, Offset: 00007FFB0B080000, based on PE: true

Associated: 00000008.00000002.2567932158.00007FFB0B080000.00000002.00000001.01000000.00000035.sdmpDownload File
Associated: 00000008.00000002.2568015008.00007FFB0B08B000.00000002.00000001.01000000.00000035.sdmpDownload File
Associated: 00000008.00000002.2568056324.00007FFB0B090000.00000004.00000001.01000000.00000035.sdmpDownload File
Associated: 00000008.00000002.2568096211.00007FFB0B091000.00000002.00000001.01000000.00000035.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b080000_Payload.jbxd

Similarity

API ID: ErrorLast$Err_Process__acrt_iob_funcfprintf$FilenameFromOpenTokenWindowsWith$CurrentImpersonateSelfWarn
String ID: (originated from %s)$AdjustTokenPrivileges$ImpersonateSelf$LookupPrivilegeValue$OpenProcessToken$SeDebugPrivilege
API String ID: 2544101647-3705996988
Opcode ID: 7e459fa033e77e746eff1f6157e4fc365d5f228a077588dde54361fef94116c4
Instruction ID: ac9ee9f2571d1864ba3e53391dd7374685bc698c6f1df5bb2ae4997121f2b0bf
Opcode Fuzzy Hash: 7e459fa033e77e746eff1f6157e4fc365d5f228a077588dde54361fef94116c4
Instruction Fuzzy Hash: 9B513FB1A1CB4292E7509B31E840AA97365FF44784F508036E6CF86679FF7DE609CB48

Function 00007FF698835C00 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF698835C45

Part of subcall function 00007FF698835598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6988355AC

Part of subcall function 00007FF69882A948: RtlFreeHeap.NTDLL(?,?,?,00007FF698832D22,?,?,?,00007FF698832D5F,?,?,00000000,00007FF698833225,?,?,?,00007FF698833157), ref: 00007FF69882A95E
Part of subcall function 00007FF69882A948: GetLastError.KERNEL32(?,?,?,00007FF698832D22,?,?,?,00007FF698832D5F,?,?,00000000,00007FF698833225,?,?,?,00007FF698833157), ref: 00007FF69882A968

Part of subcall function 00007FF69882A900: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF69882A8DF,?,?,?,?,?,00007FF69882A7CA), ref: 00007FF69882A909
Part of subcall function 00007FF69882A900: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF69882A8DF,?,?,?,?,?,00007FF69882A7CA), ref: 00007FF69882A92E

_get_daylight.LIBCMT ref: 00007FF698835C34

Part of subcall function 00007FF6988355F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69883560C

_get_daylight.LIBCMT ref: 00007FF698835EAA
_get_daylight.LIBCMT ref: 00007FF698835EBB
_get_daylight.LIBCMT ref: 00007FF698835ECC
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF69883610C), ref: 00007FF698835EF3

Strings

Eastern Summer Time, xrefs: 00007FF698835FB1
Eastern Standard Time, xrefs: 00007FF698835F99

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: 677ea417f3249c8bdb60afb6413c0575e0f743ff33606516b420b369f71394b1
Instruction ID: 6cf8cf743b263785518ddd497305f8e986d9ac35362b828cd396cbad772e12cd
Opcode Fuzzy Hash: 677ea417f3249c8bdb60afb6413c0575e0f743ff33606516b420b369f71394b1
Instruction Fuzzy Hash: 71D1E322B0864246E730EF36D6415B96761FF84B94FC481B7EA0DC7A96DF3CE8418768

Function 00007FF698836964 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF698836698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6988366D9
Part of subcall function 00007FF698836698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF698836757
Part of subcall function 00007FF698836698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6988367A8

CreateFileW.KERNEL32 ref: 00007FF698836A6A
CreateFileW.KERNEL32 ref: 00007FF698836ABA
GetLastError.KERNEL32 ref: 00007FF698836AEA
GetFileType.KERNEL32 ref: 00007FF698836AFF
GetLastError.KERNEL32 ref: 00007FF698836B09
CloseHandle.KERNEL32 ref: 00007FF698836B3C
CloseHandle.KERNEL32 ref: 00007FF698836C9F
CreateFileW.KERNEL32 ref: 00007FF698836CD4
GetLastError.KERNEL32 ref: 00007FF698836CE3

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction ID: 26226ba1d2418ae19d7d367596cfedbb1815d030458240a6a16bec5b423370d6
Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction Fuzzy Hash: C9C1D476B28A4185EB24CF79C6902AC3761FB49BA8B811276DE1E977D4CF3CD452C314

Function 00007FF698835E7C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF698835EAA

Part of subcall function 00007FF6988355F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69883560C

_get_daylight.LIBCMT ref: 00007FF698835EBB

Part of subcall function 00007FF698835598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6988355AC

_get_daylight.LIBCMT ref: 00007FF698835ECC

Part of subcall function 00007FF6988355C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6988355DC

Part of subcall function 00007FF69882A948: RtlFreeHeap.NTDLL(?,?,?,00007FF698832D22,?,?,?,00007FF698832D5F,?,?,00000000,00007FF698833225,?,?,?,00007FF698833157), ref: 00007FF69882A95E
Part of subcall function 00007FF69882A948: GetLastError.KERNEL32(?,?,?,00007FF698832D22,?,?,?,00007FF698832D5F,?,?,00000000,00007FF698833225,?,?,?,00007FF698833157), ref: 00007FF69882A968

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF69883610C), ref: 00007FF698835EF3

Strings

Eastern Summer Time, xrefs: 00007FF698835FB1
Eastern Standard Time, xrefs: 00007FF698835F99

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: 179af59534a267e8b56f66eebf2dbf2058aebcf107c16e98e161f461d30bd41f
Instruction ID: ef0071557b77233d84558f00d21d4f6deffb955e669e193092d6c6572881ccb3
Opcode Fuzzy Hash: 179af59534a267e8b56f66eebf2dbf2058aebcf107c16e98e161f461d30bd41f
Instruction Fuzzy Hash: 02517332A1864286E730DF35D6815A96761FF48784FC041BAEA4EC7A96DF3CE8018768

Function 00007FF698819280 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF6988192B3
FindClose.KERNEL32 ref: 00007FF6988192C2

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction ID: ddff5973ea6b33d66c89ba01e36ccf27e0ca8687f9b7e67b3c77150880298f04
Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction Fuzzy Hash: BEF0C822A1874186F7B08B74F9887AA7350FB84324F840735D97D82AD4DF7CD048CA08

Function 00007FFB0A8F56E0 Relevance: 91.2, APIs: 38, Strings: 14, Instructions: 214
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyUnicode_InternFromString.PYTHON311 ref: 00007FFB0A8F56ED
PyType_Ready.PYTHON311 ref: 00007FFB0A8F5717
PyType_Ready.PYTHON311 ref: 00007FFB0A8F572C
PyType_Ready.PYTHON311 ref: 00007FFB0A8F5741
PyType_Ready.PYTHON311 ref: 00007FFB0A8F5764
PyType_Ready.PYTHON311 ref: 00007FFB0A8F5779
PyType_Ready.PYTHON311 ref: 00007FFB0A8F578E
PyType_Ready.PYTHON311 ref: 00007FFB0A8F57A3
PyType_Ready.PYTHON311 ref: 00007FFB0A8F57B8
PyImport_ImportModule.PYTHON311 ref: 00007FFB0A8F57CD
PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F57E9
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8F5808
PyImport_ImportModule.PYTHON311 ref: 00007FFB0A8F5815
PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F5831
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8F5850
PyImport_ImportModule.PYTHON311 ref: 00007FFB0A8F585D
PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F5879
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8F5898
PyImport_ImportModule.PYTHON311 ref: 00007FFB0A8F58A5
PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F58BE
PyObject_CallMethod.PYTHON311 ref: 00007FFB0A8F58F0
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8F5908
PyObject_CallMethod.PYTHON311 ref: 00007FFB0A8F592A
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8F5942
PyObject_CallMethod.PYTHON311 ref: 00007FFB0A8F5964
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8F597C
PyObject_CallMethod.PYTHON311 ref: 00007FFB0A8F599E
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8F59B6
PyModule_Create2.PYTHON311 ref: 00007FFB0A8F59C8
PyModule_AddObject.PYTHON311 ref: 00007FFB0A8F59E9
PyModule_AddObject.PYTHON311 ref: 00007FFB0A8F5A0F
PyModule_AddObject.PYTHON311 ref: 00007FFB0A8F5A31
PyModule_AddObject.PYTHON311 ref: 00007FFB0A8F5A53
PyModule_AddObject.PYTHON311 ref: 00007FFB0A8F5A75
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8F5A9A
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8F5AB2
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8F5ACA
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8F5AE2

Part of subcall function 00007FFB0A8F2BE0: PyImport_ImportModule.PYTHON311 ref: 00007FFB0A8F2BED
Part of subcall function 00007FFB0A8F2BE0: PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F2C09
Part of subcall function 00007FFB0A8F2BE0: PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F2C29
Part of subcall function 00007FFB0A8F2BE0: PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F2C49
Part of subcall function 00007FFB0A8F2BE0: PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F2C69
Part of subcall function 00007FFB0A8F2BE0: PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F2C89
Part of subcall function 00007FFB0A8F2BE0: PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F2CA9
Part of subcall function 00007FFB0A8F2BE0: PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F2CC9
Part of subcall function 00007FFB0A8F2BE0: PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F2CE9
Part of subcall function 00007FFB0A8F2BE0: PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F2D09
Part of subcall function 00007FFB0A8F2BE0: PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F2D29
Part of subcall function 00007FFB0A8F2BE0: PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F2D49
Part of subcall function 00007FFB0A8F2BE0: PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F2D69
Part of subcall function 00007FFB0A8F2BE0: PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F2D89
Part of subcall function 00007FFB0A8F2BE0: PyType_Ready.PYTHON311 ref: 00007FFB0A8F2DA6
Part of subcall function 00007FFB0A8F2BE0: PyType_Ready.PYTHON311 ref: 00007FFB0A8F2DBB
Part of subcall function 00007FFB0A8F2BE0: PyType_Ready.PYTHON311 ref: 00007FFB0A8F2DD0

Strings

istr, xrefs: 00007FFB0A8F59DF
CIMultiDict, xrefs: 00007FFB0A8F5A27
_mdrepr, xrefs: 00007FFB0A8F58B4
Mapping, xrefs: 00007FFB0A8F57DF
MultiDictProxy, xrefs: 00007FFB0A8F5A49
collections.abc, xrefs: 00007FFB0A8F57C6
MutableMultiMapping, xrefs: 00007FFB0A8F586F
register, xrefs: 00007FFB0A8F58E9, 00007FFB0A8F5923, 00007FFB0A8F595D, 00007FFB0A8F5997
MultiDict, xrefs: 00007FFB0A8F5A05
CIMultiDictProxy, xrefs: 00007FFB0A8F5A6B
multidict._multidict_base, xrefs: 00007FFB0A8F589E
MultiMapping, xrefs: 00007FFB0A8F5827
lower, xrefs: 00007FFB0A8F56E6
multidict._abc, xrefs: 00007FFB0A8F580E, 00007FFB0A8F5856

Memory Dump Source

Source File: 00000008.00000002.2566818563.00007FFB0A8F1000.00000020.00000001.01000000.00000037.sdmp, Offset: 00007FFB0A8F0000, based on PE: true

Associated: 00000008.00000002.2566791091.00007FFB0A8F0000.00000002.00000001.01000000.00000037.sdmpDownload File
Associated: 00000008.00000002.2566847583.00007FFB0A8F7000.00000002.00000001.01000000.00000037.sdmpDownload File
Associated: 00000008.00000002.2566872670.00007FFB0A8FA000.00000004.00000001.01000000.00000037.sdmpDownload File
Associated: 00000008.00000002.2566897711.00007FFB0A8FD000.00000002.00000001.01000000.00000037.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8f0000_Payload.jbxd

Similarity

API ID: Object_$String$Attr$DeallocReadyType_$Module_$ImportImport_ModuleObject$CallMethod$Create2FromInternUnicode_
String ID: CIMultiDict$CIMultiDictProxy$Mapping$MultiDict$MultiDictProxy$MultiMapping$MutableMultiMapping$_mdrepr$collections.abc$istr$lower$multidict._abc$multidict._multidict_base$register
API String ID: 944784396-2208273230
Opcode ID: 08c51095a8802f7f569480ea8c344894e709f3f0af8f68b762f76c56697bc3f2
Instruction ID: aaa52aecf5a7eea5ad9f78de9100e5f7f34688a5076a66096c1ef88251138444
Opcode Fuzzy Hash: 08c51095a8802f7f569480ea8c344894e709f3f0af8f68b762f76c56697bc3f2
Instruction Fuzzy Hash: 0BB19DE6E09B0795FE199B31EC94D7423ACBF45B95F950CF6C80E422A0EE2CE569C350

Function 00007FFB0B0813D0 Relevance: 89.5, APIs: 27, Strings: 24, Instructions: 229
libraryloaderthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyEval_SaveThread.PYTHON3 ref: 00007FFB0B0813DA
LoadLibraryA.KERNEL32 ref: 00007FFB0B0813EA
PyEval_RestoreThread.PYTHON3 ref: 00007FFB0B0813F6
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB0B08140A
GetProcAddress.KERNEL32 ref: 00007FFB0B08141C
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB0B081430
FreeLibrary.KERNEL32 ref: 00007FFB0B081439
GetModuleHandleA.KERNEL32 ref: 00007FFB0B081466
GetProcAddress.KERNEL32 ref: 00007FFB0B081484
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB0B081498
GetModuleHandleA.KERNEL32 ref: 00007FFB0B0814C5
GetProcAddress.KERNEL32 ref: 00007FFB0B0814E3
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB0B0814F7
PyEval_SaveThread.PYTHON3 ref: 00007FFB0B08151D
LoadLibraryA.KERNEL32 ref: 00007FFB0B08152D
PyEval_RestoreThread.PYTHON3 ref: 00007FFB0B081539
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB0B08154D
GetProcAddress.KERNEL32 ref: 00007FFB0B081574
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB0B081588
FreeLibrary.KERNEL32 ref: 00007FFB0B081591

Strings

RtlNtStatusToDosErrorNoTeb, xrefs: 00007FFB0B0816AC
NtQueryInformationProcess, xrefs: 00007FFB0B08147A, 00007FFB0B08148F
NtSuspendProcess, xrefs: 00007FFB0B081643
GetExtendedUdpTable, xrefs: 00007FFB0B0815FD
RtlGetVersion, xrefs: 00007FFB0B081620
GetTickCount64, xrefs: 00007FFB0B0816EA, 00007FFB0B0816FF
iphlpapi.dll, xrefs: 00007FFB0B0815E1, 00007FFB0B081604
NtResumeProcess, xrefs: 00007FFB0B081666
GetLogicalProcessorInformationEx, xrefs: 00007FFB0B081792
kernel32, xrefs: 00007FFB0B0816CF, 00007FFB0B0816E1, 00007FFB0B081751, 00007FFB0B081763, 00007FFB0B0817A0
ntdll.dll, xrefs: 00007FFB0B0813E0, 00007FFB0B081401, 00007FFB0B081458, 00007FFB0B081471, 00007FFB0B0814B7, 00007FFB0B0814D0, 00007FFB0B081523, 00007FFB0B081544, 00007FFB0B0815BE, 00007FFB0B081627, 00007FFB0B081735
GetExtendedTcpTable, xrefs: 00007FFB0B0815DA
NtQueryObject, xrefs: 00007FFB0B08156A, 00007FFB0B08157F
wtsapi32.dll, xrefs: 00007FFB0B0817BA, 00007FFB0B0817D4, 00007FFB0B0817EE
WTSEnumerateSessionsW, xrefs: 00007FFB0B0817AC
RtlIpv4AddressToStringA, xrefs: 00007FFB0B0815B0
NtQuerySystemInformation, xrefs: 00007FFB0B081412, 00007FFB0B081427
NtQueryVirtualMemory, xrefs: 00007FFB0B081689
RtlIpv6AddressToStringA, xrefs: 00007FFB0B081727
NtSetInformationProcess, xrefs: 00007FFB0B0814D9, 00007FFB0B0814EE
WTSQuerySessionInformationW, xrefs: 00007FFB0B0817C6
WTSFreeMemory, xrefs: 00007FFB0B0817E0
ntdll, xrefs: 00007FFB0B08164A, 00007FFB0B08166D, 00007FFB0B081690, 00007FFB0B0816B3
GetActiveProcessorCount, xrefs: 00007FFB0B08176C, 00007FFB0B081781

Memory Dump Source

Source File: 00000008.00000002.2567972107.00007FFB0B081000.00000020.00000001.01000000.00000035.sdmp, Offset: 00007FFB0B080000, based on PE: true

Associated: 00000008.00000002.2567932158.00007FFB0B080000.00000002.00000001.01000000.00000035.sdmpDownload File
Associated: 00000008.00000002.2568015008.00007FFB0B08B000.00000002.00000001.01000000.00000035.sdmpDownload File
Associated: 00000008.00000002.2568056324.00007FFB0B090000.00000004.00000001.01000000.00000035.sdmpDownload File
Associated: 00000008.00000002.2568096211.00007FFB0B091000.00000002.00000001.01000000.00000035.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b080000_Payload.jbxd

Similarity

API ID: Err_FilenameFromWindowsWith$AddressEval_LibraryProcThread$FreeHandleLoadModuleRestoreSave
String ID: GetActiveProcessorCount$GetExtendedTcpTable$GetExtendedUdpTable$GetLogicalProcessorInformationEx$GetTickCount64$NtQueryInformationProcess$NtQueryObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtResumeProcess$NtSetInformationProcess$NtSuspendProcess$RtlGetVersion$RtlIpv4AddressToStringA$RtlIpv6AddressToStringA$RtlNtStatusToDosErrorNoTeb$WTSEnumerateSessionsW$WTSFreeMemory$WTSQuerySessionInformationW$iphlpapi.dll$kernel32$ntdll$ntdll.dll$wtsapi32.dll
API String ID: 3787047288-761253638
Opcode ID: 6b7c78cd98652e75907c508de1284e9f0e804c7fc3037098929c04c6a191e3dd
Instruction ID: c926cfe3bbc7de125d193c763179f0cc535541a460dad00d078d5de5ffbd1d44
Opcode Fuzzy Hash: 6b7c78cd98652e75907c508de1284e9f0e804c7fc3037098929c04c6a191e3dd
Instruction Fuzzy Hash: 04C1A1A0A09B0790FA549B34F85497933A1AF48754F84D435C48FCA2B5FF6EE65AC348

Function 00007FFB0A8F2BE0 Relevance: 68.4, APIs: 25, Strings: 14, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyImport_ImportModule.PYTHON311 ref: 00007FFB0A8F2BED
PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F2C09
PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F2C29
PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F2C49
PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F2C69
PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F2C89
PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F2CA9
PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F2CC9
PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F2CE9
PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F2D09
PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F2D29
PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F2D49
PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F2D69
PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8F2D89
PyType_Ready.PYTHON311 ref: 00007FFB0A8F2DA6
PyType_Ready.PYTHON311 ref: 00007FFB0A8F2DBB
PyType_Ready.PYTHON311 ref: 00007FFB0A8F2DD0
PyObject_CallFunctionObjArgs.PYTHON311 ref: 00007FFB0A8F2DEF
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8F2E03
PyObject_CallFunctionObjArgs.PYTHON311 ref: 00007FFB0A8F2E1A
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8F2E2E
PyObject_CallFunctionObjArgs.PYTHON311 ref: 00007FFB0A8F2E45
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8F2E59
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8F2E68
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8F2E7F

Strings

_viewbaseset_and, xrefs: 00007FFB0A8F2C1F
_abc_keysview_register, xrefs: 00007FFB0A8F2CBF
_abc_valuesview_register, xrefs: 00007FFB0A8F2CDF
_itemsview_repr, xrefs: 00007FFB0A8F2D1F
_viewbaseset_richcmp, xrefs: 00007FFB0A8F2BFF
_viewbaseset_xor, xrefs: 00007FFB0A8F2C7F
_viewbaseset_or, xrefs: 00007FFB0A8F2C3F
multidict._multidict_base, xrefs: 00007FFB0A8F2BE6
_abc_itemsview_register, xrefs: 00007FFB0A8F2C9F
_viewbaseset_sub, xrefs: 00007FFB0A8F2C5F
_keysview_repr, xrefs: 00007FFB0A8F2D3F
_keysview_isdisjoint, xrefs: 00007FFB0A8F2D5F
_itemsview_isdisjoint, xrefs: 00007FFB0A8F2CFF
_valuesview_repr, xrefs: 00007FFB0A8F2D7F

Memory Dump Source

Source File: 00000008.00000002.2566818563.00007FFB0A8F1000.00000020.00000001.01000000.00000037.sdmp, Offset: 00007FFB0A8F0000, based on PE: true

Associated: 00000008.00000002.2566791091.00007FFB0A8F0000.00000002.00000001.01000000.00000037.sdmpDownload File
Associated: 00000008.00000002.2566847583.00007FFB0A8F7000.00000002.00000001.01000000.00000037.sdmpDownload File
Associated: 00000008.00000002.2566872670.00007FFB0A8FA000.00000004.00000001.01000000.00000037.sdmpDownload File
Associated: 00000008.00000002.2566897711.00007FFB0A8FD000.00000002.00000001.01000000.00000037.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8f0000_Payload.jbxd

Similarity

API ID: Object_$AttrString$Dealloc$ArgsCallFunctionReadyType_$ImportImport_Module
String ID: _abc_itemsview_register$_abc_keysview_register$_abc_valuesview_register$_itemsview_isdisjoint$_itemsview_repr$_keysview_isdisjoint$_keysview_repr$_valuesview_repr$_viewbaseset_and$_viewbaseset_or$_viewbaseset_richcmp$_viewbaseset_sub$_viewbaseset_xor$multidict._multidict_base
API String ID: 332009191-771933236
Opcode ID: 3886260fe7dc88bbf78af91203f12f46d8feca2923286ea4ea632ab2d0c9c1a3
Instruction ID: 6dc68033a7aa9f24137de239a788d1b328b2f46213a4d3b5067ec0c30badb327
Opcode Fuzzy Hash: 3886260fe7dc88bbf78af91203f12f46d8feca2923286ea4ea632ab2d0c9c1a3
Instruction Fuzzy Hash: 5261C0E6E1AB0781FE199B35E854D7023ADBF49B84B985CB4C85E063A4FF3CE558C250

Function 00007FF698811950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF698817F90: _fread_nolock.LIBCMT ref: 00007FF69881803A

_fread_nolock.LIBCMT ref: 00007FF698811A1B

Part of subcall function 00007FF698812910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF698811B6A), ref: 00007FF69881295E

Strings

calloc, xrefs: 00007FF698811A68
Failed to seek to cookie position!, xrefs: 00007FF6988119EE
Could not allocate buffer for TOC!, xrefs: 00007FF698811B1B
Failed to read cookie!, xrefs: 00007FF698811A2B
fseek, xrefs: 00007FF6988119F5
MEI, xrefs: 00007FF698811991
Could not read full TOC!, xrefs: 00007FF698811B55
Could not allocate memory for archive structure!, xrefs: 00007FF698811A61
fread, xrefs: 00007FF698811A32, 00007FF698811B5C
Error on file., xrefs: 00007FF698811B8D
malloc, xrefs: 00007FF698811B22

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: ed5d37bd12c92faad5b6bf746ee66ab535d4fcd70a2e81ebf99a2f5a44e873f3
Instruction ID: f9a33e1feb2fd033e9059db8300639be821e28563b988a972ab9653916c6be6c
Opcode Fuzzy Hash: ed5d37bd12c92faad5b6bf746ee66ab535d4fcd70a2e81ebf99a2f5a44e873f3
Instruction Fuzzy Hash: A881C675B0DA8686EB30DB34D2406F92390EF84784FC05472E99DC778ADE3CE5858768

Function 00007FF698812180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDC.USER32 ref: 00007FF6988121AB
SelectObject.GDI32 ref: 00007FF6988121F2
DrawTextW.USER32 ref: 00007FF698812215
SelectObject.GDI32 ref: 00007FF69881222B
ReleaseDC.USER32 ref: 00007FF69881223B
MoveWindow.USER32 ref: 00007FF69881228B
MoveWindow.USER32 ref: 00007FF6988122CB
MoveWindow.USER32 ref: 00007FF69881231E
MoveWindow.USER32 ref: 00007FF698812366

Strings

P%, xrefs: 00007FF6988121FF

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: 63b41d118fb7d7e99b91d17ebab4e07e6ce4284066f164aba361a6d8aacdcfb1
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: 8651F566604BA186D6349F36E4181BAB7A1FB98B65F004132EFDE83694DF3CD085DB24

Function 00007FF698811470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6988115DF
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF698811518
fseek, xrefs: 00007FF6988114E5
Failed to extract %s: failed to open archive file!, xrefs: 00007FF69881149F
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6988114DE
fread, xrefs: 00007FF6988115E6
malloc, xrefs: 00007FF69881151F

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: d05b6496b5af748bebfea94a6d4e4a606a9eebb406293e4b0ad9cb08ca487f3b
Instruction ID: eaaa19a7b087f357a4877b198cc5b35318de3887819220f72639901a103be0a1
Opcode Fuzzy Hash: d05b6496b5af748bebfea94a6d4e4a606a9eebb406293e4b0ad9cb08ca487f3b
Instruction Fuzzy Hash: D0419D66B0864286EB20DB3196405F96390FF847D4FC458B2ED1D87B9ADF3CE902C728

Function 00007FF698811210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF69881141E
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF6988112EF
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF6988112BA
1.3.1, xrefs: 00007FF698811249
malloc, xrefs: 00007FF6988112C1, 00007FF6988112F6
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF698811276

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: a2c136f2dc630e8bd9ba9f433a9a55eed43a6e2fd02c79a9c85d053d34a5d002
Instruction ID: bd516fbbba4d4358309bb4be44fbcebe1502822783f8984094e0a8730f6bbd21
Opcode Fuzzy Hash: a2c136f2dc630e8bd9ba9f433a9a55eed43a6e2fd02c79a9c85d053d34a5d002
Instruction Fuzzy Hash: 0B511826A0864285EA70DB31E6403BA6291FF84B94FC44175ED5DC7BC9EF3CE942C728

Function 00007FF6988136B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,00007FF698813804), ref: 00007FF6988136E1
GetLastError.KERNEL32(?,00007FF698813804), ref: 00007FF6988136EB

Part of subcall function 00007FF698812C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF698813706,?,00007FF698813804), ref: 00007FF698812C9E
Part of subcall function 00007FF698812C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF698813706,?,00007FF698813804), ref: 00007FF698812D63
Part of subcall function 00007FF698812C50: MessageBoxW.USER32 ref: 00007FF698812D99

Strings

GetModuleFileNameW, xrefs: 00007FF6988136FA
\\?\, xrefs: 00007FF69881375A
Failed to convert executable path to UTF-8., xrefs: 00007FF698813790
Failed to resolve full path to executable %ls., xrefs: 00007FF698813739
Failed to obtain executable path., xrefs: 00007FF6988136F3

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction ID: 446c4032bb2c8d13c6f77325513025ec191d39068fdb2c74db9cb926548091fb
Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction Fuzzy Hash: DB219261B1864281FA309734EA543F62351FF98398FC005B6E66EC39D5EF2CE505C328

Function 00007FF69882BA5C Relevance: 10.8, APIs: 7, Instructions: 290COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69882BE89

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c3f57b6cd1f658b3a1cfdd45bc75f21d2f6c8be166295f0eb40444005b392bd6
Instruction ID: 90bbb4a0dd664e453a9aa3597f989752f9e87bc45167babf0238c9b30c43a5b7
Opcode Fuzzy Hash: c3f57b6cd1f658b3a1cfdd45bc75f21d2f6c8be166295f0eb40444005b392bd6
Instruction Fuzzy Hash: 00C1E622A0D686D1E7719B3592402BD3798FF81BD0FD541B1EA4E83396CF7CE8468728

Function 00007FF698816360 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF698816407
ucrtbase.dll, xrefs: 00007FF6988163DD
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF698816456
LoadLibrary, xrefs: 00007FF6988164AE
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF6988163C7
Failed to load Python DLL '%ls'., xrefs: 00007FF6988164A7

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 6bfffda2f71952109638076ae884e7e5d57c5dcfa62dc35d578edba97c4b3a9f
Instruction ID: 534247d2cabc2f62a3b3a6eeef12cece03a0fa51f0effd5a13ef7a6b1012746d
Opcode Fuzzy Hash: 6bfffda2f71952109638076ae884e7e5d57c5dcfa62dc35d578edba97c4b3a9f
Instruction Fuzzy Hash: 5241A371B18A8791EA31DB34E6581EA7316FF44344FC00172EAAD83695EF3CE605C364

Function 00007FFB0B0812C0 Relevance: 10.5, APIs: 7, Instructions: 37librarythreadloaderCOMMON

Download Yara Rule

APIs

PyEval_SaveThread.PYTHON3 ref: 00007FFB0B0812DA
LoadLibraryA.KERNEL32 ref: 00007FFB0B0812E6
PyEval_RestoreThread.PYTHON3 ref: 00007FFB0B0812F2
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB0B081302
GetProcAddress.KERNEL32 ref: 00007FFB0B081310
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB0B081320
FreeLibrary.KERNEL32 ref: 00007FFB0B081329

Memory Dump Source

Source File: 00000008.00000002.2567972107.00007FFB0B081000.00000020.00000001.01000000.00000035.sdmp, Offset: 00007FFB0B080000, based on PE: true

Associated: 00000008.00000002.2567932158.00007FFB0B080000.00000002.00000001.01000000.00000035.sdmpDownload File
Associated: 00000008.00000002.2568015008.00007FFB0B08B000.00000002.00000001.01000000.00000035.sdmpDownload File
Associated: 00000008.00000002.2568056324.00007FFB0B090000.00000004.00000001.01000000.00000035.sdmpDownload File
Associated: 00000008.00000002.2568096211.00007FFB0B091000.00000002.00000001.01000000.00000035.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b080000_Payload.jbxd

Similarity

API ID: Err_Eval_FilenameFromLibraryThreadWindowsWith$AddressFreeLoadProcRestoreSave
String ID:
API String ID: 568911590-0
Opcode ID: e2200b3415209b6f4be3470a672ca2eac9ae6c36c8dafb9bbec9a9066c3d2c4c
Instruction ID: b72bbdc3d0ccfba40c126e204906d9b4dad3e97aee82bbe16380558fc5be4ac7
Opcode Fuzzy Hash: e2200b3415209b6f4be3470a672ca2eac9ae6c36c8dafb9bbec9a9066c3d2c4c
Instruction Fuzzy Hash: D3011AA0A18A4681EA549B32F90853E7261FF48FD1B449034D98F8BB79EE3DD1428308

Function 00007FF698812390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6988123C8
DialogBoxIndirectParamW.USER32 ref: 00007FF69881248E
DeleteObject.GDI32 ref: 00007FF6988124C1
DestroyIcon.USER32 ref: 00007FF6988124D3

Strings

Unhandled exception in script, xrefs: 00007FF6988123F8

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 3b326f38696452fedce944a8216705a7f012b21920c96e855d1ab8eaac442c5d
Instruction ID: c93b6ae57d08ebada86ee2832dd9cd39f35c660483dbd0b95a03066187bc652d
Opcode Fuzzy Hash: 3b326f38696452fedce944a8216705a7f012b21920c96e855d1ab8eaac442c5d
Instruction Fuzzy Hash: 94319372A19A8289EB30EF31E9552F96364FF88788F840176EA4E87B49DF3CD501C714

Function 00007FFB0B081DC0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49timeCOMMON

Download Yara Rule

APIs

GetSystemTimes.KERNEL32 ref: 00007FFB0B081DD3
PyErr_SetFromWindowsErr.PYTHON3 ref: 00007FFB0B081DDF
Py_BuildValue.PYTHON3 ref: 00007FFB0B081E82

Strings

(ddd), xrefs: 00007FFB0B081DF4

Memory Dump Source

Source File: 00000008.00000002.2567972107.00007FFB0B081000.00000020.00000001.01000000.00000035.sdmp, Offset: 00007FFB0B080000, based on PE: true

Associated: 00000008.00000002.2567932158.00007FFB0B080000.00000002.00000001.01000000.00000035.sdmpDownload File
Associated: 00000008.00000002.2568015008.00007FFB0B08B000.00000002.00000001.01000000.00000035.sdmpDownload File
Associated: 00000008.00000002.2568056324.00007FFB0B090000.00000004.00000001.01000000.00000035.sdmpDownload File
Associated: 00000008.00000002.2568096211.00007FFB0B091000.00000002.00000001.01000000.00000035.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b080000_Payload.jbxd

Similarity

API ID: BuildErr_FromSystemTimesValueWindows
String ID: (ddd)
API String ID: 2325294781-2401937087
Opcode ID: ba0bdbf672466f0367906313a703a410643c45962e3f53d94245850bb14888e0
Instruction ID: 88765b9d73003a4a407255ff97eb14a3170a76efb28fe722b4c45476342f0396
Opcode Fuzzy Hash: ba0bdbf672466f0367906313a703a410643c45962e3f53d94245850bb14888e0
Instruction Fuzzy Hash: 90118471A29E414FC553D735D980926E3A5AFAA790B44C322F54FF5E60FB2CE1978B00

Function 00007FF69882F98C Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF69882FA7C
_get_daylight.LIBCMT ref: 00007FF69882FA8D
_get_daylight.LIBCMT ref: 00007FF69882FA9E
_isindst.LIBCMT ref: 00007FF69882FB69

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction ID: 5270318cfc24efb3d7287fe5e256977253d1c2dfa1fa265302251ba89fbc40f9
Opcode Fuzzy Hash: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction Fuzzy Hash: A051F173F042128AEB38DF749A616BC26A5EB443A8F900275DD1E96AE5DF3CA403C714

Function 00007FF69882577C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF6988257AF
GetFileInformationByHandle.KERNEL32 ref: 00007FF698825811
GetLastError.KERNEL32 ref: 00007FF6988258A2
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6988256B4), ref: 00007FF6988258EE

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: f2931e55a17fed7c801103cab28c1f7fd047901bf7fa79ea6702d423310ad099
Instruction ID: 8ed25a25b3047b9e8649dd0e0eb557b5f9b7445e9d0c036dc72a7c16a90cbfd2
Opcode Fuzzy Hash: f2931e55a17fed7c801103cab28c1f7fd047901bf7fa79ea6702d423310ad099
Instruction Fuzzy Hash: F7519B22E086418AFBB0CF71D6503BD27A1FB48B98F908435EE1D9B689DF7CD4428324

Function 00007FF698825628 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698825655
CreateFileW.KERNEL32 ref: 00007FF698825694
CloseHandle.KERNEL32 ref: 00007FF6988256C9

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 8f3d5377b4ca72f71b0fe910297a4b2920b1cd85568e136600ee028e7f718979
Instruction ID: 876a4d216e73bc57d65d686cd0e336fd23a445dadb9df53ef0535b2787ba4d78
Opcode Fuzzy Hash: 8f3d5377b4ca72f71b0fe910297a4b2920b1cd85568e136600ee028e7f718979
Instruction Fuzzy Hash: 7C41C222E5878183F7608B3096103797360FB947A4F908375EA9C83AD5DF7CA4E18724

Function 00007FF6988120C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF6988120F4
SetWindowLongPtrW.USER32 ref: 00007FF698812116
GetWindowLongPtrW.USER32 ref: 00007FF698812140
InvalidateRect.USER32 ref: 00007FF698812160

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: 4a8195d49374cc18503fd851b7d13e8d6857281aa17e027c0ca53a1c129e4b64
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: DF110C21F0C14242F764D779F7442795251EF84794FC44171EB5987B89CE3DE8D1821C

Function 00007FF69881CC3C Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF69881CE0C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF69881CE20

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF69881CC60
__scrt_release_startup_lock.LIBCMT ref: 00007FF69881CCCE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF69881CD21

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction ID: a98f593ef5a6c5afe46bcaa0bccfae7a6357be906c93d31ef3570f7af1f27261
Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction Fuzzy Hash: F2315A21E4C24341FA74AB74DB953B91282EF41784FC454B5E92EC72D3DE6CA805C27D

Function 00007FF69882013C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698820180
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698820277

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction ID: 7fea09f21f25048b3f3ff633af3c0792c64c2977c23cbc64722ef0031cc229cf
Opcode Fuzzy Hash: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction Fuzzy Hash: E1513821B29242C6F738DA36960467A6681FF84BE4F984775DD6DC37C6CF3CD4029628

Function 00007FF69882C134 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,?,00007FF69882C2CD), ref: 00007FF69882C180
GetLastError.KERNEL32(?,?,?,?,?,00007FF69882C2CD), ref: 00007FF69882C18A

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction ID: 0dab18549605feaf175ea5f7ac05febaf0e6fa4f78421aafca074e5ae72d1337
Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction Fuzzy Hash: 8B11B261608A8181DA30CB35AA141796362EB45FF4F944371EE7D877D9CF7CD4528714

Function 00007FF698825924 Relevance: 3.0, APIs: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF698825839), ref: 00007FF698825957
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF698825839), ref: 00007FF69882596D

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 497c6f3b45805196ef8f930e068bad9451f3f50de380bc241881b145e929bf5b
Instruction ID: baecb31641baa73108a223af5ea28ed8d680995eec0c540b3d79548b8d0bc3cf
Opcode Fuzzy Hash: 497c6f3b45805196ef8f930e068bad9451f3f50de380bc241881b145e929bf5b
Instruction Fuzzy Hash: E311A37260C71282EB748B24F55107AB7A0FB847B1F900276FAADC59D8EF2CD815DB24

Function 00007FF69882A948 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF698832D22,?,?,?,00007FF698832D5F,?,?,00000000,00007FF698833225,?,?,?,00007FF698833157), ref: 00007FF69882A95E
GetLastError.KERNEL32(?,?,?,00007FF698832D22,?,?,?,00007FF698832D5F,?,?,00000000,00007FF698833225,?,?,?,00007FF698833157), ref: 00007FF69882A968

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
Instruction ID: d49dcc89b00f18be24a1a40a644c028aaee82f6c4d9fdf72a7665442f769153b
Opcode Fuzzy Hash: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
Instruction Fuzzy Hash: AFE08650F0960252FF355BF29A551381295EF84780FC400B5D81DC6291DD2C6C878738

Function 00007FF69882AB58 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00007FF69882A9D5,?,?,00000000,00007FF69882AA8A), ref: 00007FF69882ABC6
GetLastError.KERNEL32(?,?,?,00007FF69882A9D5,?,?,00000000,00007FF69882AA8A), ref: 00007FF69882ABD0

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction ID: 36b048a5619d8e5ba8078d2f66dddcf86821e9461f632968e5540eda9d74ecaf
Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction Fuzzy Hash: 39219611B1868251FEB46771975477D1282DF847E0F8442F9D92EC77D5CF6CA4438328

Function 00007FFB0B0F0180 Relevance: 1.7, APIs: 1, Instructions: 204COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00007FFB0B0F01A5

Memory Dump Source

Source File: 00000008.00000002.2569016727.00007FFB0B0E1000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFB0B0E0000, based on PE: true

Associated: 00000008.00000002.2568969981.00007FFB0B0E0000.00000002.00000001.01000000.00000020.sdmpDownload File
Associated: 00000008.00000002.2569256358.00007FFB0B20E000.00000002.00000001.01000000.00000020.sdmpDownload File
Associated: 00000008.00000002.2569333263.00007FFB0B23B000.00000004.00000001.01000000.00000020.sdmpDownload File
Associated: 00000008.00000002.2569383006.00007FFB0B240000.00000002.00000001.01000000.00000020.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b0e0000_Payload.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: b0054afb10e4f66619171edf603becae74e7afe6d3d72f3cb96377bce576b712
Instruction ID: d2704f0a4ed43652a4c6b260ecd3c82e712f1d37714722337af50389b6c8ea71
Opcode Fuzzy Hash: b0054afb10e4f66619171edf603becae74e7afe6d3d72f3cb96377bce576b712
Instruction Fuzzy Hash: 20A117E2E0EB4782FE959F61E954F7866A5BF44F80F148535C80F86BB1FF6CA4918204

Function 00007FF69882BEAC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69882BED4

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction ID: 755d85f2ec99117e9cf7b1d345e30b80b7da48ff4cfa6fa9100dd96638b9cca7
Opcode Fuzzy Hash: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction Fuzzy Hash: DA41B132919242C7EA348A39A64027973A8EF557C0F940171DBCEC36D5CF3CE4038B64

Function 00007FF698817F90 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF69881803A

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 646aed39ea6f17e541e63cd65dc88b0faf9ba06fd308515a24b2227d087293ad
Instruction ID: 829e6e34a88490aaf2f5824f5af58290f2707ec77243744e8fc0365c68ff7e6d
Opcode Fuzzy Hash: 646aed39ea6f17e541e63cd65dc88b0faf9ba06fd308515a24b2227d087293ad
Instruction Fuzzy Hash: 9921D321B1865646FA34AA326A053BAA751FF45FC4FC844B0EE1D87786CE7DE443C328

Function 00007FF69882B93C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69882B9C2

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
Instruction ID: 61c0e60914a8c0a722a39409b1ace7db4271f10fb9346df8e680d652ae7f4a61
Opcode Fuzzy Hash: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
Instruction Fuzzy Hash: 24317E22A1961285F6315B758A4137C2694FF80BE0FC101B5EA1D833D6DE7CA8438739

Function 00007FF698825F94 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698825EF9

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: bc7b475464af9362e7067a64fd02bf72329d954e8ac7a6f195d12b4201e31f20
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: CB117531A1C69181EAB0AF21960117DA2A4FF85BD4FC44571EA4CD7A9ACF3DD5028738

Function 00007FF698836354 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698836377

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction ID: aacaa9a51b98092d665e60885f63bd60372dbcdc32b84e77ecc104e9a1d05973
Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction Fuzzy Hash: 5921C272A08A4286DB75CF2CD64037976A0FB84B94FA44235EA5DC76D9DF3CD8018B14

Function 00007FF6988203BC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698820410

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: 605d0b1c4d0a26be06999827874ce11b13982f0926c091fc23646865294c3c95
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: 1D01C461A5874180EA24DF729A00079A691FF85FE4F8886B1EE5CD3BDACE3CD4038318

Function 00007FF698818E80 Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF698819390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6988145F4,00000000,00007FF698811985), ref: 00007FF6988193C9

LoadLibraryExW.KERNEL32(?,00007FF698816476,?,00007FF69881336E), ref: 00007FF698818EA2

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 11a4aaaef8a7a10f6e0ce37232ac144c9e9b59754371ad75d1a790c2d21c933d
Instruction ID: 3ccd58dfc329272d3c581e6429ee4f806cca5795f43bc341236a60fa5ae87708
Opcode Fuzzy Hash: 11a4aaaef8a7a10f6e0ce37232ac144c9e9b59754371ad75d1a790c2d21c933d
Instruction Fuzzy Hash: 8DD0C201F3469642EA64A777BB466399251EFC9BC0FC8D076EE1D43B4ADC3CC0414B04

Function 00007FF69882EB98 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF69882B32A,?,?,?,00007FF698824F11,?,?,?,?,00007FF69882A48A), ref: 00007FF69882EBED

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
Instruction ID: cd5213e57450eba3db8863a222401326d2d12d6886c15291b770e6d5d321687e
Opcode Fuzzy Hash: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
Instruction Fuzzy Hash: FDF04954B0921341FE7966759A513B41284DF89BC0FC855B4DD0FE6AD3ED2CE482823C

Function 00007FF69882D5FC Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF698820C90,?,?,?,00007FF6988222FA,?,?,?,?,?,00007FF698823AE9), ref: 00007FF69882D63A

Memory Dump Source

Source File: 00000008.00000002.2555286436.00007FF698811000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF698810000, based on PE: true

Associated: 00000008.00000002.2555131318.00007FF698810000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555392190.00007FF69883B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF69884E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555527574.00007FF698851000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.2555710877.00007FF698854000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff698810000_Payload.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction ID: 45aab5d7d10a2d4548cbe1b6051fe971a492e062327d5017c5c88db8cac575a3
Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction Fuzzy Hash: A0F05810B0820B81FE7517B15A0177416A0CF847E0FC807B0EC2EC62C2DE2CB48282B8

Non-executed Functions

Function 00007FFB0BC73890 Relevance: 52.7, APIs: 26, Strings: 4, Instructions: 210windowCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC738DA
GetLastError.KERNEL32 ref: 00007FFB0BC738F0
?PyWin_GetErrorMessageModule@@YAPEAUHINSTANCE__@@K@Z.PYWINTYPES311 ref: 00007FFB0BC73901
FormatMessageW.KERNEL32 ref: 00007FFB0BC73939
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7394C
?PyWinObject_FromOLECHAR@@YAPEAU_object@@PEB_W@Z.PYWINTYPES311 ref: 00007FFB0BC7395F
PyErr_Clear.PYTHON311 ref: 00007FFB0BC7396A
_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC739C8
?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z.PYWINTYPES311 ref: 00007FFB0BC739EA
?PyWinSequence_Tuple@@YAPEAU_object@@PEAU1@PEAK@Z.PYWINTYPES311 ref: 00007FFB0BC73A4D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB0BC73A6F
PyErr_NoMemory.PYTHON311 ref: 00007FFB0BC73A85
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC73BB6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB0BC73BC7
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC73BD2
LocalFree.KERNEL32 ref: 00007FFB0BC73BE2
_Py_Dealloc.PYTHON311 ref: 00007FFB0BC73BF6

Strings

FormatMessageW, xrefs: 00007FFB0BC73945, 00007FFB0BC73B86
Access violation (probably due to missing string inserts), xrefs: 00007FFB0BC73B66
|k:FormatMessageW, xrefs: 00007FFB0BC738D0
kOkkO:FormatMessageW, xrefs: 00007FFB0BC739BE

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_U_object@@$Free$Arg_Err_ErrorMessageParseSizeTuple_Win_$ClearDeallocE__@@Error@@FormatFromLastLocalMemoryModule@@Sequence_Tuple@@freemalloc
String ID: Access violation (probably due to missing string inserts)$FormatMessageW$kOkkO:FormatMessageW$|k:FormatMessageW
API String ID: 3506561143-1739700906
Opcode ID: cd2c7eaa3c1698e6b16ebb909cf0ec4508c83e0367e87baf37edfb231aa0f8e2
Instruction ID: fccfec980c692f8e5462a9a844ab1720f3d7b2a46c05c6453217cd5438d9fd69
Opcode Fuzzy Hash: cd2c7eaa3c1698e6b16ebb909cf0ec4508c83e0367e87baf37edfb231aa0f8e2
Instruction Fuzzy Hash: 26A112B160DB82B6E6748B25E844A6A73A4FBC4B80F549035EA4F82F74DF3DE445D704

Function 00007FFB0BC74330 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 102threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC74353
GetCurrentThread.KERNEL32 ref: 00007FFB0BC7437F
OpenThreadToken.ADVAPI32 ref: 00007FFB0BC74396
GetLastError.KERNEL32 ref: 00007FFB0BC743A0
GetCurrentProcess.KERNEL32 ref: 00007FFB0BC743AD
OpenProcessToken.ADVAPI32 ref: 00007FFB0BC743C0
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC743D3

Strings

LookupAccountSid, xrefs: 00007FFB0BC744D5
GetTokenInformation, xrefs: 00007FFB0BC7445F
OpenThreadToken, xrefs: 00007FFB0BC743F3
:GetDomainName, xrefs: 00007FFB0BC7434C
OpenProcessToken, xrefs: 00007FFB0BC743CC

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken$Arg_ErrorError@@LastParseSizeTuple_U_object@@Win_
String ID: :GetDomainName$GetTokenInformation$LookupAccountSid$OpenProcessToken$OpenThreadToken
API String ID: 3402752388-430469702
Opcode ID: a6a00511a040a61d196d511f99d8e9156c9bc2e48d439ffcc0e1ca2282ee2540
Instruction ID: d50846aeea6dab8a3d347b2ea75737e52e3964da6673d4ed935db40b407008e2
Opcode Fuzzy Hash: a6a00511a040a61d196d511f99d8e9156c9bc2e48d439ffcc0e1ca2282ee2540
Instruction Fuzzy Hash: 4D5130A5A0CA86B6FB709B31F455BAA73A1FBC8B44F808031D54E83A75DF3DD5198B00

Function 00007FFB0BC7CBC0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7CC10
?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z.PYWINTYPES311 ref: 00007FFB0BC7CC39
?PyWinObject_AsResourceId@@YAHPEAU_object@@PEAPEA_WH@Z.PYWINTYPES311 ref: 00007FFB0BC7CC52
?PyWinObject_AsResourceId@@YAHPEAU_object@@PEAPEA_WH@Z.PYWINTYPES311 ref: 00007FFB0BC7CC67
?init@PyWinBufferView@@QEAA_NPEAU_object@@_N1@Z.PYWINTYPES311 ref: 00007FFB0BC7CC7F
UpdateResourceW.KERNEL32 ref: 00007FFB0BC7CCAA
?PyWinObject_FreeResourceId@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7CCDA
?PyWinObject_FreeResourceId@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7CCE4
??1PyWinBufferView@@QEAA@XZ.PYWINTYPES311 ref: 00007FFB0BC7CCEF

Strings

UpdateResource, xrefs: 00007FFB0BC7CCC9
OOOO|H:UpdateResource, xrefs: 00007FFB0BC7CC06

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_Resource$Id@@$U_object@@$BufferFreeView@@$?init@Arg_ParseSizeTuple_U_object@@_Update
String ID: OOOO|H:UpdateResource$UpdateResource
API String ID: 395313436-879542628
Opcode ID: 4b2842c7a6b03953d5ae552ea270baff79541a912f05c15798bc206ccb4ba0e1
Instruction ID: 176f44101d007463748c4e41ea417d777c38196037323778c1bd024038a72a78
Opcode Fuzzy Hash: 4b2842c7a6b03953d5ae552ea270baff79541a912f05c15798bc206ccb4ba0e1
Instruction Fuzzy Hash: D9411EA6B18A46E5EB20CF75E4946A93370FB88B48F449532DA4E93E68DF38D504C714

Function 00007FFB0B2518A0 Relevance: 13.9, APIs: 9, Instructions: 425COMMON

Download Yara Rule

APIs

PyMem_Malloc.PYTHON311 ref: 00007FFB0B25190B
PyType_IsSubtype.PYTHON311 ref: 00007FFB0B2519F5
PyType_IsSubtype.PYTHON311 ref: 00007FFB0B251A52
PyUnicode_FromKindAndData.PYTHON311 ref: 00007FFB0B251B2D
PyMem_Free.PYTHON311 ref: 00007FFB0B251B3E
PyMem_Realloc.PYTHON311 ref: 00007FFB0B251CF8

Memory Dump Source

Source File: 00000008.00000002.2569480327.00007FFB0B251000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFB0B250000, based on PE: true

Associated: 00000008.00000002.2569434452.00007FFB0B250000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B255000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2B2000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2FE000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B301000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B306000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B360000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569948940.00007FFB0B363000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569977529.00007FFB0B365000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b250000_Payload.jbxd

Similarity

API ID: Mem_$SubtypeType_$DataFreeFromKindMallocReallocUnicode_
String ID:
API String ID: 1742244024-0
Opcode ID: 2d17a493920b6b36c6fa0658f81e569c9b995c639d436fc25a26417b6e17d25f
Instruction ID: 43b2eddb37ea5f13485f8e483b691f88a86e8c8282ef6943c58be63186f1b1db
Opcode Fuzzy Hash: 2d17a493920b6b36c6fa0658f81e569c9b995c639d436fc25a26417b6e17d25f
Instruction Fuzzy Hash: 8202E1F2A0859382E764AB39D454FB92EA1EB44785F54C135DA8FD67B4EE3DE840C700

Function 00007FFB0B253058 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFB0B253074
memset.VCRUNTIME140 ref: 00007FFB0B253098
RtlCaptureContext.KERNEL32 ref: 00007FFB0B2530A1
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFB0B2530BB
RtlVirtualUnwind.KERNEL32 ref: 00007FFB0B2530FC
memset.VCRUNTIME140 ref: 00007FFB0B25312F
IsDebuggerPresent.KERNEL32 ref: 00007FFB0B253150
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFB0B253171
UnhandledExceptionFilter.KERNEL32 ref: 00007FFB0B25317C

Memory Dump Source

Source File: 00000008.00000002.2569480327.00007FFB0B251000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFB0B250000, based on PE: true

Associated: 00000008.00000002.2569434452.00007FFB0B250000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B255000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2B2000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2FE000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B301000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B306000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B360000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569948940.00007FFB0B363000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569977529.00007FFB0B365000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b250000_Payload.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: d5821aaf4936ad9aa18e348792a4e6496cc638c229f42c96d8f2983ca85ed40f
Instruction ID: 4a6ddaf661884181e82b34fd5091d1f29745e4adea753d9207227bfe03df5f51
Opcode Fuzzy Hash: d5821aaf4936ad9aa18e348792a4e6496cc638c229f42c96d8f2983ca85ed40f
Instruction Fuzzy Hash: 2C314FB2609B8285EB60DF70E850BEE7764FB94744F448039DA4F87AA4DF38D548C714

Function 00007FFB0A6B1960 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFB0A6B197C
memset.VCRUNTIME140 ref: 00007FFB0A6B19A0
RtlCaptureContext.KERNEL32 ref: 00007FFB0A6B19A9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFB0A6B19C3
RtlVirtualUnwind.KERNEL32 ref: 00007FFB0A6B1A04
memset.VCRUNTIME140 ref: 00007FFB0A6B1A37
IsDebuggerPresent.KERNEL32 ref: 00007FFB0A6B1A58
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFB0A6B1A79
UnhandledExceptionFilter.KERNEL32 ref: 00007FFB0A6B1A84

Memory Dump Source

Source File: 00000008.00000002.2558208231.00007FFB0A6B1000.00000020.00000001.01000000.0000004A.sdmp, Offset: 00007FFB0A6B0000, based on PE: true

Associated: 00000008.00000002.2558120358.00007FFB0A6B0000.00000002.00000001.01000000.0000004A.sdmpDownload File
Associated: 00000008.00000002.2558308893.00007FFB0A6B3000.00000002.00000001.01000000.0000004A.sdmpDownload File
Associated: 00000008.00000002.2558375762.00007FFB0A6B4000.00000004.00000001.01000000.0000004A.sdmpDownload File
Associated: 00000008.00000002.2558453551.00007FFB0A6B5000.00000002.00000001.01000000.0000004A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a6b0000_Payload.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: f8ae4d2eff8d27b3a0b7405f1d7147d7316b9bc7e7709510c05685c771672a79
Instruction ID: da01198b97c81d7afdb0c6758a2a38f832938ff533f67110c67ce0cbd8a31bf2
Opcode Fuzzy Hash: f8ae4d2eff8d27b3a0b7405f1d7147d7316b9bc7e7709510c05685c771672a79
Instruction Fuzzy Hash: E8315EB3618B8199EB609FB0E8507E97378FB85B44F44453AEA4D47B85DF38D688C700

Function 00007FFB0BC81600 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFB0BC8161C
memset.VCRUNTIME140 ref: 00007FFB0BC81640
RtlCaptureContext.KERNEL32 ref: 00007FFB0BC81649
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFB0BC81663
RtlVirtualUnwind.KERNEL32 ref: 00007FFB0BC816A4
memset.VCRUNTIME140 ref: 00007FFB0BC816D7
IsDebuggerPresent.KERNEL32 ref: 00007FFB0BC816F8
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFB0BC81719
UnhandledExceptionFilter.KERNEL32 ref: 00007FFB0BC81724

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: a67f1d53b4e1e25c0e1621d1b021f899557ee4f7f4197a41277449f404f34c8d
Instruction ID: 2299cebcc1a55f290831ac7f996cc5e3a5c462f75a6a2e882383f2931aa63818
Opcode Fuzzy Hash: a67f1d53b4e1e25c0e1621d1b021f899557ee4f7f4197a41277449f404f34c8d
Instruction Fuzzy Hash: 8A313EB2608B81A5EB708F70E850BE963A0FB84744F44803ADA4E97AA5DF38D649C714

Function 00007FFB0A8BC750 Relevance: 13.6, APIs: 9, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFB0A8BC76C
memset.VCRUNTIME140 ref: 00007FFB0A8BC790
RtlCaptureContext.KERNEL32 ref: 00007FFB0A8BC799
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFB0A8BC7B3
RtlVirtualUnwind.KERNEL32 ref: 00007FFB0A8BC7F4
memset.VCRUNTIME140 ref: 00007FFB0A8BC827
IsDebuggerPresent.KERNEL32 ref: 00007FFB0A8BC848
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFB0A8BC865
UnhandledExceptionFilter.KERNEL32 ref: 00007FFB0A8BC870

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 5cd9f12e38eb471c1716659151414c5e2631d962336cac44014d6641cef1d4e0
Instruction ID: 42faea1c5657bdfbe7224726bed66bff7961692e616698562dcbde27558d41d2
Opcode Fuzzy Hash: 5cd9f12e38eb471c1716659151414c5e2631d962336cac44014d6641cef1d4e0
Instruction Fuzzy Hash: 553149B3A19B8196EB648F74E840BED3368FB88744F40443ADA4E47B95DF38C6498710

Function 00007FFB0BC75800 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 39threadshutdownCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC75825
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC75840
ExitWindowsEx.USER32 ref: 00007FFB0BC75850
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7585B
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC75878

Strings

|ll:ExitWindows, xrefs: 00007FFB0BC7581E
ExitWindows, xrefs: 00007FFB0BC75871

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_Thread$Arg_Error@@ExitParseRestoreSaveSizeTuple_U_object@@Win_Windows
String ID: ExitWindows$|ll:ExitWindows
API String ID: 913167371-1358875516
Opcode ID: 054cf91961bbce031986e76f7ca038ff95775ebb84d303ac6caa72ed634a9e4e
Instruction ID: 3777d0272ce8eb4683a4ddf84bfdcbf8314697d77735a14b2d06bbd6b1f90a6b
Opcode Fuzzy Hash: 054cf91961bbce031986e76f7ca038ff95775ebb84d303ac6caa72ed634a9e4e
Instruction Fuzzy Hash: 510121B5A18A82B2D7689B76FC4446973B1FF88B80B449136EA4F83F74DF3CD1558604

Function 00007FFB0BC7DA60 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7DA9E
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7DAB4
mouse_event.USER32 ref: 00007FFB0BC7DAD8
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7DAE1

Strings

iii|ii:mouse_event, xrefs: 00007FFB0BC7DA84

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_Thread$Arg_ParseRestoreSaveSizeTuple_mouse_event
String ID: iii|ii:mouse_event
API String ID: 2761499826-1652421241
Opcode ID: 22816a3179dd3a4a42aaff97c7e11ea1dd452cbd7660dd2b431cfa027487a877
Instruction ID: 1179c2da034510b199b82bd6e87053eafdf30f481dbc486d3c27193c4b119a87
Opcode Fuzzy Hash: 22816a3179dd3a4a42aaff97c7e11ea1dd452cbd7660dd2b431cfa027487a877
Instruction Fuzzy Hash: 9C11F8B6B08B81A2DB14DF65E8448A973B1F788B90B504136EA9E83B24CF3DD955CB04

Function 00007FFB0BC7D9C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35threadkeyboardCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7D9F9
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7DA0F
keybd_event.USER32 ref: 00007FFB0BC7DA2C
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7DA35

Strings

ii|ii:keybd_event, xrefs: 00007FFB0BC7D9E5

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_Thread$Arg_ParseRestoreSaveSizeTuple_keybd_event
String ID: ii|ii:keybd_event
API String ID: 2874980141-3699675051
Opcode ID: d5502b3604a16d24cbb88980add09d254316b55df872e8c8be52da0a5f984183
Instruction ID: e8af10bf16187d5a36211f0b3adb93a8bac03822d5e8c2548c9adf9724a68927
Opcode Fuzzy Hash: d5502b3604a16d24cbb88980add09d254316b55df872e8c8be52da0a5f984183
Instruction Fuzzy Hash: 0301CCB661D781A6DB549B21F84486A77B0F7C5B80F446036FA8F83B28DE3CD515CB04

Function 00007FFB0BC7E640 Relevance: 128.0, APIs: 38, Strings: 35, Instructions: 260COMMON

Download Yara Rule

APIs

?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7E676
PyLong_FromUnsignedLong.PYTHON311 ref: 00007FFB0BC7E6BC
PyLong_FromUnsignedLong.PYTHON311 ref: 00007FFB0BC7E6C8
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC7E6EB
PyLong_FromUnsignedLong.PYTHON311 ref: 00007FFB0BC7E6F7
PyLong_FromUnsignedLong.PYTHON311 ref: 00007FFB0BC7E703
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC7E726
PyLong_FromUnsignedLong.PYTHON311 ref: 00007FFB0BC7E732
PyLong_FromUnsignedLong.PYTHON311 ref: 00007FFB0BC7E73E
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC7E761
PyLong_FromLong.PYTHON311 ref: 00007FFB0BC7E76D
PyLong_FromLong.PYTHON311 ref: 00007FFB0BC7E779
PyLong_FromLong.PYTHON311 ref: 00007FFB0BC7E785
PyLong_FromLong.PYTHON311 ref: 00007FFB0BC7E791
PyLong_FromLong.PYTHON311 ref: 00007FFB0BC7E79D
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC7E7B7
PyBool_FromLong.PYTHON311 ref: 00007FFB0BC7E7C4
PyBool_FromLong.PYTHON311 ref: 00007FFB0BC7E7D1
PyBool_FromLong.PYTHON311 ref: 00007FFB0BC7E7DE
PyBool_FromLong.PYTHON311 ref: 00007FFB0BC7E7EC
PyLong_FromLong.PYTHON311 ref: 00007FFB0BC7E7FA
PyLong_FromLong.PYTHON311 ref: 00007FFB0BC7E808
PyBool_FromLong.PYTHON311 ref: 00007FFB0BC7E816
PyBool_FromLong.PYTHON311 ref: 00007FFB0BC7E824
PyBool_FromLong.PYTHON311 ref: 00007FFB0BC7E832
PyBool_FromLong.PYTHON311 ref: 00007FFB0BC7E840
PyBool_FromLong.PYTHON311 ref: 00007FFB0BC7E84E
PyBool_FromLong.PYTHON311 ref: 00007FFB0BC7E85C

Strings

BatteryScale, xrefs: 00007FFB0BC7E961
{s:N, s:N, s:N, s:N, s:N, s:N, s:N, s:N, s:N, s:N, s:N, s:N, s:N, s:N, s:N, s:N, s:N, s:N, s:O, s:N, s:O, s:N, s:N, s:O, s:N, s:N, s:N, s:N, s:N}, xrefs: 00007FFB0BC7EA09
SystemBatteriesPresent, xrefs: 00007FFB0BC7E98F
spare3, xrefs: 00007FFB0BC7E8E8
DefaultLowLatencyWake, xrefs: 00007FFB0BC7E8F2
SoftLidWake, xrefs: 00007FFB0BC7E92F
SystemS2, xrefs: 00007FFB0BC7EB5D
ProcessorThrottle, xrefs: 00007FFB0BC7EA61
PowerButtonPresent, xrefs: 00007FFB0BC7E9FA
{s:N, s:N}, xrefs: 00007FFB0BC7E6E4, 00007FFB0BC7E71F, 00007FFB0BC7E75A
FullWake, xrefs: 00007FFB0BC7EAE8
SystemS4, xrefs: 00007FFB0BC7EB33
RtcWake, xrefs: 00007FFB0BC7E918
SystemS1, xrefs: 00007FFB0BC7EB72
BatteriesAreShortTerm, xrefs: 00007FFB0BC7E978
DiskSpinDown, xrefs: 00007FFB0BC7E9C9
HiberFilePresent, xrefs: 00007FFB0BC7EB03
ThermalControl, xrefs: 00007FFB0BC7EA7C
SleepButtonPresent, xrefs: 00007FFB0BC7E9EF
VideoDimPresent, xrefs: 00007FFB0BC7EACD
SystemS3, xrefs: 00007FFB0BC7EB48
ApmPresent, xrefs: 00007FFB0BC7EAB2
ProcessorMaxThrottle, xrefs: 00007FFB0BC7EA2B
GetPwrCapabilities, xrefs: 00007FFB0BC7E66F
LidPresent, xrefs: 00007FFB0BC7EB87
Granularity, xrefs: 00007FFB0BC7E6DD, 00007FFB0BC7E718, 00007FFB0BC7E753
NNN, xrefs: 00007FFB0BC7E7A6
UpsPresent, xrefs: 00007FFB0BC7EA97
spare2, xrefs: 00007FFB0BC7E9E0
Capacity, xrefs: 00007FFB0BC7E6CE, 00007FFB0BC7E709, 00007FFB0BC7E744
AcOnLineWake, xrefs: 00007FFB0BC7E952
MinDeviceWakeState, xrefs: 00007FFB0BC7E901
FastSystemS4, xrefs: 00007FFB0BC7EA10
SystemS5, xrefs: 00007FFB0BC7EB1E
ProcessorMinThrottle, xrefs: 00007FFB0BC7EA46

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: FromLong$Long_$Bool_$Unsigned$BuildSizeValue_$Error@@U_object@@Win_
String ID: AcOnLineWake$ApmPresent$BatteriesAreShortTerm$BatteryScale$Capacity$DefaultLowLatencyWake$DiskSpinDown$FastSystemS4$FullWake$GetPwrCapabilities$Granularity$HiberFilePresent$LidPresent$MinDeviceWakeState$NNN$PowerButtonPresent$ProcessorMaxThrottle$ProcessorMinThrottle$ProcessorThrottle$RtcWake$SleepButtonPresent$SoftLidWake$SystemBatteriesPresent$SystemS1$SystemS2$SystemS3$SystemS4$SystemS5$ThermalControl$UpsPresent$VideoDimPresent$spare2$spare3${s:N, s:N, s:N, s:N, s:N, s:N, s:N, s:N, s:N, s:N, s:N, s:N, s:N, s:N, s:N, s:N, s:N, s:N, s:O, s:N, s:O, s:N, s:N, s:O, s:N, s:N, s:N, s:N, s:N}${s:N, s:N}
API String ID: 632866278-3975806661
Opcode ID: a9da3825a5e984786c761249b21fc8b6badc611c2ecdb21d459db5d0ba23063c
Instruction ID: 5c046ce5fce4fd90769610f8b206665210bab3041a9551801e3f7fb1e5c0d37a
Opcode Fuzzy Hash: a9da3825a5e984786c761249b21fc8b6badc611c2ecdb21d459db5d0ba23063c
Instruction Fuzzy Hash: B7F1D5B6A09B82B9E7608B60F8949A977F4FB49754F005136EA9E43B28DF3CD154C740

Function 00007FFB0BC7D5C0 Relevance: 79.0, APIs: 27, Strings: 18, Instructions: 239threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7D604
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC7D62C
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC7D648
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7D666
GetFileVersionInfoSizeW.VERSION ref: 00007FFB0BC7D677
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7D683
GetLastError.KERNEL32 ref: 00007FFB0BC7D68E
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7D69D
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7D985
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7D994
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB0BC7D9A2

Strings

GetFileVersionInfo:VerQueryValue, xrefs: 00007FFB0BC7D957
FileVersionLS, xrefs: 00007FFB0BC7D867
GetFileVersionInfo, xrefs: 00007FFB0BC7D6C0, 00007FFB0BC7D70A
FileFlagsMask, xrefs: 00007FFB0BC7D82E
FileDate, xrefs: 00007FFB0BC7D7A9
FileVersionMS, xrefs: 00007FFB0BC7D87A
FileType, xrefs: 00007FFB0BC7D7E9
GetFileVersionInfo:GetFileVersionInfoSize, xrefs: 00007FFB0BC7D696
Signature, xrefs: 00007FFB0BC7D7B8
{u:l,u:l,u:l,u:l,u:l,u:l,u:l,u:l,u:l,u:l,u:l,u:N}, xrefs: 00007FFB0BC7D7C2
OO:GetFileVersionInfo, xrefs: 00007FFB0BC7D5E0
FileFlags, xrefs: 00007FFB0BC7D81B
FileSubtype, xrefs: 00007FFB0BC7D7D0
FileOS, xrefs: 00007FFB0BC7D802
\VarFileInfo\Translation, xrefs: 00007FFB0BC7D89F
StrucVersion, xrefs: 00007FFB0BC7D79F
ProductVersionMS, xrefs: 00007FFB0BC7D854
ProductVersionLS, xrefs: 00007FFB0BC7D841

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_$U_object@@$Eval_FreeSizeThread$Arg_ErrorError@@FileInfoLastParseRestoreSaveTuple_VersionWin_free
String ID: FileDate$FileFlags$FileFlagsMask$FileOS$FileSubtype$FileType$FileVersionLS$FileVersionMS$GetFileVersionInfo$GetFileVersionInfo:GetFileVersionInfoSize$GetFileVersionInfo:VerQueryValue$OO:GetFileVersionInfo$ProductVersionLS$ProductVersionMS$Signature$StrucVersion$\VarFileInfo\Translation${u:l,u:l,u:l,u:l,u:l,u:l,u:l,u:l,u:l,u:l,u:l,u:N}
API String ID: 264991304-493068413
Opcode ID: eea91bef65fe6e4e609431694d5d597aecf300ce98ce6682b239b4fb00a9ba5c
Instruction ID: 6819b73c4dc7ffa0fb50d5c9615f91ad35a06c400a3c361798b51b1f41b65c81
Opcode Fuzzy Hash: eea91bef65fe6e4e609431694d5d597aecf300ce98ce6682b239b4fb00a9ba5c
Instruction Fuzzy Hash: C2C10BB6A08B52A6E7208F75E840AA977B4FB88B54F508136DD5F87B68DF3CE445C700

Function 00007FFB0A8B6EB0 Relevance: 66.7, APIs: 28, Strings: 10, Instructions: 165threadCOMMON

Download Yara Rule

APIs

PyThreadState_Get.PYTHON311 ref: 00007FFB0A8B6EB9
PyInterpreterState_GetID.PYTHON311 ref: 00007FFB0A8B6EC3
PyErr_SetString.PYTHON311 ref: 00007FFB0A8B6F0D
PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8B6F39
PyModule_NewObject.PYTHON311 ref: 00007FFB0A8B6F4E
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B6F60
PyModule_GetDict.PYTHON311 ref: 00007FFB0A8B6F6E
PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8B6F86
PyDict_SetItemString.PYTHON311 ref: 00007FFB0A8B6FA1
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B6FB3
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B6FC7
PyErr_ExceptionMatches.PYTHON311 ref: 00007FFB0A8B6FF3
PyErr_Clear.PYTHON311 ref: 00007FFB0A8B6FFD
PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8B700D
PyDict_SetItemString.PYTHON311 ref: 00007FFB0A8B7028
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B703A
PyErr_ExceptionMatches.PYTHON311 ref: 00007FFB0A8B7055
PyErr_Clear.PYTHON311 ref: 00007FFB0A8B7063
PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8B7073
PyDict_SetItemString.PYTHON311 ref: 00007FFB0A8B708E
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B70A0
PyErr_ExceptionMatches.PYTHON311 ref: 00007FFB0A8B70BB
PyErr_Clear.PYTHON311 ref: 00007FFB0A8B70C9
PyObject_GetAttrString.PYTHON311 ref: 00007FFB0A8B70D9
PyDict_SetItemString.PYTHON311 ref: 00007FFB0A8B70FF
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B7110
PyErr_ExceptionMatches.PYTHON311 ref: 00007FFB0A8B7129
PyErr_Clear.PYTHON311 ref: 00007FFB0A8B7137

Strings

Interpreter change detected - this module can only be loaded into one interpreter per process., xrefs: 00007FFB0A8B6F03
__loader__, xrefs: 00007FFB0A8B6F97
parent, xrefs: 00007FFB0A8B7069
submodule_search_locations, xrefs: 00007FFB0A8B70CF
__package__, xrefs: 00007FFB0A8B7084
name, xrefs: 00007FFB0A8B6F20
origin, xrefs: 00007FFB0A8B7003
__file__, xrefs: 00007FFB0A8B701E
loader, xrefs: 00007FFB0A8B6F7C
__path__, xrefs: 00007FFB0A8B70F5

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: String$Err_$Dealloc$AttrObject_$ClearDict_ExceptionItemMatches$Module_State_$DictInterpreterObjectThread
String ID: Interpreter change detected - this module can only be loaded into one interpreter per process.$__file__$__loader__$__package__$__path__$loader$name$origin$parent$submodule_search_locations
API String ID: 3851358283-2188512448
Opcode ID: f5dba2983c46c41de5ca2dd17785b8eb42526ec336d42582ef0723d0fdc52c23
Instruction ID: 41655d5344e75791b88240cddd881e0d09f0c7478d51c72fe247326f2f4e64d5
Opcode Fuzzy Hash: f5dba2983c46c41de5ca2dd17785b8eb42526ec336d42582ef0723d0fdc52c23
Instruction Fuzzy Hash: 937118A3E29B0395EA549B35E854D7963A8AF88F94B080DB5CD4E077E0EF3DF4458300

Function 00007FFB0A8B30F0 Relevance: 52.9, APIs: 25, Strings: 5, Instructions: 381threadCOMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FFB0A8B3137
PyThreadState_Get.PYTHON311 ref: 00007FFB0A8B31C8
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B36B8
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B36EB
_PyThreadState_UncheckedGet.PYTHON311 ref: 00007FFB0A8B36FD

Strings

__reduce_cython__, xrefs: 00007FFB0A8B311D, 00007FFB0A8B31F1
name '%U' is not defined, xrefs: 00007FFB0A8B33B5, 00007FFB0A8B3545
propcache._helpers_c.cached_property.__reduce_cython__, xrefs: 00007FFB0A8B3689
%.200s() takes %.8s %zd positional argument%.1s (%zd given), xrefs: 00007FFB0A8B3124
exactly, xrefs: 00007FFB0A8B3111

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: DeallocState_Thread$Err_FormatUnchecked
String ID: %.200s() takes %.8s %zd positional argument%.1s (%zd given)$__reduce_cython__$exactly$name '%U' is not defined$propcache._helpers_c.cached_property.__reduce_cython__
API String ID: 1016556660-3398767512
Opcode ID: cd8eb314a3a6800e4c736ba1dff36ec106fcf37e2fa5886d7a7996ebefb487a5
Instruction ID: 16188838d2cd2e3cd32a0285b8c3fd938e00856fb9e891a8c1db6bab3e672cde
Opcode Fuzzy Hash: cd8eb314a3a6800e4c736ba1dff36ec106fcf37e2fa5886d7a7996ebefb487a5
Instruction Fuzzy Hash: C8024EB7A29B4691EA559B21E844E7973ACFB48F90F1448B5CE4D0BBE0EF3CE4459300

Function 00007FFB0A8B1B10 Relevance: 52.9, APIs: 25, Strings: 5, Instructions: 381threadCOMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FFB0A8B1B57
PyThreadState_Get.PYTHON311 ref: 00007FFB0A8B1BE8
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B20D8
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B210B
_PyThreadState_UncheckedGet.PYTHON311 ref: 00007FFB0A8B211D

Strings

__reduce_cython__, xrefs: 00007FFB0A8B1B3D, 00007FFB0A8B1C11
name '%U' is not defined, xrefs: 00007FFB0A8B1DD5, 00007FFB0A8B1F65
propcache._helpers_c.under_cached_property.__reduce_cython__, xrefs: 00007FFB0A8B20A9
%.200s() takes %.8s %zd positional argument%.1s (%zd given), xrefs: 00007FFB0A8B1B44
exactly, xrefs: 00007FFB0A8B1B31

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: DeallocState_Thread$Err_FormatUnchecked
String ID: %.200s() takes %.8s %zd positional argument%.1s (%zd given)$__reduce_cython__$exactly$name '%U' is not defined$propcache._helpers_c.under_cached_property.__reduce_cython__
API String ID: 1016556660-3317749030
Opcode ID: c66982b194790f9549ed3e348b3b7561f840e769e65071b3b2f4233eb90942bd
Instruction ID: d168336e415c4a177c262369f20585f6c27631bd591a3bbd63453e198f211f84
Opcode Fuzzy Hash: c66982b194790f9549ed3e348b3b7561f840e769e65071b3b2f4233eb90942bd
Instruction Fuzzy Hash: 46022EA7A29B4681EA549B25E458E7863ACFB48FD4F1449B5CE4D0B7E0EF3DE445C300

Function 00007FFB0BC77290 Relevance: 50.9, APIs: 22, Strings: 7, Instructions: 158COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC772AD
PyTuple_Size.PYTHON311 ref: 00007FFB0BC772FC
PyTuple_Size.PYTHON311 ref: 00007FFB0BC7730D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB0BC7732C
PyErr_Format.PYTHON311 ref: 00007FFB0BC7734E

Strings

SetSysColors: Arguments must be equal length tuples of ints, xrefs: 00007FFB0BC774FE
Color element must be an int, xrefs: 00007FFB0BC7747F
SetSysColors, xrefs: 00007FFB0BC7746A
SetSysColors: Unable to allocate array of %d COLORREF's, xrefs: 00007FFB0BC7738A
RGB value must be an int, xrefs: 00007FFB0BC7749E
OO:SetSysColors, xrefs: 00007FFB0BC7729E
SetSysColors: Unable to allocate array of %d ints, xrefs: 00007FFB0BC77341

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: SizeTuple_$Arg_Err_FormatParsemalloc
String ID: Color element must be an int$OO:SetSysColors$RGB value must be an int$SetSysColors$SetSysColors: Arguments must be equal length tuples of ints$SetSysColors: Unable to allocate array of %d COLORREF's$SetSysColors: Unable to allocate array of %d ints
API String ID: 1384626555-50870979
Opcode ID: 43adaa4a97de99552482513eb6e8d56781b9e42b7160d9f0b5610fc59cb125b6
Instruction ID: 749f28211ef42302235ead994ae17799259f39f714c9da08729b60570fdb5465
Opcode Fuzzy Hash: 43adaa4a97de99552482513eb6e8d56781b9e42b7160d9f0b5610fc59cb125b6
Instruction Fuzzy Hash: 43712EA5B08A86B2EA209B35F44496A77A0FBC4F84F549136EE4F83F74DE3CE4458704

Function 00007FFB0A8B3D20 Relevance: 47.5, APIs: 23, Strings: 4, Instructions: 288threadCOMMON

Download Yara Rule

APIs

PyThreadState_Get.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFB0A8B3CEE), ref: 00007FFB0A8B3D8A
PyLong_FromLong.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFB0A8B3CEE), ref: 00007FFB0A8B3DEE
PySequence_Contains.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFB0A8B3CEE), ref: 00007FFB0A8B3E1D
_Py_Dealloc.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFB0A8B3CEE), ref: 00007FFB0A8B3EBC
_Py_Dealloc.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFB0A8B3CEE), ref: 00007FFB0A8B4142
_Py_Dealloc.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFB0A8B3CEE), ref: 00007FFB0A8B4154
_Py_Dealloc.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFB0A8B3CEE), ref: 00007FFB0A8B4169
_PyThreadState_UncheckedGet.PYTHON311 ref: 00007FFB0A8B419F

Strings

__pyx_unpickle_under_cached_property, xrefs: 00007FFB0A8B3DB5
tuple, xrefs: 00007FFB0A8B40D8
propcache._helpers_c.__pyx_unpickle_under_cached_property, xrefs: 00007FFB0A8B4122
Expected %s, got %.200s, xrefs: 00007FFB0A8B40E3

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Dealloc$State_Thread$ContainsFromLongLong_Sequence_Unchecked
String ID: Expected %s, got %.200s$__pyx_unpickle_under_cached_property$propcache._helpers_c.__pyx_unpickle_under_cached_property$tuple
API String ID: 64637491-4227654775
Opcode ID: 6764b4f74c2ef8bba3c2818c786a62a615d429582b8041581ea913929e909a92
Instruction ID: 31bb08915da0685620bc534ce77ce81fa17b46f804a9293b7625b06ee8a6ad2d
Opcode Fuzzy Hash: 6764b4f74c2ef8bba3c2818c786a62a615d429582b8041581ea913929e909a92
Instruction Fuzzy Hash: 6FD14BA7A29B4681EA549B32E845E7973A8FB54FD4F0448B1CE4E1BBE1DF3CE4458300

Function 00007FFB0A8B4980 Relevance: 47.5, APIs: 23, Strings: 4, Instructions: 288threadCOMMON

Download Yara Rule

APIs

PyThreadState_Get.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFB0A8B494E), ref: 00007FFB0A8B49EA
PyLong_FromLong.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFB0A8B494E), ref: 00007FFB0A8B4A4E
PySequence_Contains.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFB0A8B494E), ref: 00007FFB0A8B4A7D
_Py_Dealloc.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFB0A8B494E), ref: 00007FFB0A8B4B1C
_Py_Dealloc.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFB0A8B494E), ref: 00007FFB0A8B4DA2
_Py_Dealloc.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFB0A8B494E), ref: 00007FFB0A8B4DB4
_Py_Dealloc.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFB0A8B494E), ref: 00007FFB0A8B4DC9
_PyThreadState_UncheckedGet.PYTHON311 ref: 00007FFB0A8B4DFF

Strings

tuple, xrefs: 00007FFB0A8B4D38
propcache._helpers_c.__pyx_unpickle_cached_property, xrefs: 00007FFB0A8B4D82
Expected %s, got %.200s, xrefs: 00007FFB0A8B4D43
__pyx_unpickle_cached_property, xrefs: 00007FFB0A8B4A15

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Dealloc$State_Thread$ContainsFromLongLong_Sequence_Unchecked
String ID: Expected %s, got %.200s$__pyx_unpickle_cached_property$propcache._helpers_c.__pyx_unpickle_cached_property$tuple
API String ID: 64637491-855366412
Opcode ID: 2696aaf8f124e89b793c5c54ad39010e47d212bd9087ea681534cf9b7bccee7f
Instruction ID: 468c9923001ead9fbb60c9c38740f0d6eb7d3fe3f76945eead59ef818e849f9c
Opcode Fuzzy Hash: 2696aaf8f124e89b793c5c54ad39010e47d212bd9087ea681534cf9b7bccee7f
Instruction Fuzzy Hash: A7D148A7A29B4281EA549B32E855E7977A8BF44FD4F0848B1CE4E177E2DF3CE4458300

Function 00007FFB0BC75DE0 Relevance: 45.6, APIs: 24, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC75E5E
PyLong_AsLong.PYTHON311 ref: 00007FFB0BC75E7C
PyErr_Occurred.PYTHON311 ref: 00007FFB0BC75E89
PyErr_Clear.PYTHON311 ref: 00007FFB0BC75E94
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC75EAD
PyErr_Clear.PYTHON311 ref: 00007FFB0BC75EB7
PyErr_SetString.PYTHON311 ref: 00007FFB0BC75ECE

Strings

Default value must be a string or int, xrefs: 00007FFB0BC75EC4
OOO|O, xrefs: 00007FFB0BC75E4A

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Err_$Clear$Arg_LongLong_Object_OccurredParseSizeStringTuple_U_object@@
String ID: Default value must be a string or int$OOO|O
API String ID: 2311020223-3533590036
Opcode ID: 9a6bcbe7eebaced4733d460f76e8fd717a191e78e2f7ec765b577fed8489d76a
Instruction ID: 56d05fe9ee566fe333e847ef31d325e08312a418c4e8d1e51102c0b2ead98396
Opcode Fuzzy Hash: 9a6bcbe7eebaced4733d460f76e8fd717a191e78e2f7ec765b577fed8489d76a
Instruction Fuzzy Hash: 7A71EFB2618A82B2D7609B31E44496967A0FBC8B84F509036EA8F83F78DF3CD544C744

Function 00007FFB0A8B2CC0 Relevance: 44.0, APIs: 18, Strings: 7, Instructions: 254threadCOMMON

Download Yara Rule

APIs

PyThreadState_Get.PYTHON311 ref: 00007FFB0A8B2D09
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B2DCD

Part of subcall function 00007FFB0A8B8D20: PyCode_NewEmpty.PYTHON311 ref: 00007FFB0A8B8D49
Part of subcall function 00007FFB0A8B8D20: PyFrame_New.PYTHON311 ref: 00007FFB0A8B8D6E

_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B3072
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B3086
_PyThreadState_UncheckedGet.PYTHON311 ref: 00007FFB0A8B30BC

Strings

'NoneType' object has no attribute '%.30s', xrefs: 00007FFB0A8B2EA5
propcache._helpers_c.cached_property.__get__, xrefs: 00007FFB0A8B303D
__get__, xrefs: 00007FFB0A8B2D2E
dict, xrefs: 00007FFB0A8B2E47
'NoneType' object is not subscriptable, xrefs: 00007FFB0A8B2FF8
Expected %s, got %.200s, xrefs: 00007FFB0A8B2E52
get, xrefs: 00007FFB0A8B2E9E

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Dealloc$State_Thread$Code_EmptyFrame_Unchecked
String ID: 'NoneType' object has no attribute '%.30s'$'NoneType' object is not subscriptable$Expected %s, got %.200s$__get__$dict$get$propcache._helpers_c.cached_property.__get__
API String ID: 1766239249-569985297
Opcode ID: 98d851130af4b27fce9a5faf72e18f7e344622c8820983dbee26684215ac3b75
Instruction ID: 54df7b794af7c07c7d1df0144b34188b31b2a59730b74915075f26f53c1559a2
Opcode Fuzzy Hash: 98d851130af4b27fce9a5faf72e18f7e344622c8820983dbee26684215ac3b75
Instruction Fuzzy Hash: D3C15EA3A29B4685EB549F32E844EB967A8FF48B84F0448B1DE4D17BE1DF3DE4458700

Function 00007FFB0A8B1740 Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 231threadCOMMON

Download Yara Rule

APIs

PyThreadState_Get.PYTHON311 ref: 00007FFB0A8B1789
PyObject_GetAttr.PYTHON311 ref: 00007FFB0A8B1825
PyErr_Format.PYTHON311 ref: 00007FFB0A8B1878
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B18A0

Part of subcall function 00007FFB0A8B8D20: PyCode_NewEmpty.PYTHON311 ref: 00007FFB0A8B8D49
Part of subcall function 00007FFB0A8B8D20: PyFrame_New.PYTHON311 ref: 00007FFB0A8B8D6E

PyErr_Format.PYTHON311 ref: 00007FFB0A8B18CB
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B1A8E
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B1AA2
_PyThreadState_UncheckedGet.PYTHON311 ref: 00007FFB0A8B1AD8

Strings

'NoneType' object has no attribute '%.30s', xrefs: 00007FFB0A8B18C1
__get__, xrefs: 00007FFB0A8B17AE
dict, xrefs: 00007FFB0A8B1863
'NoneType' object is not subscriptable, xrefs: 00007FFB0A8B1A14
Expected %s, got %.200s, xrefs: 00007FFB0A8B186E
get, xrefs: 00007FFB0A8B18BA
propcache._helpers_c.under_cached_property.__get__, xrefs: 00007FFB0A8B1A59

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Dealloc$Err_FormatState_Thread$AttrCode_EmptyFrame_Object_Unchecked
String ID: 'NoneType' object has no attribute '%.30s'$'NoneType' object is not subscriptable$Expected %s, got %.200s$__get__$dict$get$propcache._helpers_c.under_cached_property.__get__
API String ID: 2447058268-615489221
Opcode ID: 10b174f902eb57c0613c2ec4264e656b5075313b9cc917f5e90567c8ec4d73b6
Instruction ID: 15a4cb518990cd61a6af4968ce99e451908192941999bf561483498ab525038e
Opcode Fuzzy Hash: 10b174f902eb57c0613c2ec4264e656b5075313b9cc917f5e90567c8ec4d73b6
Instruction Fuzzy Hash: 0AB13BB7A28B8295EA548F31E458E7963A8FB45B84F4459B6CE4E0B7E0DF3CE445C340

Function 00007FFB0A8B9B20 Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 201COMMON

Download Yara Rule

APIs

_PyType_Lookup.PYTHON311(propcache._helpers_c,00000001,00000001,00007FFB0A8B779B), ref: 00007FFB0A8B9B5C
_PyType_Lookup.PYTHON311 ref: 00007FFB0A8B9B7F
_PyType_Lookup.PYTHON311 ref: 00007FFB0A8B9BA3
PyObject_GetAttr.PYTHON311 ref: 00007FFB0A8B9BDB
_PyType_Lookup.PYTHON311 ref: 00007FFB0A8B9C0B
PyObject_GetAttr.PYTHON311 ref: 00007FFB0A8B9C42
PyDict_SetItem.PYTHON311 ref: 00007FFB0A8B9CB1
PyDict_DelItem.PYTHON311 ref: 00007FFB0A8B9CD0
PyErr_Occurred.PYTHON311 ref: 00007FFB0A8B9CE0
PyErr_Format.PYTHON311 ref: 00007FFB0A8B9D00
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B9D19
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B9D2E
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B9D43
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B9D57
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B9D6B
PyErr_Occurred.PYTHON311 ref: 00007FFB0A8B9D99
PyErr_Clear.PYTHON311 ref: 00007FFB0A8B9DC6
PyDict_SetItem.PYTHON311 ref: 00007FFB0A8B9E22
PyDict_DelItem.PYTHON311 ref: 00007FFB0A8B9E45
PyType_Modified.PYTHON311 ref: 00007FFB0A8B9E58
PyErr_Occurred.PYTHON311 ref: 00007FFB0A8B9E6C
PyType_Modified.PYTHON311 ref: 00007FFB0A8B9E7E

Strings

propcache._helpers_c, xrefs: 00007FFB0A8B9B32
Unable to initialize pickling for %.200s, xrefs: 00007FFB0A8B9CF2

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Type_$DeallocErr_$Dict_ItemLookup$Occurred$AttrModifiedObject_$ClearFormat
String ID: Unable to initialize pickling for %.200s$propcache._helpers_c
API String ID: 3003332478-184679933
Opcode ID: 40ca9b4b3eba54552c3f407c1da3cbcbd906bb43862279d05fe89f6f998f064b
Instruction ID: c98fa5f6aab7563001b8f68d87845ff974cb83c530f653bbd6d9c7c77aa0a76a
Opcode Fuzzy Hash: 40ca9b4b3eba54552c3f407c1da3cbcbd906bb43862279d05fe89f6f998f064b
Instruction Fuzzy Hash: F0910DA7A29B4281EA559B36D854DB567A8BF48FD4F0858B5CE1E037E5EF3CF4848300

Function 00007FFB0BC765D0 Relevance: 42.1, APIs: 20, Strings: 4, Instructions: 106threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC765E5
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC76606
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7661E
GetShortPathNameW.KERNEL32 ref: 00007FFB0BC76631
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7663C
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7664F
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7665A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB0BC7667F
PyErr_NoMemory.PYTHON311 ref: 00007FFB0BC7668D
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC76698

Strings

GetShortPathNameW, xrefs: 00007FFB0BC76648, 00007FFB0BC766D3, 00007FFB0BC766EF
O:GetShortPathName, xrefs: 00007FFB0BC765DE
Short path name changed between calls, xrefs: 00007FFB0BC766E6
(izs), xrefs: 00007FFB0BC766F6

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_$Eval_FreeThreadU_object@@$Arg_Err_Error@@MemoryNameParsePathRestoreSaveShortSizeTuple_Win_malloc
String ID: (izs)$GetShortPathNameW$O:GetShortPathName$Short path name changed between calls
API String ID: 4213042057-3303738624
Opcode ID: 394ddf047c1c18730529f427bc936b22a34f26415a84ad1215540f35bfd1ebac
Instruction ID: 66e3efa8ef07d95b52d5ac428bbf37c263f2ac72f7426b6c565a6254c979f4c9
Opcode Fuzzy Hash: 394ddf047c1c18730529f427bc936b22a34f26415a84ad1215540f35bfd1ebac
Instruction Fuzzy Hash: BD411DA5A08A82B2EA309B71E81493963A0FFC4F91B449032DD4F87F78DE3CE4458704

Function 00007FFB0BC7B7E0 Relevance: 40.4, APIs: 20, Strings: 3, Instructions: 126COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7B849
PyLong_AsLong.PYTHON311 ref: 00007FFB0BC7B866
PyErr_Occurred.PYTHON311 ref: 00007FFB0BC7B873
PyErr_Clear.PYTHON311 ref: 00007FFB0BC7B87E
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC7B895
PyErr_Clear.PYTHON311 ref: 00007FFB0BC7B89F
PyErr_SetString.PYTHON311 ref: 00007FFB0BC7B8B6

Strings

Write[Private]ProfileString, xrefs: 00007FFB0BC7B96D
OOO|O:WriteProfileVal, xrefs: 00007FFB0BC7B837
Value must be a string or int, xrefs: 00007FFB0BC7B8AC

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Err_$Clear$Arg_LongLong_Object_OccurredParseSizeStringTuple_U_object@@
String ID: OOO|O:WriteProfileVal$Value must be a string or int$Write[Private]ProfileString
API String ID: 2311020223-3239610536
Opcode ID: e863fc016b8bf5a942b476d35719c4e4170493775074f9a3bb936f34938dbbcc
Instruction ID: ed7df04c61bdc086e8d43862cf9f1cb3a8a58186a45886c19388e67da1ba51b0
Opcode Fuzzy Hash: e863fc016b8bf5a942b476d35719c4e4170493775074f9a3bb936f34938dbbcc
Instruction Fuzzy Hash: 6A51FBA2B08A52B5FB209B71E454AAD23B4FB88B84B409036DD5F93E64DF38E409C354

Function 00007FFB0A8BB640 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 240threadCOMMON

Download Yara Rule

APIs

_PyThreadState_UncheckedGet.PYTHON311 ref: 00007FFB0A8BB65C
PyUnicode_FromFormat.PYTHON311 ref: 00007FFB0A8BB718
PyUnicode_AsUTF8.PYTHON311 ref: 00007FFB0A8BB729
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BB73D
PyCode_NewEmpty.PYTHON311 ref: 00007FFB0A8BB753
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BB765
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BB77F
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BB793
PyCode_NewEmpty.PYTHON311 ref: 00007FFB0A8BB7BF
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BB7ED
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BB802
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BB816
PyMem_Malloc.PYTHON311 ref: 00007FFB0A8BB848
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BB8B9
PyMem_Realloc.PYTHON311 ref: 00007FFB0A8BB8DB
PyFrame_New.PYTHON311 ref: 00007FFB0A8BB95B
PyTraceBack_Here.PYTHON311 ref: 00007FFB0A8BB970
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BB984
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BB998

Strings

GenericAlias, xrefs: 00007FFB0A8BB64C
C:\Users\RUNNER~1\AppData\Local\Temp\.tmp-propcache-pep517-ita1dcsm\src\src\propcache\_helpers_c.c, xrefs: 00007FFB0A8BB70A
%s (%s:%d), xrefs: 00007FFB0A8BB711

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Dealloc$Code_EmptyMem_Unicode_$Back_FormatFrame_FromHereMallocReallocState_ThreadTraceUnchecked
String ID: %s (%s:%d)$C:\Users\RUNNER~1\AppData\Local\Temp\.tmp-propcache-pep517-ita1dcsm\src\src\propcache\_helpers_c.c$GenericAlias
API String ID: 1426107518-3689565550
Opcode ID: d38d2ee086f91e584ec0cb990a1c33cf428ea871e9c12b74d0bde7789ea75da1
Instruction ID: a2612b3b27e2b4944e77a284804ed91674e733c7761bc4ccb37893b2e3d7a607
Opcode Fuzzy Hash: d38d2ee086f91e584ec0cb990a1c33cf428ea871e9c12b74d0bde7789ea75da1
Instruction Fuzzy Hash: ACA12AB3A29B4686EA649B25E948E39B3ACFF05BD0F044974CA4D077D4EF3CE4558740

Function 00007FFB0A8B4E30 Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 265threadCOMMON

Download Yara Rule

APIs

PyThreadState_Get.PYTHON311(?,?,?,?,?,?,?,?,?,?,00000000,00007FFB0A8B3957), ref: 00007FFB0A8B4E5F
PyErr_SetString.PYTHON311(?,?,?,?,?,?,?,?,?,?,00000000,00007FFB0A8B3957), ref: 00007FFB0A8B4EDF
_Py_Dealloc.PYTHON311(?,?,?,?,?,?,?,?,?,?,00000000,00007FFB0A8B3957), ref: 00007FFB0A8B4F2D
PyErr_SetString.PYTHON311(?,?,?,?,?,?,?,?,?,?,00000000,00007FFB0A8B3957), ref: 00007FFB0A8B4F51

Part of subcall function 00007FFB0A8B8D20: PyCode_NewEmpty.PYTHON311 ref: 00007FFB0A8B8D49
Part of subcall function 00007FFB0A8B8D20: PyFrame_New.PYTHON311 ref: 00007FFB0A8B8D6E

_Py_Dealloc.PYTHON311(?,?,?,?,?,?,?,?,?,?,00000000,00007FFB0A8B3957), ref: 00007FFB0A8B5226
_Py_Dealloc.PYTHON311(?,?,?,?,?,?,?,?,?,?,00000000,00007FFB0A8B3957), ref: 00007FFB0A8B5235
_PyThreadState_UncheckedGet.PYTHON311(?,?,?,?,?,?,?,?,?,?,00000000,00007FFB0A8B3957), ref: 00007FFB0A8B5269

Strings

__pyx_unpickle_cached_property__set_state, xrefs: 00007FFB0A8B4E84
'NoneType' object is not subscriptable, xrefs: 00007FFB0A8B4ED5, 00007FFB0A8B4F47, 00007FFB0A8B5109
propcache._helpers_c.__pyx_unpickle_cached_property__set_state, xrefs: 00007FFB0A8B520A
object of type 'NoneType' has no len(), xrefs: 00007FFB0A8B4FBC

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Dealloc$Err_State_StringThread$Code_EmptyFrame_Unchecked
String ID: 'NoneType' object is not subscriptable$__pyx_unpickle_cached_property__set_state$object of type 'NoneType' has no len()$propcache._helpers_c.__pyx_unpickle_cached_property__set_state
API String ID: 1917079393-718126327
Opcode ID: d16050cfe1ce4f9107850716a6451fb4041efaf7b12d1ca02841303c6570b3b0
Instruction ID: d75582801fcbde1dd6f0c582e0a4c8957b39d7624a20e98615e48574b5cf368c
Opcode Fuzzy Hash: d16050cfe1ce4f9107850716a6451fb4041efaf7b12d1ca02841303c6570b3b0
Instruction Fuzzy Hash: 1AC14EA7E29B4285FB588B35D840E7823A8FB48BA0F0858B1CE5E177E5DF3DE4458340

Function 00007FFB0A8B41D0 Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 265threadCOMMON

Download Yara Rule

APIs

PyThreadState_Get.PYTHON311(?,?,?,?,?,?,?,?,?,?,00000000,00007FFB0A8B2377), ref: 00007FFB0A8B41FF
PyErr_SetString.PYTHON311(?,?,?,?,?,?,?,?,?,?,00000000,00007FFB0A8B2377), ref: 00007FFB0A8B427F
_Py_Dealloc.PYTHON311(?,?,?,?,?,?,?,?,?,?,00000000,00007FFB0A8B2377), ref: 00007FFB0A8B42CD
PyErr_SetString.PYTHON311(?,?,?,?,?,?,?,?,?,?,00000000,00007FFB0A8B2377), ref: 00007FFB0A8B42F1

Part of subcall function 00007FFB0A8B8D20: PyCode_NewEmpty.PYTHON311 ref: 00007FFB0A8B8D49
Part of subcall function 00007FFB0A8B8D20: PyFrame_New.PYTHON311 ref: 00007FFB0A8B8D6E

_Py_Dealloc.PYTHON311(?,?,?,?,?,?,?,?,?,?,00000000,00007FFB0A8B2377), ref: 00007FFB0A8B45C6
_Py_Dealloc.PYTHON311(?,?,?,?,?,?,?,?,?,?,00000000,00007FFB0A8B2377), ref: 00007FFB0A8B45D5
_PyThreadState_UncheckedGet.PYTHON311(?,?,?,?,?,?,?,?,?,?,00000000,00007FFB0A8B2377), ref: 00007FFB0A8B4609

Strings

propcache._helpers_c.__pyx_unpickle_under_cached_property__set_state, xrefs: 00007FFB0A8B45AA
__pyx_unpickle_under_cached_property__set_state, xrefs: 00007FFB0A8B4224
'NoneType' object is not subscriptable, xrefs: 00007FFB0A8B4275, 00007FFB0A8B42E7, 00007FFB0A8B44A9
object of type 'NoneType' has no len(), xrefs: 00007FFB0A8B435C

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Dealloc$Err_State_StringThread$Code_EmptyFrame_Unchecked
String ID: 'NoneType' object is not subscriptable$__pyx_unpickle_under_cached_property__set_state$object of type 'NoneType' has no len()$propcache._helpers_c.__pyx_unpickle_under_cached_property__set_state
API String ID: 1917079393-1105465682
Opcode ID: ca0487b2d45c6b1520967c6b37b298b9cf494e4cd5a40d9508a1dcc1d57f071f
Instruction ID: 295bf2af75463a746ddd1abed04abe43d8a56370ab85a40e08e4126818df1551
Opcode Fuzzy Hash: ca0487b2d45c6b1520967c6b37b298b9cf494e4cd5a40d9508a1dcc1d57f071f
Instruction Fuzzy Hash: 0BC15EA7E28B4285FB548B35E841E7823A9FF48B90F0858B1CE5E177D6DE3DE8458340

Function 00007FFB0BC7D260 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 128threadCOMMON

Download Yara Rule

APIs

PyThreadState_Swap.PYTHON311 ref: 00007FFB0BC7D28A
PyThreadState_Swap.PYTHON311 ref: 00007FFB0BC7D296
?PyWinThreadState_Ensure@@YAHXZ.PYWINTYPES311 ref: 00007FFB0BC7D2A8
?PyWinInterpreterLock_Acquire@@YAXXZ.PYWINTYPES311 ref: 00007FFB0BC7D2B4
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC7D309
_Py_Dealloc.PYTHON311 ref: 00007FFB0BC7D320
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC7D33A
_Py_Dealloc.PYTHON311 ref: 00007FFB0BC7D351
PyObject_CallObject.PYTHON311 ref: 00007FFB0BC7D35D
_Py_Dealloc.PYTHON311 ref: 00007FFB0BC7D36F
PyLong_AsLong.PYTHON311 ref: 00007FFB0BC7D391
PyObject_IsSubclass.PYTHON311 ref: 00007FFB0BC7D3A5
PySequence_Check.PYTHON311 ref: 00007FFB0BC7D3C5
PySequence_GetItem.PYTHON311 ref: 00007FFB0BC7D3D4
PySequence_GetItem.PYTHON311 ref: 00007FFB0BC7D3E5
_Py_Dealloc.PYTHON311 ref: 00007FFB0BC7D404
?PyWinInterpreterLock_Release@@YAXXZ.PYWINTYPES311 ref: 00007FFB0BC7D40F
?PyWinThreadState_Free@@YAXXZ.PYWINTYPES311 ref: 00007FFB0BC7D419

Strings

llOlO, xrefs: 00007FFB0BC7D302
i(OO), xrefs: 00007FFB0BC7D330

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: DeallocState_Thread$Sequence_$BuildInterpreterItemLock_Object_SizeSwapValue_$Acquire@@CallCheckEnsure@@Free@@LongLong_ObjectRelease@@Subclass
String ID: i(OO)$llOlO
API String ID: 1289455058-1388649773
Opcode ID: d4863e31f0a5d767b89a5c48eab7b1581d4f1377ea47436e2d14884fc1a5e902
Instruction ID: 699950890dd68a4e1ed1865781f80b3df576c7470998432676367c2286f9de60
Opcode Fuzzy Hash: d4863e31f0a5d767b89a5c48eab7b1581d4f1377ea47436e2d14884fc1a5e902
Instruction Fuzzy Hash: AC51FFE5A08A82B2EA649F36E85497963A4FF85F94F08D035DD4F87B74DE3CE4458304

Function 00007FFB0A8B28B0 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 244threadCOMMON

Download Yara Rule

APIs

PyThreadState_Get.PYTHON311 ref: 00007FFB0A8B2908
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B2989
_PyThreadState_UncheckedGet.PYTHON311 ref: 00007FFB0A8B29C9
PyObject_RichCompare.PYTHON311 ref: 00007FFB0A8B29FD
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B2A49
PyTuple_New.PYTHON311 ref: 00007FFB0A8B2A5C
PyObject_Repr.PYTHON311 ref: 00007FFB0A8B2AA5
PyObject_Format.PYTHON311 ref: 00007FFB0A8B2ACA
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B2ADC
PyObject_Repr.PYTHON311 ref: 00007FFB0A8B2B31
PyObject_Format.PYTHON311 ref: 00007FFB0A8B2B56
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B2B68
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B2BE9
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B2C42
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B2C5B
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B2C98

Strings

__set_name__, xrefs: 00007FFB0A8B292D
propcache._helpers_c.cached_property.__set_name__, xrefs: 00007FFB0A8B2CA1

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Dealloc$Object_$FormatReprState_Thread$CompareRichTuple_Unchecked
String ID: __set_name__$propcache._helpers_c.cached_property.__set_name__
API String ID: 3979147398-3398048960
Opcode ID: 260c34f09e521a679db318358b86356d43a726b99d83356dcf80f919a7462012
Instruction ID: d2fa11a7fe3602efa9ffe71b97ac5ca24587345773a0d2e496cc7d220fde2c46
Opcode Fuzzy Hash: 260c34f09e521a679db318358b86356d43a726b99d83356dcf80f919a7462012
Instruction Fuzzy Hash: 10B139B7A28B4285EB559B22E854EB863A8FB45FD4F1448B5CE4E477E4EF3DE4418300

Function 00007FFB0BC7DC20 Relevance: 31.6, APIs: 14, Strings: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7DC48
SetConsoleCtrlHandler.KERNEL32 ref: 00007FFB0BC7DC6A
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7DC7D
PyCallable_Check.PYTHON311 ref: 00007FFB0BC7DCAE
PyErr_Format.PYTHON311 ref: 00007FFB0BC7DCD6

Strings

SetConsoleCtrlHandler, xrefs: 00007FFB0BC7DC76
The object has not been registered, xrefs: 00007FFB0BC7DE05
First argument must be callable (got %s), xrefs: 00007FFB0BC7DCBD
O|i:SetConsoleCtrlHandler, xrefs: 00007FFB0BC7DC37

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Arg_Callable_CheckConsoleCtrlErr_Error@@FormatHandlerParseSizeTuple_U_object@@Win_
String ID: First argument must be callable (got %s)$O|i:SetConsoleCtrlHandler$SetConsoleCtrlHandler$The object has not been registered
API String ID: 3224033357-283551758
Opcode ID: 38140e668c642e0f2f0b1a6d97589fd47e19c201eef5f5911368aa44df25d4cc
Instruction ID: e010d8819bbf96aba718cf6bf7735ecd668f4cbe0b6211e940363f1be99c4e7a
Opcode Fuzzy Hash: 38140e668c642e0f2f0b1a6d97589fd47e19c201eef5f5911368aa44df25d4cc
Instruction Fuzzy Hash: 3C513EE2A08A42B1FA618F75E84497563A0FF94B95F04D036DA0FC2A74EE7CE4858740

Function 00007FFB0BC76780 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 95threadCOMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FFB0BC767CC
_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC767E8
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC76806
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC76814
GetLongPathNameW.KERNEL32 ref: 00007FFB0BC7682D
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC76839
?PyWinObject_FromOLECHAR@@YAPEAU_object@@PEB_W@Z.PYWINTYPES311 ref: 00007FFB0BC76852
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC768C0
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC768D4

Strings

GetLongPathNameW, xrefs: 00007FFB0BC767B4, 00007FFB0BC768CD
O:GetLongPathNameW, xrefs: 00007FFB0BC767DE
%s is not available on this platform, xrefs: 00007FFB0BC767BB

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_U_object@@$Eval_Thread$Arg_Err_Error@@FormatFreeFromLongNameParsePathRestoreSaveSizeTuple_Win_
String ID: %s is not available on this platform$GetLongPathNameW$O:GetLongPathNameW
API String ID: 1941301505-4031329991
Opcode ID: 3a23fd03f17a4ae211f916bdfde1ff0f26d8d0c51a782232e23c887560dc4ac5
Instruction ID: f61c9ebbb6cf50184e8fef2461b80b678ea8544ec6725e1ed6eb16c1311b7634
Opcode Fuzzy Hash: 3a23fd03f17a4ae211f916bdfde1ff0f26d8d0c51a782232e23c887560dc4ac5
Instruction Fuzzy Hash: 5F4128A1A18A82B5EA709B31E844A7963A0FF88F90F04D131DD5FC7B74DE3CE4058750

Function 00007FFB0A8B8A40 Relevance: 30.0, APIs: 13, Strings: 4, Instructions: 204COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON311(?,GenericAlias,00000000,?,00000000,?,00007FFB0A8B1311), ref: 00007FFB0A8B8AAE
_Py_Dealloc.PYTHON311(?,GenericAlias,00000000,?,00000000,?,00007FFB0A8B1311), ref: 00007FFB0A8B8AC7
PyDict_Next.PYTHON311(?,GenericAlias,00000000,?,00000000,?,00007FFB0A8B1311), ref: 00007FFB0A8B8B09
PyUnicode_Compare.PYTHON311 ref: 00007FFB0A8B8B90
PyErr_Occurred.PYTHON311 ref: 00007FFB0A8B8B9C
PyUnicode_Compare.PYTHON311 ref: 00007FFB0A8B8C38
PyErr_Occurred.PYTHON311 ref: 00007FFB0A8B8C44
PyErr_Format.PYTHON311 ref: 00007FFB0A8B8C7E
PyErr_Format.PYTHON311 ref: 00007FFB0A8B8C9B
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B8CB0
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B8CC5
_Py_Dealloc.PYTHON311(?,GenericAlias,00000000,?,00000000,?,00007FFB0A8B1311), ref: 00007FFB0A8B8CE5
_Py_Dealloc.PYTHON311(?,GenericAlias,00000000,?,00000000,?,00007FFB0A8B1311), ref: 00007FFB0A8B8CFD

Strings

%s() got an unexpected keyword argument '%U', xrefs: 00007FFB0A8B8C60
%.200s() keywords must be strings, xrefs: 00007FFB0A8B8C8D
GenericAlias, xrefs: 00007FFB0A8B8A4E
%s() got multiple values for keyword argument '%U', xrefs: 00007FFB0A8B8C69

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Dealloc$Err_$CompareFormatOccurredUnicode_$Dict_Next
String ID: %.200s() keywords must be strings$%s() got an unexpected keyword argument '%U'$%s() got multiple values for keyword argument '%U'$GenericAlias
API String ID: 1209267933-2659196485
Opcode ID: 97b04cf10265f7912532a164c5a6d4837cdb769aa05f257d96e0974df34192a9
Instruction ID: 6a09c02b9c2b5ba185f3fb44b821be1b2bb4c582d5c274fa0fc0f95d6ffb27b8
Opcode Fuzzy Hash: 97b04cf10265f7912532a164c5a6d4837cdb769aa05f257d96e0974df34192a9
Instruction Fuzzy Hash: 69914AB3A29B4689EB948F75D850DB827ACFF48B98B144876DE0D53794DF39E481C340

Function 00007FFB0BC7B390 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 114threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7B3EE
?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z.PYWINTYPES311 ref: 00007FFB0BC7B40D
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC7B429
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC7B445
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC7B461
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC7B47D
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7B4AE
ShellExecuteW.SHELL32 ref: 00007FFB0BC7B4D7
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7B4E3
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7B501
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7B521
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7B52B
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7B535
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7B543

Strings

OOOOOi:ShellExecute, xrefs: 00007FFB0BC7B3D4
ShellExecute, xrefs: 00007FFB0BC7B4FA

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_$U_object@@$Free$Eval_Thread$Arg_Error@@ExecuteParseRestoreSaveShellSizeTuple_Win_
String ID: OOOOOi:ShellExecute$ShellExecute
API String ID: 2977161726-3224373903
Opcode ID: b655fc5aed8402e0ae6a5255a752c1439a1cf3f0ebd221d616720f0b264e9937
Instruction ID: 5a860ba9963ee88734974306929d34ee14cc31ebb1b4e5c5984c657f1172ecf7
Opcode Fuzzy Hash: b655fc5aed8402e0ae6a5255a752c1439a1cf3f0ebd221d616720f0b264e9937
Instruction Fuzzy Hash: 3C514F72709A42B9EB609F75E450AA933A4FB84B88F409136EE1E87F68DF38D505C700

Function 00007FFB0BC71830 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 113COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FFB0BC71871
PyArg_ParseTupleAndKeywords.PYTHON311 ref: 00007FFB0BC718E4
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC71903
memset.VCRUNTIME140 ref: 00007FFB0BC7191E
EnumDisplayDevicesW.USER32 ref: 00007FFB0BC7193E
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC71951
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7195C

Strings

EnumDisplayDevices, xrefs: 00007FFB0BC71860, 00007FFB0BC7194A
DISPLAY_DEVICE structure of size %d greater than supported size of %d, xrefs: 00007FFB0BC7197E
|Okk:EnumDisplayDevices, xrefs: 00007FFB0BC718A2
%s is not available on this platform, xrefs: 00007FFB0BC71867

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_U_object@@$Arg_DevicesDisplayEnumErr_Error@@FormatFreeKeywordsParseTupleWin_memset
String ID: %s is not available on this platform$DISPLAY_DEVICE structure of size %d greater than supported size of %d$EnumDisplayDevices$|Okk:EnumDisplayDevices
API String ID: 3823307438-2876257954
Opcode ID: 9c644e2c00ce270b376a43ee76212b4763f1c992ded73f6e2a7a194bfcadc0b7
Instruction ID: 447cc7a05f6b86e468a7562ddf1385f5c70a4eed62173a6d7f67598a17cc9554
Opcode Fuzzy Hash: 9c644e2c00ce270b376a43ee76212b4763f1c992ded73f6e2a7a194bfcadc0b7
Instruction Fuzzy Hash: 735120B5A08B82B2E6619B21E440B6A73B5FBC5F94F449031EA4E93F64DF7CE505C740

Function 00007FFB0BC7AC40 Relevance: 29.8, APIs: 15, Strings: 2, Instructions: 81threadregistryCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7AC58
?PyWinObject_AsHKEY@@YAHPEAU_object@@PEAPEAUHKEY__@@@Z.PYWINTYPES311 ref: 00007FFB0BC7AC70
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7AC90
RegGetKeySecurity.ADVAPI32 ref: 00007FFB0BC7ACAA
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7ACB5
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7ACC9
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB0BC7ACE2
PyErr_NoMemory.PYTHON311 ref: 00007FFB0BC7ACF0

Strings

RegGetKeySecurity, xrefs: 00007FFB0BC7ACC2, 00007FFB0BC7AD44
Ol:RegGetKeySecurity, xrefs: 00007FFB0BC7AC4C

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_ThreadU_object@@$Arg_Err_Error@@MemoryObject_ParseRestoreSaveSecuritySizeTuple_Win_Y__@@@malloc
String ID: Ol:RegGetKeySecurity$RegGetKeySecurity
API String ID: 918912596-1280912029
Opcode ID: 338e9540deaedde1d83c105c00c1e2e82fbbbdeec9a599b9f821ef1476321839
Instruction ID: 9d5020503a90328487192753d7a93a9d522a623f30717f1ec835dad0fa223e08
Opcode Fuzzy Hash: 338e9540deaedde1d83c105c00c1e2e82fbbbdeec9a599b9f821ef1476321839
Instruction Fuzzy Hash: DF31C0A5A18A82B2DB209B65F844969A361FBC8F91F545031EE4F83F38DF7CD545CB04

Function 00007FFB0BC74F90 Relevance: 29.8, APIs: 13, Strings: 4, Instructions: 75threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC74FA9
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC74FDF
VkKeyScanA.USER32 ref: 00007FFB0BC74FF1
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC74FFD
PyLong_FromLong.PYTHON311 ref: 00007FFB0BC75005
PyUnicode_GetLength.PYTHON311 ref: 00007FFB0BC75020
PyErr_SetString.PYTHON311 ref: 00007FFB0BC750B4

Strings

O:VkKeyScan, xrefs: 00007FFB0BC74FA2
must be a byte string of length 1, xrefs: 00007FFB0BC74FD3
must be a unicode string of length 1, xrefs: 00007FFB0BC7502C
must be a unicode or byte string of length 1, xrefs: 00007FFB0BC750A3

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_Thread$Arg_Err_FromLengthLongLong_ParseRestoreSaveScanSizeStringTuple_Unicode_
String ID: O:VkKeyScan$must be a byte string of length 1$must be a unicode or byte string of length 1$must be a unicode string of length 1
API String ID: 819540348-4003332352
Opcode ID: 3dbdf4f6bf24adab2dca4c39caf3c3e1e971b279809510852a910f37732ab275
Instruction ID: a3a8cb1dfc06add1503a52af96be2a3dc2c2f3a2d48eecde1d2901ba55ebac57
Opcode Fuzzy Hash: 3dbdf4f6bf24adab2dca4c39caf3c3e1e971b279809510852a910f37732ab275
Instruction Fuzzy Hash: DC313EA5A08B82B2EA248B25F85497963A1FFC8B81F44D036D94F82B74DF3CE545C745

Function 00007FFB0BC7A9A0 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 118threadregistryCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7A9E6
?PyWinObject_AsHKEY@@YAHPEAU_object@@PEAPEAUHKEY__@@@Z.PYWINTYPES311 ref: 00007FFB0BC7A9F8
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC7AA29
?PyWinObject_FreeMultipleString@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7AA53
PyMem_Free.PYTHON311 ref: 00007FFB0BC7AA64
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7AA75
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7AA96
RegSetValueExW.ADVAPI32 ref: 00007FFB0BC7AABE
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7AAC9
?PyWinObject_FreeMultipleString@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7AAF7
PyMem_Free.PYTHON311 ref: 00007FFB0BC7AAFF
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7AB07
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7AB11
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7AB24

Strings

RegSetValueEx, xrefs: 00007FFB0BC7AB1D
OOOiO:RegSetValueEx, xrefs: 00007FFB0BC7A9CA

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: FreeObject_$U_object@@$Eval_Mem_MultipleString@@Thread$Arg_Error@@ParseRestoreSaveSizeTuple_ValueWin_Y__@@@
String ID: OOOiO:RegSetValueEx$RegSetValueEx
API String ID: 4231837488-1011897307
Opcode ID: ca14dd6abc674ae6852f6a93d6f041b7a9cdadc47870ded6b3bd58d780d829b7
Instruction ID: e320c0aec5600867b4a27fbe7180947c5b6e98f4108e41c4dac41021aa63a191
Opcode Fuzzy Hash: ca14dd6abc674ae6852f6a93d6f041b7a9cdadc47870ded6b3bd58d780d829b7
Instruction Fuzzy Hash: 205122B2B48642A9EB708BB5E844BBD23A1FB88B54F449135E94F87E68CE3CD445C704

Function 00007FFB0BC761C0 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC761FE
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC76220
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC76240
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC7625D
PyErr_SetString.PYTHON311 ref: 00007FFB0BC762A3
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC76322
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7632C
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC76336

Strings

Section data must be terminated by double null, xrefs: 00007FFB0BC76299
OO|O:WriteProfileSection, xrefs: 00007FFB0BC761F3
WriteProfileSection, xrefs: 00007FFB0BC762FE

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_$FreeU_object@@$Arg_Err_ParseSizeStringTuple_
String ID: OO|O:WriteProfileSection$Section data must be terminated by double null$WriteProfileSection
API String ID: 747030270-3105349092
Opcode ID: 799aeef8795939187d6f2bc935f25ea29549fc44ffa0eb64ea0e82489f30aab4
Instruction ID: 5d3c65e6d1445d94021d9dead49fc7c607d64b805221e7a16f8d36ce8b65d9dd
Opcode Fuzzy Hash: 799aeef8795939187d6f2bc935f25ea29549fc44ffa0eb64ea0e82489f30aab4
Instruction Fuzzy Hash: 8A410DB2A18E52B5EB609F71E8449AC33B5FB84B84B449135ED0F97E68DF38E445C304

Function 00007FFB0BC7AE60 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 96threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7AEC1
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC7AEE3
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC7AF01
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC7AF20
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7AF3E
SearchPathW.KERNEL32 ref: 00007FFB0BC7AF70
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7AF7B
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7AF96
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7AFE5
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7AFF0
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7AFFB

Strings

SearchPath, xrefs: 00007FFB0BC7AF8F
OO|O:SearchPath, xrefs: 00007FFB0BC7AEB5

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_$U_object@@$Free$Eval_Thread$Arg_Error@@ParsePathRestoreSaveSearchSizeTuple_Win_
String ID: OO|O:SearchPath$SearchPath
API String ID: 1043343548-3479636443
Opcode ID: b89dc6c2a00b51db5cbb0dc4d74d0d7ff2fcd37c126bbf8fb78eba7283b9057a
Instruction ID: f3359589c48078050e53e0935886c9473223f7945b9081c2ae59d4e577e68d0f
Opcode Fuzzy Hash: b89dc6c2a00b51db5cbb0dc4d74d0d7ff2fcd37c126bbf8fb78eba7283b9057a
Instruction Fuzzy Hash: B44121B1618A82B6EB609B25F454A6A73A4FBC5B84F409035EA8F87F38DF3CD505C744

Function 00007FFB0BC7E370 Relevance: 28.1, APIs: 3, Strings: 13, Instructions: 70COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FFB0BC7E3AD
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7E3ED

Strings

AvailPageFile, xrefs: 00007FFB0BC7E489
{s:k,s:k,s:K,s:K,s:K,s:K,s:K,s:K,s:K}, xrefs: 00007FFB0BC7E431
AvailPhys, xrefs: 00007FFB0BC7E4BB
TotalPhys, xrefs: 00007FFB0BC7E4D4
@, xrefs: 00007FFB0BC7E3D3
%s is not available on this platform, xrefs: 00007FFB0BC7E3A3
Length, xrefs: 00007FFB0BC7E422
MemoryLoad, xrefs: 00007FFB0BC7E413
AvailVirtual, xrefs: 00007FFB0BC7E457
AvailExtendedVirtual, xrefs: 00007FFB0BC7E438
GlobalMemoryStatusEx, xrefs: 00007FFB0BC7E39C, 00007FFB0BC7E3E6
TotalPageFile, xrefs: 00007FFB0BC7E4A2
TotalVirtual, xrefs: 00007FFB0BC7E470

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Err_Error@@FormatU_object@@Win_
String ID: %s is not available on this platform$@$AvailExtendedVirtual$AvailPageFile$AvailPhys$AvailVirtual$GlobalMemoryStatusEx$Length$MemoryLoad$TotalPageFile$TotalPhys$TotalVirtual${s:k,s:k,s:K,s:K,s:K,s:K,s:K,s:K,s:K}
API String ID: 1771588633-1184968265
Opcode ID: 8f3660d0565a42c887fb6425d839c9716033c5b851f901365eaf271ec2e69b8d
Instruction ID: 2ecb8e3b5ca4bf4961996e6f13facce10cf6736f5b40c1d98d7438fcf465f1cc
Opcode Fuzzy Hash: 8f3660d0565a42c887fb6425d839c9716033c5b851f901365eaf271ec2e69b8d
Instruction Fuzzy Hash: 2B41BC75609F86A5EA70CB25F4507AA73A4FB88744F409136DA8E83B38DF3CD159CB40

Function 00007FFB0BC72FE0 Relevance: 26.3, APIs: 13, Strings: 2, Instructions: 86threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC73008
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC73026
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB0BC73048
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB0BC73057
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC73065
GetEnvironmentVariableW.KERNEL32 ref: 00007FFB0BC73079
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC73084
PyErr_NoMemory.PYTHON311 ref: 00007FFB0BC73096
?PyWinObject_FromOLECHAR@@YAPEAU_object@@PEB_W_J@Z.PYWINTYPES311 ref: 00007FFB0BC730A4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB0BC730E6
PyMem_Free.PYTHON311 ref: 00007FFB0BC730FB

Strings

GetEnvironmentVariableW, xrefs: 00007FFB0BC730D1
O:GetEnvironmentVariableW, xrefs: 00007FFB0BC73001

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_Object_ThreadU_object@@free$Arg_EnvironmentErr_FreeFromMem_MemoryParseRestoreSaveSizeTuple_Variablemalloc
String ID: GetEnvironmentVariableW$O:GetEnvironmentVariableW
API String ID: 442114519-3021908484
Opcode ID: 416fb18958e888185e9b72c34c0e5e46d01c33bec6c252994044743c8f17ead9
Instruction ID: b20161d834a04b34d6d39e2db113fc83b42b89d9b1e456353e55bd9e92b4a951
Opcode Fuzzy Hash: 416fb18958e888185e9b72c34c0e5e46d01c33bec6c252994044743c8f17ead9
Instruction Fuzzy Hash: 9C313AA1B4DA82B2EA345B36E81493972A0BFC4F80F04D031ED0F87F74CE2DE4429208

Function 00007FFB0BC7A830 Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 84threadregistryCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7A866
?PyWinObject_AsHKEY@@YAHPEAU_object@@PEAPEAUHKEY__@@@Z.PYWINTYPES311 ref: 00007FFB0BC7A87A
PyErr_SetString.PYTHON311 ref: 00007FFB0BC7A89F
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC7A8C1
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC7A8DC
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7A8EB
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7A902
RegSetValueW.ADVAPI32 ref: 00007FFB0BC7A92D
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7A938
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7A943
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7A94E
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7A966

Strings

RegSetValue, xrefs: 00007FFB0BC7A95F
OOiO:RegSetValue, xrefs: 00007FFB0BC7A854
Type must be win32con.REG_SZ, xrefs: 00007FFB0BC7A895

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_$U_object@@$Free$Eval_Thread$Arg_Err_Error@@ParseRestoreSaveSizeStringTuple_ValueWin_Y__@@@
String ID: OOiO:RegSetValue$RegSetValue$Type must be win32con.REG_SZ
API String ID: 2440488729-3406249925
Opcode ID: 859284c7760a741447147967cba96065c3970fe84f659e840ef432e5589a0e0b
Instruction ID: dc21e6e48418b1b16a72bb3f2ca5792ce16907d40d38c4319dab0fd2e4594b5e
Opcode Fuzzy Hash: 859284c7760a741447147967cba96065c3970fe84f659e840ef432e5589a0e0b
Instruction Fuzzy Hash: 1A41EFB5B18A82A1DB209F65E84496973A1FBC4B80F849136EA5F87B24DF3CD445C704

Function 00007FFB0BC731F0 Relevance: 26.3, APIs: 13, Strings: 2, Instructions: 72threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC73207
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC73225
ExpandEnvironmentStringsW.KERNEL32 ref: 00007FFB0BC73247
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB0BC73254
PyErr_NoMemory.PYTHON311 ref: 00007FFB0BC73262
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7326D
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7328A
ExpandEnvironmentStringsW.KERNEL32 ref: 00007FFB0BC7329E
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC732A9
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC732C1
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC732DA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB0BC732E3

Strings

O:ExpandEnvironmentStrings, xrefs: 00007FFB0BC731FE
ExpandEnvironmentStrings, xrefs: 00007FFB0BC732BA

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_$EnvironmentEval_ExpandFreeStringsThreadU_object@@$Arg_Err_Error@@MemoryParseRestoreSaveSizeTuple_Win_freemalloc
String ID: ExpandEnvironmentStrings$O:ExpandEnvironmentStrings
API String ID: 3555446973-3304109119
Opcode ID: e2993454c0857cd1765f8784faa244d3d641c8b522f564f080aabd5d91f9432e
Instruction ID: d9d95ac0f1fee1730c95360335b37be4b5c5dc36d7317dffb21b538fdd6d9ddc
Opcode Fuzzy Hash: e2993454c0857cd1765f8784faa244d3d641c8b522f564f080aabd5d91f9432e
Instruction Fuzzy Hash: B0314FA5B08A92B2EB209B75F844829A3A0FFC8F95B449035ED4F83F34DF6CD4458708

Function 00007FFB0A8B1490 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 165threadCOMMON

Download Yara Rule

APIs

PyDict_Size.PYTHON311 ref: 00007FFB0A8B14F9
PyDict_Size.PYTHON311 ref: 00007FFB0A8B1507
_PyDict_GetItem_KnownHash.PYTHON311 ref: 00007FFB0A8B1525
PyErr_Format.PYTHON311 ref: 00007FFB0A8B15D2
PyThreadState_Get.PYTHON311 ref: 00007FFB0A8B1611
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B1675
PyObject_GetAttr.PYTHON311 ref: 00007FFB0A8B16A5
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B16E4
_PyThreadState_UncheckedGet.PYTHON311 ref: 00007FFB0A8B16F2

Strings

propcache._helpers_c.under_cached_property.__init__, xrefs: 00007FFB0A8B15E7, 00007FFB0A8B16C4
__init__, xrefs: 00007FFB0A8B14AE
%.200s() takes %.8s %zd positional argument%.1s (%zd given), xrefs: 00007FFB0A8B15BC
exactly, xrefs: 00007FFB0A8B15B0

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Dict_$DeallocSizeState_Thread$AttrErr_FormatHashItem_KnownObject_Unchecked
String ID: %.200s() takes %.8s %zd positional argument%.1s (%zd given)$__init__$exactly$propcache._helpers_c.under_cached_property.__init__
API String ID: 330995060-1756296840
Opcode ID: f7b6087d35a03432eea17d2e669bca847e7f9f7920b8ea27d5a1b004d298d078
Instruction ID: 4eb0a37868b877cb63b87d2835c08450e33c0523b006aa0548bcbceba56807e0
Opcode Fuzzy Hash: f7b6087d35a03432eea17d2e669bca847e7f9f7920b8ea27d5a1b004d298d078
Instruction Fuzzy Hash: 96716FB7A28B4285EA509B21E454EA933ACFB49B90F584AB2CE5D477E0DF3CE445C740

Function 00007FFB0A8B2400 Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 151threadCOMMON

Download Yara Rule

APIs

PyDict_Size.PYTHON311 ref: 00007FFB0A8B2469
PyDict_Size.PYTHON311 ref: 00007FFB0A8B2477
_PyDict_GetItem_KnownHash.PYTHON311 ref: 00007FFB0A8B2495
PyErr_Format.PYTHON311 ref: 00007FFB0A8B2542
PyThreadState_Get.PYTHON311 ref: 00007FFB0A8B2581
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B2602
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B2620
_PyThreadState_UncheckedGet.PYTHON311 ref: 00007FFB0A8B2635

Strings

propcache._helpers_c.cached_property.__init__, xrefs: 00007FFB0A8B2557, 00007FFB0A8B25D7
=, xrefs: 00007FFB0A8B25AE
__init__, xrefs: 00007FFB0A8B241E
%.200s() takes %.8s %zd positional argument%.1s (%zd given), xrefs: 00007FFB0A8B252C
exactly, xrefs: 00007FFB0A8B2520

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Dict_$DeallocSizeState_Thread$Err_FormatHashItem_KnownUnchecked
String ID: %.200s() takes %.8s %zd positional argument%.1s (%zd given)$=$__init__$exactly$propcache._helpers_c.cached_property.__init__
API String ID: 1610907679-2699741034
Opcode ID: 89ccbe0495c964dd78be2f3f95b314560fb2eea9ea3ed634ce0be65b2b9926d2
Instruction ID: 824fbba450cceaee648aa3bafbb46c087049bee553b0efef19b6239c109dc8a0
Opcode Fuzzy Hash: 89ccbe0495c964dd78be2f3f95b314560fb2eea9ea3ed634ce0be65b2b9926d2
Instruction Fuzzy Hash: 8F615EB3A29B4295EA609B25E850EA933ACFB48B94F1449B1DD9D437E0EF3CE445C340

Function 00007FFB0BC777A0 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 99COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC777D0
GetVersionExW.KERNEL32 ref: 00007FFB0BC7780F
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC77822

Strings

iiiiNiiiii, xrefs: 00007FFB0BC7791A
GetVersionEx, xrefs: 00007FFB0BC7781B
iiiiN, xrefs: 00007FFB0BC77853
|i:GetVersionEx, xrefs: 00007FFB0BC777C4
format must be 0 or 1 (got %d), xrefs: 00007FFB0BC7799C

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Arg_Error@@ParseSizeTuple_U_object@@VersionWin_
String ID: GetVersionEx$format must be 0 or 1 (got %d)$iiiiN$iiiiNiiiii$|i:GetVersionEx
API String ID: 1186762094-3034106869
Opcode ID: dcf5c04dd9bb397404b0f08f91f412e507dded10b7873e94be6950ab2221602e
Instruction ID: ef26ce8842383bda0a4539270157abd61526292de5748ddf684811cb6759cce0
Opcode Fuzzy Hash: dcf5c04dd9bb397404b0f08f91f412e507dded10b7873e94be6950ab2221602e
Instruction Fuzzy Hash: 3051DF76A086C1E6E7709B25F4517AAB7A4FBD8B44F409126DA8E83E68DF3CD505CF00

Function 00007FFB0BC76BB0 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 97timeCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC76BE3
GetTimeZoneInformation.KERNEL32 ref: 00007FFB0BC76C01
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC76C17

Strings

i,(lNNlNNl), xrefs: 00007FFB0BC76D20
hhhhhhhh, xrefs: 00007FFB0BC76C6D, 00007FFB0BC76CA2
|i:GetTimeZoneInformation, xrefs: 00007FFB0BC76BD7
GetTimeZoneInformation, xrefs: 00007FFB0BC76C10

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Arg_Error@@InformationParseSizeTimeTuple_U_object@@Win_Zone
String ID: GetTimeZoneInformation$hhhhhhhh$i,(lNNlNNl)$|i:GetTimeZoneInformation
API String ID: 494084890-2351844005
Opcode ID: 559f285eb03c373537a106ecf24c2a7c12b18f707f5938bcb8ff325293489340
Instruction ID: 94cca8d1dc72bdddb669547d13f257fac8e8fe0a7eb2ed38a23a9deb8969f79f
Opcode Fuzzy Hash: 559f285eb03c373537a106ecf24c2a7c12b18f707f5938bcb8ff325293489340
Instruction Fuzzy Hash: 7B516272A18A91EAE3608F71E4405BDB7B1F788B55F008135EE8E92E68DF3CD554DB10

Function 00007FFB0BC78820 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 93registryCOMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON311 ref: 00007FFB0BC78874
?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z.PYWINTYPES311 ref: 00007FFB0BC7888C
PyErr_Format.PYTHON311 ref: 00007FFB0BC788C2
?PyWinObject_AsHKEY@@YAHPEAU_object@@PEAPEAUHKEY__@@@Z.PYWINTYPES311 ref: 00007FFB0BC788EA
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC78908
RegDeleteKeyTransactedW.ADVAPI32 ref: 00007FFB0BC7893B
RegDeleteKeyExW.ADVAPI32 ref: 00007FFB0BC78943
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC78956
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC78961
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC78986

Strings

RegDeleteKeyTransacted, xrefs: 00007FFB0BC788AA
OO|kO:RegDeleteKeyEx, xrefs: 00007FFB0BC78848
RegDeleteKeyEx, xrefs: 00007FFB0BC788D7, 00007FFB0BC7894F
%s is not available on this platform, xrefs: 00007FFB0BC788B8

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_$U_object@@$DeleteFree$Arg_Err_Error@@FormatKeywords_ParseSizeTransactedTupleWin_Y__@@@
String ID: %s is not available on this platform$OO|kO:RegDeleteKeyEx$RegDeleteKeyEx$RegDeleteKeyTransacted
API String ID: 406844515-1177429670
Opcode ID: a8d0455f11b2177b5309fb66dcae5d6e1b418cf117256d9bfc6b17e289780467
Instruction ID: a1a1d93d577ca7f5b9cc85db916008f6322e7670df5165ecd986f77df03767d9
Opcode Fuzzy Hash: a8d0455f11b2177b5309fb66dcae5d6e1b418cf117256d9bfc6b17e289780467
Instruction Fuzzy Hash: AD413BB1B19A42B1EB208F32E84896963B4FB84B90F549135DA6EC7B70DF3CE854C750

Function 00007FFB0BC753D0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 88threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC753F3
?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z.PYWINTYPES311 ref: 00007FFB0BC7540B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB0BC7542B
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB0BC75436
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7544A
GetModuleFileNameW.KERNEL32 ref: 00007FFB0BC7545E
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC75469
PyUnicode_FromWideChar.PYTHON311 ref: 00007FFB0BC75481
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB0BC7548D
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC754B2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB0BC754BB

Strings

GetModuleFileNameW, xrefs: 00007FFB0BC754AB
O:GetModuleFileNameW, xrefs: 00007FFB0BC753E4

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: free$Eval_ThreadU_object@@$Arg_CharError@@FileFromModuleNameObject_ParseRestoreSaveSizeTuple_Unicode_WideWin_malloc
String ID: GetModuleFileNameW$O:GetModuleFileNameW
API String ID: 620236332-2665633720
Opcode ID: 0abda395fb0803b5de2c259cbf2ee36195411d57c0d88a604871dc294e97b4f0
Instruction ID: 2618432189c12b90104faf761a8e53466982e5d945f92efce2537501d2c00081
Opcode Fuzzy Hash: 0abda395fb0803b5de2c259cbf2ee36195411d57c0d88a604871dc294e97b4f0
Instruction Fuzzy Hash: 5F316195B08B82A3EA259B66F8448696360FF84FE1F149031DE0F93F74DE3CD8868704

Function 00007FFB0BC741F0 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 78COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FFB0BC74219
_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7423E

Strings

i:GetUserNameEx, xrefs: 00007FFB0BC74230
GetUserNameEx, xrefs: 00007FFB0BC74208, 00007FFB0BC742F5
GetUserNameExW, xrefs: 00007FFB0BC7426F
%s is not available on this platform, xrefs: 00007FFB0BC7420F

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Arg_Err_FormatParseSizeTuple_
String ID: %s is not available on this platform$GetUserNameEx$GetUserNameExW$i:GetUserNameEx
API String ID: 365124298-1708107889
Opcode ID: bd7de3162272dddcc34e35a81f89dff6f90e077454c8176aca12eb928da79b20
Instruction ID: 8439d6a8d199d38383ed2ed2c7cc394f3c0a94e92567a124c06e497ff55c1c37
Opcode Fuzzy Hash: bd7de3162272dddcc34e35a81f89dff6f90e077454c8176aca12eb928da79b20
Instruction Fuzzy Hash: 06311EA5A08A82F6EA649B65F84496973A0FBC4F95F449031EA4F83F34DF3CE159C704

Function 00007FFB0BC76A60 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 73threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC76AAC
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC76ACD
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC76AEB
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC76B09
GetTempFileNameW.KERNEL32 ref: 00007FFB0BC76B26
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC76B31
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC76B4C
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC76B82
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC76B8D

Strings

(Ni), xrefs: 00007FFB0BC76B62
GetTempFileName, xrefs: 00007FFB0BC76B45
OO|i:GetTempFileName, xrefs: 00007FFB0BC76AA5

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_$U_object@@$Eval_FreeThread$Arg_Error@@FileNameParseRestoreSaveSizeTempTuple_Win_
String ID: (Ni)$GetTempFileName$OO|i:GetTempFileName
API String ID: 3450990225-3597938607
Opcode ID: a252fd90597c196fb4d96b3da972dd00969e8652b20881d17112496e011d325a
Instruction ID: f2744f984a9ff8964e6ee12e4a4e918a106872c6239ed5fc068e9496dea6a1f7
Opcode Fuzzy Hash: a252fd90597c196fb4d96b3da972dd00969e8652b20881d17112496e011d325a
Instruction Fuzzy Hash: 4A31E365619A86B2EB709B75F854A6AA3A0FBC5B80F409035E94F87F34DF3CD405C740

Function 00007FFB0B2548C8 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 94COMMON

Download Yara Rule

APIs

_PyUnicode_Ready.PYTHON311 ref: 00007FFB0B2548F5
PyUnicode_CompareWithASCIIString.PYTHON311 ref: 00007FFB0B254927
PyUnicode_Compare.PYTHON311 ref: 00007FFB0B25498A
_Py_Dealloc.PYTHON311 ref: 00007FFB0B25499B
PyUnicode_CompareWithASCIIString.PYTHON311 ref: 00007FFB0B2549AF
PyUnicode_CompareWithASCIIString.PYTHON311 ref: 00007FFB0B2549CF
PyUnicode_CompareWithASCIIString.PYTHON311 ref: 00007FFB0B2549E7
PyErr_SetString.PYTHON311 ref: 00007FFB0B254A0A

Strings

NFKD, xrefs: 00007FFB0B2549DD
invalid normalization form, xrefs: 00007FFB0B254A00
NFC, xrefs: 00007FFB0B254917
NFD, xrefs: 00007FFB0B2549C5
NFKC, xrefs: 00007FFB0B2549A5

Memory Dump Source

Source File: 00000008.00000002.2569480327.00007FFB0B251000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFB0B250000, based on PE: true

Associated: 00000008.00000002.2569434452.00007FFB0B250000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B255000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2B2000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2FE000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B301000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B306000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B360000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569948940.00007FFB0B363000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569977529.00007FFB0B365000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b250000_Payload.jbxd

Similarity

API ID: Unicode_$CompareString$With$DeallocErr_Ready
String ID: NFC$NFD$NFKC$NFKD$invalid normalization form
API String ID: 1067165228-3528878251
Opcode ID: a97fda713efcdaed74d0f15b89fc759eef65b993e3755085a36f180e1a2a6872
Instruction ID: 0a11a9ad9b6ca7978ba03e3fecc9b8a6566977dd37250d9b1e5284f7a47d78ab
Opcode Fuzzy Hash: a97fda713efcdaed74d0f15b89fc759eef65b993e3755085a36f180e1a2a6872
Instruction Fuzzy Hash: 2B4137A1A0CA4785EA54AB32E894F79ABA0BF55B84F84C135C95FC67B8DF3CE4449300

Function 00007FFB0BC78050 Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 81threadwindowCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC780B5
?PyWinObject_AsPARAM@@YAHPEAU_object@@PEAVPyWin_PARAMHolder@@@Z.PYWINTYPES311 ref: 00007FFB0BC780C8
?PyWinObject_AsPARAM@@YAHPEAU_object@@PEAVPyWin_PARAMHolder@@@Z.PYWINTYPES311 ref: 00007FFB0BC780DB
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC780E5
PostThreadMessageW.USER32 ref: 00007FFB0BC780FC
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC78107
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7811A
PyMem_Free.PYTHON311 ref: 00007FFB0BC78144
??1PyWinBufferView@@QEAA@XZ.PYWINTYPES311 ref: 00007FFB0BC78152
PyMem_Free.PYTHON311 ref: 00007FFB0BC78162
??1PyWinBufferView@@QEAA@XZ.PYWINTYPES311 ref: 00007FFB0BC78170

Strings

PostThreadMessage, xrefs: 00007FFB0BC78113
iI|OO:PostThreadMessage, xrefs: 00007FFB0BC780AE

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: ThreadU_object@@Win_$BufferEval_FreeHolder@@@Mem_Object_View@@$Arg_Error@@MessageParsePostRestoreSaveSizeTuple_
String ID: PostThreadMessage$iI|OO:PostThreadMessage
API String ID: 2138032054-2629939695
Opcode ID: 1383a0ec72b50640771fe6911c22897baf8cb09659dc9e09eb94c94a081ddc68
Instruction ID: c0c698378dd1ed97439f83d99ff37580f7d05381fe9f3561db9679a4374f735d
Opcode Fuzzy Hash: 1383a0ec72b50640771fe6911c22897baf8cb09659dc9e09eb94c94a081ddc68
Instruction Fuzzy Hash: 5C411D76B19A41BAE720CB71E8449A933B4EB84B84F049136EE4F93E64DE38D055C340

Function 00007FFB0BC7DF20 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7DF32
GetKeyboardLayoutList.USER32 ref: 00007FFB0BC7DF57
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB0BC7DF6A
PyErr_Format.PYTHON311 ref: 00007FFB0BC7DF8C

Strings

:GetKeyboardLayoutList, xrefs: 00007FFB0BC7DF2B
GetKeyboardLayoutList, xrefs: 00007FFB0BC7DFA8
Unable to allocate %d bytes, xrefs: 00007FFB0BC7DF7F

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Arg_Err_FormatKeyboardLayoutListParseSizeTuple_malloc
String ID: :GetKeyboardLayoutList$GetKeyboardLayoutList$Unable to allocate %d bytes
API String ID: 2749730152-1085947540
Opcode ID: 48c2e4495508eafe642eecbf5fb080ad96104530990c315de77a4c9101e06291
Instruction ID: aa4f9d13431e83bb1021d766a5fccbaf19b24a438de39f81cb891af69d3aa9ef
Opcode Fuzzy Hash: 48c2e4495508eafe642eecbf5fb080ad96104530990c315de77a4c9101e06291
Instruction Fuzzy Hash: C13109A2B49A82A2EA749B35F844979A3A5FF84F81B08D035DD4FC6F74DE3CE4459204

Function 00007FFB0BC7B030 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 79threadwindowCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7B097
?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z.PYWINTYPES311 ref: 00007FFB0BC7B0AB
?PyWinObject_AsPARAM@@YAHPEAU_object@@PEAVPyWin_PARAMHolder@@@Z.PYWINTYPES311 ref: 00007FFB0BC7B0BD
?PyWinObject_AsPARAM@@YAHPEAU_object@@PEAVPyWin_PARAMHolder@@@Z.PYWINTYPES311 ref: 00007FFB0BC7B0D1
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7B0DB
SendMessageW.USER32 ref: 00007FFB0BC7B0F5
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7B101
?PyWinLong_FromVoidPtr@@YAPEAU_object@@PEBX@Z.PYWINTYPES311 ref: 00007FFB0BC7B10A
PyMem_Free.PYTHON311 ref: 00007FFB0BC7B122
??1PyWinBufferView@@QEAA@XZ.PYWINTYPES311 ref: 00007FFB0BC7B132
PyMem_Free.PYTHON311 ref: 00007FFB0BC7B142
??1PyWinBufferView@@QEAA@XZ.PYWINTYPES311 ref: 00007FFB0BC7B150

Strings

OI|OO:SendMessage, xrefs: 00007FFB0BC7B090

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: U_object@@$Object_$BufferEval_FreeHolder@@@Mem_ThreadView@@Win_$Arg_FromLong_MessageParsePtr@@RestoreSaveSendSizeTuple_Void
String ID: OI|OO:SendMessage
API String ID: 3884590075-1672979447
Opcode ID: 89c5f4d2b866058adfef2588d3a0c7e09d3a92d4d818e395060171b1efd2ae09
Instruction ID: 6ad8653df20e2bbbd608a15f22b911c3f7ba8c075b06811bec58d82649fbc570
Opcode Fuzzy Hash: 89c5f4d2b866058adfef2588d3a0c7e09d3a92d4d818e395060171b1efd2ae09
Instruction Fuzzy Hash: 51310A76618B85A5EB209F61F890AA977A4FB84F94F149036EA4E83E68DF3CD445C700

Function 00007FFB0BC74000 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FFB0BC74029
_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7404E

Strings

GetComputerObjectName, xrefs: 00007FFB0BC74018, 00007FFB0BC7407F, 00007FFB0BC74105
i:GetComputerObjectName, xrefs: 00007FFB0BC74040
%s is not available on this platform, xrefs: 00007FFB0BC7401F

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Arg_Err_FormatParseSizeTuple_
String ID: %s is not available on this platform$GetComputerObjectName$i:GetComputerObjectName
API String ID: 365124298-3437859735
Opcode ID: 3822652266c2b13318ff8abef208eecf76582b4006676e7bacbd4dd5bb0496a2
Instruction ID: a5ce96f679d6b31b578ed076de56fbd7f9711e350663d57adfb31b8daaffba5a
Opcode Fuzzy Hash: 3822652266c2b13318ff8abef208eecf76582b4006676e7bacbd4dd5bb0496a2
Instruction Fuzzy Hash: 903134A5A18A82F6EA649B61F84496963A1FFC4F94F449035EA4F83F34DF3CD149C704

Function 00007FFB0A8B9790 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

PyObject_GetAttr.PYTHON311(00000000,?,00000000,00007FFB0A8B3EE8), ref: 00007FFB0A8B97B3
PyErr_ExceptionMatches.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFB0A8B3CEE), ref: 00007FFB0A8B97CF
PyErr_Clear.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFB0A8B3CEE), ref: 00007FFB0A8B97DD
PyModule_GetName.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFB0A8B3CEE), ref: 00007FFB0A8B97E6
PyUnicode_FromString.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFB0A8B3CEE), ref: 00007FFB0A8B97F8
PyUnicode_Concat.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFB0A8B3CEE), ref: 00007FFB0A8B9820
PyUnicode_Concat.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFB0A8B3CEE), ref: 00007FFB0A8B9839
PyImport_GetModule.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFB0A8B3CEE), ref: 00007FFB0A8B984A
_Py_Dealloc.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFB0A8B3CEE), ref: 00007FFB0A8B985C
_Py_Dealloc.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFB0A8B3CEE), ref: 00007FFB0A8B9870
_Py_Dealloc.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFB0A8B3CEE), ref: 00007FFB0A8B9884
PyErr_Format.PYTHON311(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFB0A8B3CEE), ref: 00007FFB0A8B98A3

Strings

cannot import name %S, xrefs: 00007FFB0A8B9896

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: DeallocErr_Unicode_$Concat$AttrClearExceptionFormatFromImport_MatchesModuleModule_NameObject_String
String ID: cannot import name %S
API String ID: 1514443377-1503810072
Opcode ID: ee0b48a71bf2206898efe868e3490d2f951a89cf12ea33d01cb10b71ff727435
Instruction ID: b9e22c38b970ac1c924c4da01543b2094eddcc924a4ec0b23605fe56590c2acf
Opcode Fuzzy Hash: ee0b48a71bf2206898efe868e3490d2f951a89cf12ea33d01cb10b71ff727435
Instruction Fuzzy Hash: 4F3134A2E29B4295EE499B72E854D387398AF49FD0F0848B5CE4D073E1EF3DE4558310

Function 00007FFB0BC7EBF0 Relevance: 22.8, APIs: 5, Strings: 8, Instructions: 70threadCOMMON

Download Yara Rule

APIs

PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7EC0F
GetSystemPowerStatus.KERNEL32 ref: 00007FFB0BC7EC1D
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7EC28
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7EC3B
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC7ECF8

Strings

BatteryLifeTime, xrefs: 00007FFB0BC7ECAE
SystemStatusFlag, xrefs: 00007FFB0BC7ECC5
ACLineStatus, xrefs: 00007FFB0BC7ECBA
GetSystemPowerStatus, xrefs: 00007FFB0BC7EC34
{s:h, s:h, s:h, s:B, s:L, s:L}, xrefs: 00007FFB0BC7ECE5
BatteryFullLifeTime, xrefs: 00007FFB0BC7EC9D
BatteryFlag, xrefs: 00007FFB0BC7ECF1
BatteryLifePercent, xrefs: 00007FFB0BC7ECD1

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_Thread$BuildError@@PowerRestoreSaveSizeStatusSystemU_object@@Value_Win_
String ID: ACLineStatus$BatteryFlag$BatteryFullLifeTime$BatteryLifePercent$BatteryLifeTime$GetSystemPowerStatus$SystemStatusFlag${s:h, s:h, s:h, s:B, s:L, s:L}
API String ID: 1276918903-255212033
Opcode ID: 8f153cc0702c73c62dfb2801653dc333c05a18d886c228fd40e0975e07c56a5c
Instruction ID: ed2eb4d426d4d3d9cf5db8f9714111790f3ab39ff7ece5354a0e814a80c5a29c
Opcode Fuzzy Hash: 8f153cc0702c73c62dfb2801653dc333c05a18d886c228fd40e0975e07c56a5c
Instruction Fuzzy Hash: DC3160B6A08682A5D7308B39F444A7A77E4EB85760F548235E9AE86FB4DF3CD0458B00

Function 00007FFB0BC779D0 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 70threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC779F8
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC77A16
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC77A34
GetVolumeInformationW.KERNEL32 ref: 00007FFB0BC77A7B
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC77A86
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC77A91
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC77AAC
?PyWinObject_FromOLECHAR@@YAPEAU_object@@PEB_W@Z.PYWINTYPES311 ref: 00007FFB0BC77AD7
?PyWinObject_FromOLECHAR@@YAPEAU_object@@PEB_W@Z.PYWINTYPES311 ref: 00007FFB0BC77AE8
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC77B0F

Strings

GetVolumeInformation, xrefs: 00007FFB0BC77AA5
NlllN, xrefs: 00007FFB0BC77AF3
O:GetVolumeInformation, xrefs: 00007FFB0BC779F1

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_U_object@@$Eval_FromSizeThread$Arg_BuildError@@FreeInformationParseRestoreSaveTuple_Value_VolumeWin_
String ID: GetVolumeInformation$NlllN$O:GetVolumeInformation
API String ID: 210089644-666831025
Opcode ID: 7308207c25e7a8be1435433b2fd6909b000dc8dec3da6fc0545dc85ac9f995ad
Instruction ID: 6ab6118097f48e45fec59fecdfcf289e73fd931981821b82ebd5d292f3822a00
Opcode Fuzzy Hash: 7308207c25e7a8be1435433b2fd6909b000dc8dec3da6fc0545dc85ac9f995ad
Instruction Fuzzy Hash: 363113B5618A82A5EB709B21F454A6AB3A0FBC5B94F405036DA8E83F64DF7CD508CB04

Function 00007FFB0A8BA910 Relevance: 22.6, APIs: 15, Instructions: 125COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BA937
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BA950
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BA969
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BA982
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BA99B
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BA9B4
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BA9CD
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BA9E6
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BA9FF
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BAA1E
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BAA3D
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BAA5C
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BAA7B
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BAAAE
PyObject_Free.PYTHON311 ref: 00007FFB0A8BAAC6

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Dealloc$FreeObject_
String ID:
API String ID: 4065880080-0
Opcode ID: 06846e1eb939efc8a37275255a5a9963729ca1c7247f40dfdfa7c1e5bc456674
Instruction ID: 723e0fb6b93d3477c5d1874e2aa04e805208b1c6709d01ecb7f3e2bc92dff6fb
Opcode Fuzzy Hash: 06846e1eb939efc8a37275255a5a9963729ca1c7247f40dfdfa7c1e5bc456674
Instruction Fuzzy Hash: 6A51FA77A2AF028AEB9D8F74D554E38B3ACEF54F94F1848B5CA9D06694CF3D94418310

Function 00007FFB0A8B3730 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 167threadCOMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FFB0A8B3858
PyThreadState_Get.PYTHON311 ref: 00007FFB0A8B38B7
PyErr_Format.PYTHON311 ref: 00007FFB0A8B393F
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B3987

Part of subcall function 00007FFB0A8B4E30: PyThreadState_Get.PYTHON311(?,?,?,?,?,?,?,?,?,?,00000000,00007FFB0A8B3957), ref: 00007FFB0A8B4E5F
Part of subcall function 00007FFB0A8B4E30: _PyThreadState_UncheckedGet.PYTHON311(?,?,?,?,?,?,?,?,?,?,00000000,00007FFB0A8B3957), ref: 00007FFB0A8B5269

_PyThreadState_UncheckedGet.PYTHON311 ref: 00007FFB0A8B399B

Strings

__setstate_cython__, xrefs: 00007FFB0A8B375A
propcache._helpers_c.cached_property.__setstate_cython__, xrefs: 00007FFB0A8B3877, 00007FFB0A8B3970
tuple, xrefs: 00007FFB0A8B392A
Expected %s, got %.200s, xrefs: 00007FFB0A8B3935
%.200s() takes %.8s %zd positional argument%.1s (%zd given), xrefs: 00007FFB0A8B3842
exactly, xrefs: 00007FFB0A8B3836

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: State_Thread$Err_FormatUnchecked$Dealloc
String ID: %.200s() takes %.8s %zd positional argument%.1s (%zd given)$Expected %s, got %.200s$__setstate_cython__$exactly$propcache._helpers_c.cached_property.__setstate_cython__$tuple
API String ID: 2018481400-232861745
Opcode ID: c759d053d1816ad815471068b121eec415458778e64c89e1525112e7bdcf643e
Instruction ID: f16822120bf7aa98c39103edbc4dead2394dd1a05ad4d6e0ca118a503a940776
Opcode Fuzzy Hash: c759d053d1816ad815471068b121eec415458778e64c89e1525112e7bdcf643e
Instruction Fuzzy Hash: BD717DB7A28B4295EA219B61E800EB973A8FF45B84F0448B6DD4D0BBE1DF3CE445C700

Function 00007FFB0A8B2150 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 167threadCOMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FFB0A8B2278
PyThreadState_Get.PYTHON311 ref: 00007FFB0A8B22D7
PyErr_Format.PYTHON311 ref: 00007FFB0A8B235F
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B23A7

Part of subcall function 00007FFB0A8B41D0: PyThreadState_Get.PYTHON311(?,?,?,?,?,?,?,?,?,?,00000000,00007FFB0A8B2377), ref: 00007FFB0A8B41FF
Part of subcall function 00007FFB0A8B41D0: _PyThreadState_UncheckedGet.PYTHON311(?,?,?,?,?,?,?,?,?,?,00000000,00007FFB0A8B2377), ref: 00007FFB0A8B4609

_PyThreadState_UncheckedGet.PYTHON311 ref: 00007FFB0A8B23BB

Strings

__setstate_cython__, xrefs: 00007FFB0A8B217A
tuple, xrefs: 00007FFB0A8B234A
Expected %s, got %.200s, xrefs: 00007FFB0A8B2355
%.200s() takes %.8s %zd positional argument%.1s (%zd given), xrefs: 00007FFB0A8B2262
propcache._helpers_c.under_cached_property.__setstate_cython__, xrefs: 00007FFB0A8B2297, 00007FFB0A8B2390
exactly, xrefs: 00007FFB0A8B2256

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: State_Thread$Err_FormatUnchecked$Dealloc
String ID: %.200s() takes %.8s %zd positional argument%.1s (%zd given)$Expected %s, got %.200s$__setstate_cython__$exactly$propcache._helpers_c.under_cached_property.__setstate_cython__$tuple
API String ID: 2018481400-2008808743
Opcode ID: 571c03757c974fb3171f06363c85f042f33bf8fe8e3be163c21f8f4dd6ac5a8b
Instruction ID: 553e9b0e52bf699649f83d75bf429356ef3934d934c570806a4ff55464cf63f6
Opcode Fuzzy Hash: 571c03757c974fb3171f06363c85f042f33bf8fe8e3be163c21f8f4dd6ac5a8b
Instruction Fuzzy Hash: C87161B3A28B4695EA619B61E840EF963ACFB49B84F0448B6DD4D477E1EF3CE445C340

Function 00007FFB0A8B91B0 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 96COMMON

Download Yara Rule

APIs

PyErr_SetObject.PYTHON311(?,?,00000000,00007FFB0A8B2C52), ref: 00007FFB0A8B9204
_Py_Dealloc.PYTHON311(?,?,00000000,00007FFB0A8B2C52), ref: 00007FFB0A8B9220
PyObject_IsSubclass.PYTHON311(?,?,00000000,00007FFB0A8B2C52), ref: 00007FFB0A8B9263
PyTuple_Pack.PYTHON311(?,?,00000000,00007FFB0A8B2C52), ref: 00007FFB0A8B929B
PyObject_Call.PYTHON311(?,?,00000000,00007FFB0A8B2C52), ref: 00007FFB0A8B92BC
_Py_Dealloc.PYTHON311(?,?,00000000,00007FFB0A8B2C52), ref: 00007FFB0A8B92CE
PyErr_Format.PYTHON311(?,?,00000000,00007FFB0A8B2C52), ref: 00007FFB0A8B9305
PyErr_SetString.PYTHON311(?,?,00000000,00007FFB0A8B2C52), ref: 00007FFB0A8B9321

Strings

raise: exception class must be a subclass of BaseException, xrefs: 00007FFB0A8B9310
instance exception may not have a separate value, xrefs: 00007FFB0A8B91EC
calling %R should have returned an instance of BaseException, not %R, xrefs: 00007FFB0A8B92F8

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Err_$DeallocObject_$CallFormatObjectPackStringSubclassTuple_
String ID: calling %R should have returned an instance of BaseException, not %R$instance exception may not have a separate value$raise: exception class must be a subclass of BaseException
API String ID: 804055375-546692596
Opcode ID: e7fd62e4b8c85a9cb3237450bf2db532b398ffccca8558836c7f7334fc972ebd
Instruction ID: 03ffaeb398f05dd9a03ecd0322093dd56615c9221b7b2476864dc4e505505f44
Opcode Fuzzy Hash: e7fd62e4b8c85a9cb3237450bf2db532b398ffccca8558836c7f7334fc972ebd
Instruction Fuzzy Hash: F74151A3A28B4285EA548B36D944E79B368BF48F84F4858B1DE5E07BE4DF2CE441C300

Function 00007FFB0BC749B0 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC749DC
PyMem_Free.PYTHON311 ref: 00007FFB0BC749F9
PyUnicode_AsWideCharString.PYTHON311 ref: 00007FFB0BC74A18
CommandLineToArgvW.SHELL32 ref: 00007FFB0BC74A3C
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC74A53
PyList_New.PYTHON311 ref: 00007FFB0BC74A5E
?PyWinObject_FromOLECHAR@@YAPEAU_object@@PEB_W@Z.PYWINTYPES311 ref: 00007FFB0BC74A7A
LocalFree.KERNEL32 ref: 00007FFB0BC74A9C
_Py_Dealloc.PYTHON311 ref: 00007FFB0BC74AB2
LocalFree.KERNEL32 ref: 00007FFB0BC74ABD
PyMem_Free.PYTHON311 ref: 00007FFB0BC74AD9

Strings

CommandLineToArgvW, xrefs: 00007FFB0BC74A4C

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Free$LocalMem_U_object@@$Arg_ArgvCharCommandDeallocError@@FromLineList_Object_ParseSizeStringTuple_Unicode_WideWin_
String ID: CommandLineToArgvW
API String ID: 2536588345-1958408031
Opcode ID: cdc46e895df7a1fad435388270587eb311827fc9473e801e9b0c15b36d0aa305
Instruction ID: c06bf872b015951d32db8b5574ffd774cb4e3719b4fe8a2f8ef2eb9e2aefa007
Opcode Fuzzy Hash: cdc46e895df7a1fad435388270587eb311827fc9473e801e9b0c15b36d0aa305
Instruction Fuzzy Hash: 8A313171B49B82B6EA758F26E45067963A0FF88F94F089135E98F87B64DF3CE4448704

Function 00007FFB0BC71B90 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FFB0BC71BD1
PyArg_ParseTupleAndKeywords.PYTHON311 ref: 00007FFB0BC71C44
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC71C63
memset.VCRUNTIME140 ref: 00007FFB0BC71C88
EnumDisplaySettingsExW.USER32 ref: 00007FFB0BC71CA8
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC71CC3
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC71CCE

Strings

|Okk:EnumDisplaySettingsEx, xrefs: 00007FFB0BC71C02
%s is not available on this platform, xrefs: 00007FFB0BC71BC7
EnumDisplaySettingsEx, xrefs: 00007FFB0BC71BC0, 00007FFB0BC71CBC

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_U_object@@$Arg_DisplayEnumErr_Error@@FormatFreeKeywordsParseSettingsTupleWin_memset
String ID: %s is not available on this platform$EnumDisplaySettingsEx$|Okk:EnumDisplaySettingsEx
API String ID: 440485704-2119414348
Opcode ID: 0c3b029565aa2305f741d2336bc5e4068acb6dda3a9ef9d930f17f0e9deffeab
Instruction ID: 85f9f16a6bd1d4c0f444af30a760413ad9ff8a1d18796a42632af5de028e30a3
Opcode Fuzzy Hash: 0c3b029565aa2305f741d2336bc5e4068acb6dda3a9ef9d930f17f0e9deffeab
Instruction Fuzzy Hash: C84100B6608A86A1E7709F21E8547AA73A0FBC9B44F549035DA8E97B24DF3CD505C700

Function 00007FFB0BC79BA0 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FFB0BC79BCF
_PyArg_ParseTupleAndKeywords_SizeT.PYTHON311 ref: 00007FFB0BC79C3C

Strings

%s is not available on this platform, xrefs: 00007FFB0BC79BC5
RegOpenKeyTransacted, xrefs: 00007FFB0BC79BBE, 00007FFB0BC79CE4
OOkO|k:RegOpenKeyTransacted, xrefs: 00007FFB0BC79C05

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Arg_Err_FormatKeywords_ParseSizeTuple
String ID: %s is not available on this platform$OOkO|k:RegOpenKeyTransacted$RegOpenKeyTransacted
API String ID: 318405110-1685537870
Opcode ID: 449b11c8928072a93ed3716cd2e8f9146e7916c058238a5cfe0f5a681b46b0ad
Instruction ID: a5d9cd36773fef43e5a1a5e0839fd6ce428157e2327e1ddecaae878dfefbf1f6
Opcode Fuzzy Hash: 449b11c8928072a93ed3716cd2e8f9146e7916c058238a5cfe0f5a681b46b0ad
Instruction Fuzzy Hash: CC41D1B1608A82A1DB708B65F444BAA73A4FBD4B84F409135DA8EC3E74DF7CD148CB40

Function 00007FFB0B2524D0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 73COMMON

Download Yara Rule

APIs

PyModule_AddStringConstant.PYTHON311 ref: 00007FFB0B2524F0
PyType_FromSpec.PYTHON311 ref: 00007FFB0B252505
PyModule_AddType.PYTHON311 ref: 00007FFB0B25251D
_Py_Dealloc.PYTHON311 ref: 00007FFB0B253EBD

Part of subcall function 00007FFB0B2525B0: _PyObject_GC_New.PYTHON311(?,?,00000000,00007FFB0B252533), ref: 00007FFB0B2525B6
Part of subcall function 00007FFB0B2525B0: PyObject_GC_Track.PYTHON311(?,?,00000000,00007FFB0B252533), ref: 00007FFB0B2525E8

PyModule_AddObject.PYTHON311 ref: 00007FFB0B252552
PyModule_AddObjectRef.PYTHON311 ref: 00007FFB0B25257A
_Py_Dealloc.PYTHON311 ref: 00007FFB0B253ECC
_Py_Dealloc.PYTHON311 ref: 00007FFB0B253EEA

Part of subcall function 00007FFB0B252620: PyMem_Malloc.PYTHON311(?,?,00000000,00007FFB0B252565), ref: 00007FFB0B25262B
Part of subcall function 00007FFB0B252620: PyCapsule_New.PYTHON311(?,?,00000000,00007FFB0B252565), ref: 00007FFB0B252668

Strings

unidata_version, xrefs: 00007FFB0B2524E9
_ucnhash_CAPI, xrefs: 00007FFB0B252570
14.0.0, xrefs: 00007FFB0B2524DF
ucd_3_2_0, xrefs: 00007FFB0B252548

Memory Dump Source

Source File: 00000008.00000002.2569480327.00007FFB0B251000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFB0B250000, based on PE: true

Associated: 00000008.00000002.2569434452.00007FFB0B250000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B255000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2B2000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2FE000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B301000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B306000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B360000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569948940.00007FFB0B363000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569977529.00007FFB0B365000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b250000_Payload.jbxd

Similarity

API ID: Module_$Dealloc$ObjectObject_$Capsule_ConstantFromMallocMem_SpecStringTrackTypeType_
String ID: 14.0.0$_ucnhash_CAPI$ucd_3_2_0$unidata_version
API String ID: 288921926-1430584071
Opcode ID: 34ac006824e125b38f87d2d071ae01d9c336cf72669efd439cdbfbf994d14880
Instruction ID: 998041adc2c198e1f4f758fa62e75b180bb6cbfc72157e2c58493b5b086846d5
Opcode Fuzzy Hash: 34ac006824e125b38f87d2d071ae01d9c336cf72669efd439cdbfbf994d14880
Instruction Fuzzy Hash: 7221EAE1E29A0391FA19AB36E824E792A94AF59BD1F48D134D90FC66B4DF3CE4458300

Function 00007FFB0BC7B680 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 73threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7B6B4
?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z.PYWINTYPES311 ref: 00007FFB0BC7B6CC
PyBytes_AsString.PYTHON311 ref: 00007FFB0BC7B706
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC7B73C
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7B754
WinHelpW.USER32 ref: 00007FFB0BC7B777
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7B782
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7B78D
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7B7AA

Strings

WinHelp, xrefs: 00007FFB0BC7B7A3
OOi|O:WinHelp, xrefs: 00007FFB0BC7B6A5

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_U_object@@$Eval_Thread$Arg_Bytes_Error@@FreeHelpParseRestoreSaveSizeStringTuple_Win_
String ID: OOi|O:WinHelp$WinHelp
API String ID: 3216590905-3128034683
Opcode ID: 4acb1a6e6c142f72efd2c76f19918a2e21532d813e4e68d9ddf70571da835d24
Instruction ID: 7f988267866c5ed1a4dfbbe8fa3aefa342d064b1b73be8ae065f9093160ca0fa
Opcode Fuzzy Hash: 4acb1a6e6c142f72efd2c76f19918a2e21532d813e4e68d9ddf70571da835d24
Instruction Fuzzy Hash: 8331F0A5A18A86B1EB609B35E894A6973A4FB84B80F44D035EA4F83B74DF3CD845C710

Function 00007FFB0BC797C0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 68threadregistryCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC797F3
?PyWinObject_AsHKEY@@YAHPEAU_object@@PEAPEAUHKEY__@@@Z.PYWINTYPES311 ref: 00007FFB0BC7980F
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC7982D
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC79847
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7985B
RegLoadKeyW.ADVAPI32 ref: 00007FFB0BC79873
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7987E
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC79896
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC798B9
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC798C4

Strings

OOO:RegLoadKey, xrefs: 00007FFB0BC797E7
RegLoadKey, xrefs: 00007FFB0BC7988F

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_$U_object@@$Eval_FreeThread$Arg_Error@@LoadParseRestoreSaveSizeTuple_Win_Y__@@@
String ID: OOO:RegLoadKey$RegLoadKey
API String ID: 2577816565-1174909360
Opcode ID: e003d19809921ccaf386b5a753c40d3209df162ea939185c81d42507128bc3d8
Instruction ID: 9b7c6394ecf5b00a2e80643f1b40dec6f1536bb030ed3affa08ff3e56a9f9f17
Opcode Fuzzy Hash: e003d19809921ccaf386b5a753c40d3209df162ea939185c81d42507128bc3d8
Instruction Fuzzy Hash: 5431E2B1A18A81B2EB208B35F84496A63A1FBC5B80F549131EA5F87F38DF3CD445CB44

Function 00007FFB0BC7C870 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 67COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7C89D
?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z.PYWINTYPES311 ref: 00007FFB0BC7C8B5
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB0BC7C8D7
PyErr_Format.PYTHON311 ref: 00007FFB0BC7C8F9
LoadStringW.USER32 ref: 00007FFB0BC7C91F
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7C932
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB0BC7C93E

Strings

LoadString, xrefs: 00007FFB0BC7C92B
Allocating buffer of %d bytes for LoadString, xrefs: 00007FFB0BC7C8EC
Oi|i:LoadString, xrefs: 00007FFB0BC7C896

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: U_object@@$Arg_Err_Error@@FormatLoadObject_ParseSizeStringTuple_Win_freemalloc
String ID: Allocating buffer of %d bytes for LoadString$LoadString$Oi|i:LoadString
API String ID: 4030849388-709151105
Opcode ID: b58a93010999f634ec0e49d7852be48c24698de74d26617d4e589b6d71beffd6
Instruction ID: ef1d5c0e0937d814ea8beffe2ce4e683995d39492f2c27f9597b7cc118a7ca85
Opcode Fuzzy Hash: b58a93010999f634ec0e49d7852be48c24698de74d26617d4e589b6d71beffd6
Instruction Fuzzy Hash: D331FEB5708B86A2DA508B26F84446AA3A1FBC5BC5F449031EE4E83F28DF7CE405CB44

Function 00007FFB0BC72BF0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 60threadfileCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC72C1D
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC72C37
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC72C51
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC72C60
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC72C77
CopyFileW.KERNEL32 ref: 00007FFB0BC72C8F
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC72C9A
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC72CA5
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC72CB0
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC72CCD

Strings

OO|i:CopyFile, xrefs: 00007FFB0BC72C16
CopyFile, xrefs: 00007FFB0BC72CC6

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_$FreeU_object@@$Eval_Thread$Arg_CopyError@@FileParseRestoreSaveSizeTuple_Win_
String ID: CopyFile$OO|i:CopyFile
API String ID: 920724723-317066227
Opcode ID: b9ac930c3517507e2c748a94f5cdd5afbf644376c1f14fe4db4b9788563a8530
Instruction ID: d9d104181b2f902d65d43d75a46118cfb904f1194ad7290889cee6258baac223
Opcode Fuzzy Hash: b9ac930c3517507e2c748a94f5cdd5afbf644376c1f14fe4db4b9788563a8530
Instruction Fuzzy Hash: 1321E1A5A18A82A2EB109B35E85496A73A1FBC5F84F509036EA4F87F34DF3CD015CB04

Function 00007FFB0BC7CE20 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7CE41
?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z.PYWINTYPES311 ref: 00007FFB0BC7CE59
?PyWinObject_AsResourceId@@YAHPEAU_object@@PEAPEA_WH@Z.PYWINTYPES311 ref: 00007FFB0BC7CE74
PyList_New.PYTHON311 ref: 00007FFB0BC7CE89
EnumResourceNamesW.KERNEL32 ref: 00007FFB0BC7CEAB
PyErr_Occurred.PYTHON311 ref: 00007FFB0BC7CEB5
GetLastError.KERNEL32 ref: 00007FFB0BC7CEC0
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7CEDA
_Py_Dealloc.PYTHON311 ref: 00007FFB0BC7CEE9
?PyWinObject_FreeResourceId@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7CEF6

Strings

EnumResourceNames, xrefs: 00007FFB0BC7CED3
OO:EnumResourceNames, xrefs: 00007FFB0BC7CE30

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_ResourceU_object@@$Id@@$Arg_DeallocEnumErr_ErrorError@@FreeLastList_NamesOccurredParseSizeTuple_Win_
String ID: EnumResourceNames$OO:EnumResourceNames
API String ID: 3569070608-2028383064
Opcode ID: 62899b493a42a1e2fab29842aed5b72ece9ffc1a6ba619eb3f7fb7571e2518c0
Instruction ID: c0d67c5b506bd87a8cb064396a48b7e0c785b4dcc5070672712d01ec32619c8c
Opcode Fuzzy Hash: 62899b493a42a1e2fab29842aed5b72ece9ffc1a6ba619eb3f7fb7571e2518c0
Instruction Fuzzy Hash: 8E2156A1A08A83B1EB608B75E844A6A63A0FF84F94F44D035E94FC6E74EF7CE545C704

Function 00007FFB0A8B4640 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 187COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 00007FFB0A8B47D0
PyErr_Format.PYTHON311 ref: 00007FFB0A8B4822
PyErr_Format.PYTHON311 ref: 00007FFB0A8B48E5
PyErr_Occurred.PYTHON311 ref: 00007FFB0A8B4913

Strings

propcache._helpers_c.__pyx_unpickle_cached_property, xrefs: 00007FFB0A8B492A
%.200s() takes %.8s %zd positional argument%.1s (%zd given), xrefs: 00007FFB0A8B480F, 00007FFB0A8B4871, 00007FFB0A8B48D2
exactly, xrefs: 00007FFB0A8B47FC, 00007FFB0A8B485E, 00007FFB0A8B48BF
__pyx_unpickle_cached_property, xrefs: 00007FFB0A8B4788, 00007FFB0A8B4808, 00007FFB0A8B486A, 00007FFB0A8B48CB

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Err_$FormatOccurred
String ID: %.200s() takes %.8s %zd positional argument%.1s (%zd given)$__pyx_unpickle_cached_property$exactly$propcache._helpers_c.__pyx_unpickle_cached_property
API String ID: 4038069558-2396632939
Opcode ID: 22a75406606519377ae20db47fbc1ff31b3813de01d1ba83042edb6ae53c161c
Instruction ID: e7b18466561255cee6f254c0eb8fa7798f58024c9cd5ff925b4e174860929a66
Opcode Fuzzy Hash: 22a75406606519377ae20db47fbc1ff31b3813de01d1ba83042edb6ae53c161c
Instruction Fuzzy Hash: 209180B7A2DB4285FA209B31E441EA963ACFB49B80F244976DA8D077E5DF3DE445C700

Function 00007FFB0A8B39E0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 187COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 00007FFB0A8B3B70
PyErr_Format.PYTHON311 ref: 00007FFB0A8B3BC2
PyErr_Format.PYTHON311 ref: 00007FFB0A8B3C85
PyErr_Occurred.PYTHON311 ref: 00007FFB0A8B3CB3

Strings

__pyx_unpickle_under_cached_property, xrefs: 00007FFB0A8B3B28, 00007FFB0A8B3BA8, 00007FFB0A8B3C0A, 00007FFB0A8B3C6B
propcache._helpers_c.__pyx_unpickle_under_cached_property, xrefs: 00007FFB0A8B3CCA
%.200s() takes %.8s %zd positional argument%.1s (%zd given), xrefs: 00007FFB0A8B3BAF, 00007FFB0A8B3C11, 00007FFB0A8B3C72
exactly, xrefs: 00007FFB0A8B3B9C, 00007FFB0A8B3BFE, 00007FFB0A8B3C5F

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Err_$FormatOccurred
String ID: %.200s() takes %.8s %zd positional argument%.1s (%zd given)$__pyx_unpickle_under_cached_property$exactly$propcache._helpers_c.__pyx_unpickle_under_cached_property
API String ID: 4038069558-328849803
Opcode ID: 199479f8be07e657bb478d0733215b0648bcb53ca0706e890ccdcd23389438b8
Instruction ID: b67b2011494b776fb0884f8fb15ce01b66daea83d63c31d96988d8c00789ac07
Opcode Fuzzy Hash: 199479f8be07e657bb478d0733215b0648bcb53ca0706e890ccdcd23389438b8
Instruction Fuzzy Hash: 9A9140B3A2DF4295EA519B61E450EA973ACFB84B80F240976D98D0BBE4DF3CE445C740

Function 00007FFB0B251090 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

PyUnicode_CompareWithASCIIString.PYTHON311 ref: 00007FFB0B2510BD
PyUnicode_CompareWithASCIIString.PYTHON311 ref: 00007FFB0B2510D5
PyType_IsSubtype.PYTHON311 ref: 00007FFB0B2510FD

Part of subcall function 00007FFB0B2511D0: PyMem_Malloc.PYTHON311 ref: 00007FFB0B251252
Part of subcall function 00007FFB0B2511D0: PyMem_Free.PYTHON311 ref: 00007FFB0B25136E

PyUnicode_CompareWithASCIIString.PYTHON311 ref: 00007FFB0B25366E

Strings

NFKD, xrefs: 00007FFB0B2536A6
invalid normalization form, xrefs: 00007FFB0B2536F6
NFC, xrefs: 00007FFB0B2510B3
NFD, xrefs: 00007FFB0B253664
NFKC, xrefs: 00007FFB0B2510CB

Memory Dump Source

Source File: 00000008.00000002.2569480327.00007FFB0B251000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFB0B250000, based on PE: true

Associated: 00000008.00000002.2569434452.00007FFB0B250000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B255000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2B2000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2FE000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B301000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B306000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B360000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569948940.00007FFB0B363000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569977529.00007FFB0B365000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b250000_Payload.jbxd

Similarity

API ID: CompareStringUnicode_With$Mem_$FreeMallocSubtypeType_
String ID: NFC$NFD$NFKC$NFKD$invalid normalization form
API String ID: 1723213316-3528878251
Opcode ID: c1d1483b359176232031dcda17eceefdd4cd98cc21702f49892afc3e67e82068
Instruction ID: ec4d94a34765bbef366bb8070450d60ac4f7bedca3a1d87da08980b259e49981
Opcode Fuzzy Hash: c1d1483b359176232031dcda17eceefdd4cd98cc21702f49892afc3e67e82068
Instruction Fuzzy Hash: 13518CA1A0C65382FA64AB32E814F7A5B90AF56BC5F14D031DE5FD7BA5CE3CE4118700

Function 00007FFB0A8B9FF0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

PyMem_Malloc.PYTHON311 ref: 00007FFB0A8BA042
PyErr_NoMemory.PYTHON311 ref: 00007FFB0A8BA050
PyTuple_New.PYTHON311 ref: 00007FFB0A8BA084
PyMem_Free.PYTHON311 ref: 00007FFB0A8BA095

Strings

keywords must be strings, xrefs: 00007FFB0A8BA162

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Mem_$Err_FreeMallocMemoryTuple_
String ID: keywords must be strings
API String ID: 4138657551-2673384963
Opcode ID: dfbb985f5cd2d5098a5922da85a47926648cb9233e25c331ee03387cf8f86b96
Instruction ID: cdc32cc945c133b2749d809cb614382d16295de2699e089521fa5df80dd0ceea
Opcode Fuzzy Hash: dfbb985f5cd2d5098a5922da85a47926648cb9233e25c331ee03387cf8f86b96
Instruction Fuzzy Hash: 9351AF73B18B8686DA558F25E844A6AB3A8FB85FC4F444871DE8D037A4DF3CD405C700

Function 00007FFB0BC76070 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 88threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC760A5
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC760C8
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC760E7
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC76138
GetPrivateProfileSectionW.KERNEL32 ref: 00007FFB0BC76156
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC76169
?PyWinObject_FromMultipleString@@YAPEAU_object@@PEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC76179
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC76196
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC761A1

Strings

O|O:GetProfileSection, xrefs: 00007FFB0BC76092

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_$U_object@@$Eval_FreeThread$Arg_FromMultipleParsePrivateProfileRestoreSaveSectionSizeString@@Tuple_
String ID: O|O:GetProfileSection
API String ID: 2101841525-1461128879
Opcode ID: 438774a2a02dbfdd15e31e9499cc7cda64a15aa1b3e7f1bdae13d0b01ebb19e9
Instruction ID: 650df1183bee1b0baff3d1ecc90de64b79823d2acc291e2764f7f834ed2b76a2
Opcode Fuzzy Hash: 438774a2a02dbfdd15e31e9499cc7cda64a15aa1b3e7f1bdae13d0b01ebb19e9
Instruction Fuzzy Hash: 1D314F72A58B82A2EA209B71E854969A3A0FFC4B90F449135EE5F87F75DE3CE444C700

Function 00007FFB0BC7A1D0 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 78registryCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7A20C
?PyWinObject_AsHKEY@@YAHPEAU_object@@PEAPEAUHKEY__@@@Z.PYWINTYPES311 ref: 00007FFB0BC7A225
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC7A242
RegQueryValueW.ADVAPI32 ref: 00007FFB0BC7A25F
PyErr_NoMemory.PYTHON311 ref: 00007FFB0BC7A299
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7A2DB

Strings

RegQueryValue, xrefs: 00007FFB0BC7A2BC
OO:RegQueryValue, xrefs: 00007FFB0BC7A1FA

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_$U_object@@$Arg_Err_FreeMemoryParseQuerySizeTuple_ValueY__@@@
String ID: OO:RegQueryValue$RegQueryValue
API String ID: 3496172226-4256734064
Opcode ID: 9a3dd86813e91bd4321616e40dc339e09bdd81efb758406ce689c550bbcc9539
Instruction ID: a5a5b2c37f6b6979ed0d84fbb4ddcdb7baea77ddca67983dde24f855d7d55b7f
Opcode Fuzzy Hash: 9a3dd86813e91bd4321616e40dc339e09bdd81efb758406ce689c550bbcc9539
Instruction Fuzzy Hash: 3F3113A1604A86B5DB209F71D8409E923A0FF84B99744D132EA1F87EA4DF39D545C340

Function 00007FFB0BC7BA80 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 77threadwindowCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7BADF
?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z.PYWINTYPES311 ref: 00007FFB0BC7BB01
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC7BB1D
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC7BB36
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7BB48
MessageBoxExW.USER32 ref: 00007FFB0BC7BB6A
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7BB75
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC7BB84
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7BB99
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7BBA3

Strings

OO|Oli:MessageBox(Ex), xrefs: 00007FFB0BC7BABB

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_$U_object@@$Eval_FreeSizeThread$Arg_BuildMessageParseRestoreSaveTuple_Value_
String ID: OO|Oli:MessageBox(Ex)
API String ID: 19783654-3619530671
Opcode ID: 64750fe2e18ca23f59e74e85a1b64e4627a8e13da79202743e0c928f5a3a2d7e
Instruction ID: 47ff667422c2ac7bb13fbb50bd47f18d382e448c49add48bee4039428468dcb0
Opcode Fuzzy Hash: 64750fe2e18ca23f59e74e85a1b64e4627a8e13da79202743e0c928f5a3a2d7e
Instruction Fuzzy Hash: 47310E72B14B41A9E7208F71E8809AD37B4FB88B88B445136DE4E97F28DF38D544C744

Function 00007FFB0BC72E00 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 69filethreadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC72E35
?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z.PYWINTYPES311 ref: 00007FFB0BC72E4D
DragQueryFileW.SHELL32 ref: 00007FFB0BC72E72
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC72E81
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC72EAF
DragQueryFileW.SHELL32 ref: 00007FFB0BC72ECC
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC72ED7
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC72EFA

Strings

O|i:DragQueryFile, xrefs: 00007FFB0BC72E24
DragQueryFile, xrefs: 00007FFB0BC72EF3

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: DragEval_FileQuerySizeThreadU_object@@$Arg_BuildError@@Object_ParseRestoreSaveTuple_Value_Win_
String ID: DragQueryFile$O|i:DragQueryFile
API String ID: 28251646-4176030986
Opcode ID: d133d98aaefe80f786115a19559a43f01dff64ef6ce3419278a30672724fb6d2
Instruction ID: 4aaf24f68695e47fdb57736b92f9bf9f9da6a9c4b54873ed69ca8c96d09e912b
Opcode Fuzzy Hash: d133d98aaefe80f786115a19559a43f01dff64ef6ce3419278a30672724fb6d2
Instruction Fuzzy Hash: 3C3100B5A0C982B2EB709B31F859B6A6360FBC8B54F845131D99E87A65DF3CD105CA04

Function 00007FFB0BC77DF0 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 65threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC77E27
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC77E49
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC77E64
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC77E78
MoveFileExW.KERNEL32 ref: 00007FFB0BC77E90
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC77E9B
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC77EB8
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC77ED6
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC77EE1

Strings

OOi:MoveFileEx, xrefs: 00007FFB0BC77E18
MoveFileEx, xrefs: 00007FFB0BC77EB1

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_$U_object@@$Eval_FreeThread$Arg_Error@@FileMoveParseRestoreSaveSizeTuple_Win_
String ID: MoveFileEx$OOi:MoveFileEx
API String ID: 1139354801-2883942482
Opcode ID: cee776663d26fb81336bb66b9ab79fd4c32a38cc1876e0b9166ef4ad10bc3fa9
Instruction ID: 1c2209fae235fdceddb9363ffe82e2f351bfa2a0fd081755d27f62267761612e
Opcode Fuzzy Hash: cee776663d26fb81336bb66b9ab79fd4c32a38cc1876e0b9166ef4ad10bc3fa9
Instruction Fuzzy Hash: C3310DB2A18B56B2EB609B35E84496973A1FBC4F80B419132EA5E87F34DF3CD845C744

Function 00007FFB0BC79A80 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 63threadregistryCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC79ABE
?PyWinObject_AsHKEY@@YAHPEAU_object@@PEAPEAUHKEY__@@@Z.PYWINTYPES311 ref: 00007FFB0BC79AD6
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC79AF5
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC79B0D
RegOpenKeyExW.ADVAPI32 ref: 00007FFB0BC79B3A
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC79B45
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC79B50
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC79B68
?PyWinObject_FromHKEY@@YAPEAU_object@@PEAUHKEY__@@@Z.PYWINTYPES311 ref: 00007FFB0BC79B7D

Strings

RegOpenKeyEx, xrefs: 00007FFB0BC79B61
OO|ii:RegOpenKey, xrefs: 00007FFB0BC79AAC

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_U_object@@$Eval_ThreadY__@@@$Arg_Error@@FreeFromOpenParseRestoreSaveSizeTuple_Win_
String ID: OO|ii:RegOpenKey$RegOpenKeyEx
API String ID: 3334023222-2694016402
Opcode ID: 953fead99f0995e553282202304a4e2bcc4739e81b2793e06170bfd6f914f90a
Instruction ID: 2928fd5cb92cb787cc100ee521f1ff4d4fd22dc972b27560be5c3ba5cd421ff7
Opcode Fuzzy Hash: 953fead99f0995e553282202304a4e2bcc4739e81b2793e06170bfd6f914f90a
Instruction Fuzzy Hash: F5312476B18B82B2DB209F61F44496973A1FBC4B80F945136DA5E83B24DF3DD549CB40

Function 00007FFB0BC7A5B0 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 62threadregistryCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7A5E7
?PyWinObject_AsHKEY@@YAHPEAU_object@@PEAPEAUHKEY__@@@Z.PYWINTYPES311 ref: 00007FFB0BC7A5FF
?PyWinObject_AsSECURITY_ATTRIBUTES@@YAHPEAU_object@@PEAPEAU_SECURITY_ATTRIBUTES@@H@Z.PYWINTYPES311 ref: 00007FFB0BC7A61D
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC7A63B
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7A64F
RegSaveKeyW.ADVAPI32 ref: 00007FFB0BC7A667
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7A672
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7A67D
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7A695

Strings

OO|O:RegSaveKey, xrefs: 00007FFB0BC7A5E0
RegSaveKey, xrefs: 00007FFB0BC7A68E

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_U_object@@$Eval_SaveThread$Arg_Error@@FreeParseRestoreSizeTuple_Win_Y__@@@
String ID: OO|O:RegSaveKey$RegSaveKey
API String ID: 2369327498-1787471006
Opcode ID: 9c388816c9bf7c9487401fc72b1765b40fa7cf4a039a0502be5ab57510872aa8
Instruction ID: 3c44fb2b78d6d4bbe09c126cda6686ca3589abc0d78bd8d066769580c0ea090f
Opcode Fuzzy Hash: 9c388816c9bf7c9487401fc72b1765b40fa7cf4a039a0502be5ab57510872aa8
Instruction Fuzzy Hash: 7B31C3A5618A82B2E7109F35E84456A73A1FBC4F84F549035EA4E87F34DF7CD445CB44

Function 00007FFB0BC76450 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FFB0BC7647C
_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC76494

Strings

GetNativeSystemInfo, xrefs: 00007FFB0BC7646B
iiNNNiii(HH), xrefs: 00007FFB0BC76540
%s is not available on this platform, xrefs: 00007FFB0BC76472
:GetNativeSystemInfo, xrefs: 00007FFB0BC7648A

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Arg_Err_FormatParseSizeTuple_
String ID: %s is not available on this platform$:GetNativeSystemInfo$GetNativeSystemInfo$iiNNNiii(HH)
API String ID: 365124298-387961642
Opcode ID: bda6ffce9ef44a72078c06688fa298cf96e1ecd8f552837dad4f385705447f97
Instruction ID: 336e01f3c713ba62c72f3ecf44a0f0ea6de176e242170107eedd0860c6ac7a39
Opcode Fuzzy Hash: bda6ffce9ef44a72078c06688fa298cf96e1ecd8f552837dad4f385705447f97
Instruction Fuzzy Hash: 8A31AAB5A08B82A6D7709B25F44476AB3A0F7C5B40F508135DA8E83F69DF3CD055CB44

Function 00007FFB0BC759F0 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 53threadlibraryCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC75A15
?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z.PYWINTYPES311 ref: 00007FFB0BC75A2D
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC75A4B
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC75A5F
LoadLibraryExW.KERNEL32 ref: 00007FFB0BC75A77
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC75A83
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC75A8E
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC75AA7
?PyWinLong_FromHANDLE@@YAPEAU_object@@PEAX@Z.PYWINTYPES311 ref: 00007FFB0BC75ABA

Strings

LoadLibraryEx, xrefs: 00007FFB0BC75AA0
OOl:LoadLibraryEx, xrefs: 00007FFB0BC75A0E

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: U_object@@$Object_$Eval_Thread$Arg_Error@@FreeFromLibraryLoadLong_ParseRestoreSaveSizeTuple_Win_
String ID: LoadLibraryEx$OOl:LoadLibraryEx
API String ID: 1964817607-510471668
Opcode ID: 8f3a14e5dabc46ebd82003fb82c666ee820c57f66c9d14f4ae0d90b10666d946
Instruction ID: e2c0a7140b2095cbe74305e4a311f50a523ad317818857fe46a13fe6dfb34215
Opcode Fuzzy Hash: 8f3a14e5dabc46ebd82003fb82c666ee820c57f66c9d14f4ae0d90b10666d946
Instruction Fuzzy Hash: C721EE65B19A82B2EB119B65E85497A73A1FBC4F90F449032EA4F83F38DF2CD405CB00

Function 00007FFB0BC74C40 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 50threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC74C68
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC74C87
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC74C9F
GetDiskFreeSpaceExW.KERNEL32 ref: 00007FFB0BC74CBC
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC74CC7
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC74CD2
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC74CEF
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC74D10

Strings

LLL, xrefs: 00007FFB0BC74CFF
|O:GetDiskFreeSpaceEx, xrefs: 00007FFB0BC74C58
GetDiskSpaceFreeEx, xrefs: 00007FFB0BC74CE8

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_FreeObject_SizeThreadU_object@@$Arg_BuildDiskError@@ParseRestoreSaveSpaceTuple_Value_Win_
String ID: GetDiskSpaceFreeEx$LLL$|O:GetDiskFreeSpaceEx
API String ID: 4254885565-1562949391
Opcode ID: a092d17af4e66b2c48fc053f7876aa997e9c81424e79cad333607d1375d42cad
Instruction ID: 0cc69d382832cb024ad1f5e3802b8b679ff4e2e7ee02773f0b364ab6621957d8
Opcode Fuzzy Hash: a092d17af4e66b2c48fc053f7876aa997e9c81424e79cad333607d1375d42cad
Instruction Fuzzy Hash: 0D21C4B5618B86B2D7209F61F84496967A1FBC4B94F449032E94E87F38DF3CD505C744

Function 00007FFB0BC7E260 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 42COMMON

Download Yara Rule

APIs

GlobalMemoryStatus.KERNEL32 ref: 00007FFB0BC7E281
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC7E348

Strings

MemoryLoad, xrefs: 00007FFB0BC7E28F
AvailVirtual, xrefs: 00007FFB0BC7E2B4
AvailPageFile, xrefs: 00007FFB0BC7E2E6
TotalPageFile, xrefs: 00007FFB0BC7E2FF
AvailPhys, xrefs: 00007FFB0BC7E318
TotalPhys, xrefs: 00007FFB0BC7E331
{s:k,s:k,s:K,s:K,s:K,s:K,s:K,s:K}, xrefs: 00007FFB0BC7E2AD
Length, xrefs: 00007FFB0BC7E29E
TotalVirtual, xrefs: 00007FFB0BC7E2CD

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: BuildGlobalMemorySizeStatusValue_
String ID: AvailPageFile$AvailPhys$AvailVirtual$Length$MemoryLoad$TotalPageFile$TotalPhys$TotalVirtual${s:k,s:k,s:K,s:K,s:K,s:K,s:K,s:K}
API String ID: 888549742-3964252616
Opcode ID: 3c1bd2d8b4bb1deceba7c872a843faedd06f87aaa71b20c1155f58cd741d9e31
Instruction ID: cac7dac33510e7321772f8fc03faf94e551bf248c11bcb69b44382eb64ee67d2
Opcode Fuzzy Hash: 3c1bd2d8b4bb1deceba7c872a843faedd06f87aaa71b20c1155f58cd741d9e31
Instruction Fuzzy Hash: FA219576609FC5A5EA708B24F88079AB7A4FB89754F504136DA8D83B38EF3CD158CB40

Function 00007FFB0A8B9E90 Relevance: 18.1, APIs: 12, Instructions: 95COMMON

Download Yara Rule

APIs

PyImport_GetModule.PYTHON311(?,?,00000000,00000001,00007FFB0C20F3D0,00007FFB0A8B7895), ref: 00007FFB0A8B9EA5
PyErr_Clear.PYTHON311(?,?,00000000,00000001,00007FFB0C20F3D0,00007FFB0A8B7895), ref: 00007FFB0A8B9F7B

Part of subcall function 00007FFB0A8B86A0: _PyThreadState_UncheckedGet.PYTHON311(?,?,?,?,00007FFB0A8BB4C5,?,?,?,?,00000C70,?,00007FFB0A8BB673), ref: 00007FFB0A8B86F2
Part of subcall function 00007FFB0A8B86A0: _Py_Dealloc.PYTHON311(?,?,?,?,00007FFB0A8BB4C5,?,?,?,?,00000C70,?,00007FFB0A8BB673), ref: 00007FFB0A8B8767
Part of subcall function 00007FFB0A8B86A0: _Py_Dealloc.PYTHON311(?,?,?,?,00007FFB0A8BB4C5,?,?,?,?,00000C70,?,00007FFB0A8BB673), ref: 00007FFB0A8B877B
Part of subcall function 00007FFB0A8B86A0: _Py_Dealloc.PYTHON311(?,?,?,?,00007FFB0A8BB4C5,?,?,?,?,00000C70,?,00007FFB0A8BB673), ref: 00007FFB0A8B8794

PyObject_IsTrue.PYTHON311(?,?,00000000,00000001,00007FFB0C20F3D0,00007FFB0A8B7895), ref: 00007FFB0A8B9F26
_Py_Dealloc.PYTHON311(?,?,00000000,00000001,00007FFB0C20F3D0,00007FFB0A8B7895), ref: 00007FFB0A8B9F39
_Py_Dealloc.PYTHON311(?,?,00000000,00000001,00007FFB0C20F3D0,00007FFB0A8B7895), ref: 00007FFB0A8B9F50
_Py_Dealloc.PYTHON311(?,?,00000000,00000001,00007FFB0C20F3D0,00007FFB0A8B7895), ref: 00007FFB0A8B9F64
_Py_Dealloc.PYTHON311(?,?,00000000,00000001,00007FFB0C20F3D0,00007FFB0A8B7895), ref: 00007FFB0A8B9F73
PyErr_Occurred.PYTHON311(?,?,00000000,00000001,00007FFB0C20F3D0,00007FFB0A8B7895), ref: 00007FFB0A8B9F86
PyErr_Clear.PYTHON311(?,?,00000000,00000001,00007FFB0C20F3D0,00007FFB0A8B7895), ref: 00007FFB0A8B9F91
PyDict_New.PYTHON311(?,?,00000000,00000001,00007FFB0C20F3D0,00007FFB0A8B7895), ref: 00007FFB0A8B9F97
PyImport_ImportModuleLevelObject.PYTHON311(?,?,00000000,00000001,00007FFB0C20F3D0,00007FFB0A8B7895), ref: 00007FFB0A8B9FBC
_Py_Dealloc.PYTHON311(?,?,00000000,00000001,00007FFB0C20F3D0,00007FFB0A8B7895), ref: 00007FFB0A8B9FCE

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Dealloc$Err_$ClearImport_Module$Dict_ImportLevelObjectObject_OccurredState_ThreadTrueUnchecked
String ID:
API String ID: 4036393002-0
Opcode ID: 87b4ed83945429d9c55feb7ef2646f0e1de982f2fadf7b919b00e95fb8ed2535
Instruction ID: d756c877d096516952501cf82ef76d778aac7f6668ec1bd497067d46db0a3260
Opcode Fuzzy Hash: 87b4ed83945429d9c55feb7ef2646f0e1de982f2fadf7b919b00e95fb8ed2535
Instruction Fuzzy Hash: F5310EA2A29B4295EA555F36ED44D797398AF49FE0F0848B4DA0D067E4EF3CF4458300

Function 00007FFB0A8B6900 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

PyTuple_Pack.PYTHON311 ref: 00007FFB0A8B691A
PyTuple_Pack.PYTHON311 ref: 00007FFB0A8B6940
PyTuple_Pack.PYTHON311 ref: 00007FFB0A8B6977
PyTuple_Pack.PYTHON311 ref: 00007FFB0A8B69A7
PyTuple_Pack.PYTHON311 ref: 00007FFB0A8B69D0

Part of subcall function 00007FFB0A8B1030: PyBytes_FromStringAndSize.PYTHON311 ref: 00007FFB0A8B1050
Part of subcall function 00007FFB0A8B1030: PyCode_NewWithPosOnlyArgs.PYTHON311 ref: 00007FFB0A8B110C
Part of subcall function 00007FFB0A8B1030: _Py_Dealloc.PYTHON311 ref: 00007FFB0A8B111E

PyTuple_Pack.PYTHON311 ref: 00007FFB0A8B6A7F
PyTuple_Pack.PYTHON311 ref: 00007FFB0A8B6B21
PyTuple_Pack.PYTHON311 ref: 00007FFB0A8B6BC7
PyTuple_Pack.PYTHON311 ref: 00007FFB0A8B6D74

Strings

E, xrefs: 00007FFB0A8B6BF8

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: PackTuple_$ArgsBytes_Code_DeallocFromOnlySizeStringWith
String ID: E
API String ID: 477980097-3568589458
Opcode ID: dd4a8755e0e3c64c69f31db8532292f04d22531bc8b2be21fd2567575c198517
Instruction ID: 2289ccb73e1e966af81ed557c165084a6a18d8fd33fb993e167cbb823fa79404
Opcode Fuzzy Hash: dd4a8755e0e3c64c69f31db8532292f04d22531bc8b2be21fd2567575c198517
Instruction Fuzzy Hash: 81E1E7B7519F8182E644DB15F494BAA73E8FB48BD4F100539EA8D437A5EF39D4A0CB00

Function 00007FFB0A8BB9C0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 94COMMON

Download Yara Rule

APIs

PyErr_WarnFormat.PYTHON311 ref: 00007FFB0A8BBA48
PyErr_Format.PYTHON311 ref: 00007FFB0A8BBA78
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BBA87
PyErr_Occurred.PYTHON311 ref: 00007FFB0A8BBA8F
PyErr_SetString.PYTHON311 ref: 00007FFB0A8BBAAB
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BBADC

Strings

an integer is required, xrefs: 00007FFB0A8BBAA1
int, xrefs: 00007FFB0A8BBA59, 00007FFB0A8BBA67
__%.4s__ returned non-%.4s (type %.200s), xrefs: 00007FFB0A8BBA6E
__int__ returned non-int (type %.200s). The ability to return an instance of a strict subclass of int is deprecated, and may be removed in a future version of Python., xrefs: 00007FFB0A8BBA32

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Err_$DeallocFormat$OccurredStringWarn
String ID: __%.4s__ returned non-%.4s (type %.200s)$__int__ returned non-int (type %.200s). The ability to return an instance of a strict subclass of int is deprecated, and may be removed in a future version of Python.$an integer is required$int
API String ID: 3853760466-2157938307
Opcode ID: 3a0968aa6d4404ff7e4e3b6680f5e43abe007e1f62ad65af8b69bce873ef40eb
Instruction ID: 8186881d61298ad8b9a41c3dd00f8e2f74d27a7e0a46d98b71e3feebe936cc35
Opcode Fuzzy Hash: 3a0968aa6d4404ff7e4e3b6680f5e43abe007e1f62ad65af8b69bce873ef40eb
Instruction Fuzzy Hash: A7414CA3F29B0285EE548F35D484E7863A9EF84B94F5858B1CD5D477E4DE2DE885C300

Function 00007FFB0A8BACE0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FFB0A8BAD3E
PyDict_Size.PYTHON311 ref: 00007FFB0A8BAD53
PyDict_Size.PYTHON311 ref: 00007FFB0A8BAD82
PyDict_Size.PYTHON311 ref: 00007FFB0A8BADD1
PyErr_Format.PYTHON311 ref: 00007FFB0A8BADF4

Strings

%.200s() takes no arguments (%zd given), xrefs: 00007FFB0A8BAD9A
Bad call flags for CyFunction, xrefs: 00007FFB0A8BAD34
%.200s() takes exactly one argument (%zd given), xrefs: 00007FFB0A8BAD71
%.200s() takes no keyword arguments, xrefs: 00007FFB0A8BADE0

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Dict_Size$Err_$FormatString
String ID: %.200s() takes exactly one argument (%zd given)$%.200s() takes no arguments (%zd given)$%.200s() takes no keyword arguments$Bad call flags for CyFunction
API String ID: 2291499626-3900298366
Opcode ID: e01f14f6a9c211953f9e6814be6201bd817e7d925300677701ae2c33bcb9559a
Instruction ID: 08adbdf46bc26a0889a424ff7a5b9ae42b8815d90a868b8ef565cfd3d40e97ce
Opcode Fuzzy Hash: e01f14f6a9c211953f9e6814be6201bd817e7d925300677701ae2c33bcb9559a
Instruction Fuzzy Hash: 833162A3A2CB4296EA6D9B31D440D79A768AF59BC4B584CB2DD0E477E8DF3CE5408340

Function 00007FFB0BC71DC0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FFB0BC71DFB
PyArg_ParseTupleAndKeywords.PYTHON311 ref: 00007FFB0BC71E5D
?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z.PYWINTYPES311 ref: 00007FFB0BC71E71
?PyWinObject_AsRECT@@YAHPEAU_object@@PEAUtagRECT@@@Z.PYWINTYPES311 ref: 00007FFB0BC71E8E
PyList_New.PYTHON311 ref: 00007FFB0BC71E9F
EnumDisplayMonitors.USER32 ref: 00007FFB0BC71EBF
_Py_Dealloc.PYTHON311 ref: 00007FFB0BC71ED2

Strings

EnumDisplayMonitors, xrefs: 00007FFB0BC71DEA
|OO:EnumDisplayMonitors, xrefs: 00007FFB0BC71E26
%s is not available on this platform, xrefs: 00007FFB0BC71DF1

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_U_object@@$Arg_DeallocDisplayEnumErr_FormatKeywordsList_MonitorsParseT@@@TupleUtag
String ID: %s is not available on this platform$EnumDisplayMonitors$|OO:EnumDisplayMonitors
API String ID: 2313351520-1327370137
Opcode ID: 27edd904473009b5dad0625ef4fd12193a578ccda0df4fe7e03bd357f9076517
Instruction ID: 13e528eaec4bfcba1f58fb8cbdbaa3fbd1156915a9eb286783b7367d1445e5f7
Opcode Fuzzy Hash: 27edd904473009b5dad0625ef4fd12193a578ccda0df4fe7e03bd357f9076517
Instruction Fuzzy Hash: 9531FFA5A18A46B1EB608B31E85597A63A0FB89B94F449035E98FD7F74DF3CE005C700

Function 00007FFB0BC78B90 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 75registryCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC78BC2
?PyWinObject_AsHKEY@@YAHPEAU_object@@PEAPEAUHKEY__@@@Z.PYWINTYPES311 ref: 00007FFB0BC78BD8
RegQueryInfoKeyW.ADVAPI32 ref: 00007FFB0BC78C20
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC78C33
RegEnumKeyW.ADVAPI32 ref: 00007FFB0BC78C7D
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC78C90

Strings

RegEnumKey, xrefs: 00007FFB0BC78C89
RegQueryInfoKey, xrefs: 00007FFB0BC78C2C
Oi:RegEnumKey, xrefs: 00007FFB0BC78BB7

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: U_object@@$Error@@Win_$Arg_EnumInfoObject_ParseQuerySizeTuple_Y__@@@
String ID: Oi:RegEnumKey$RegEnumKey$RegQueryInfoKey
API String ID: 1977270578-336487990
Opcode ID: 67bdc3ef9992d3294032c2cc88718e9427d1f05cd01e7cb7397e04805d5b9c88
Instruction ID: 0f87457b7634444ad0718709a2b66795a9d083f9fce006fa74cc487b36e5a5f7
Opcode Fuzzy Hash: 67bdc3ef9992d3294032c2cc88718e9427d1f05cd01e7cb7397e04805d5b9c88
Instruction Fuzzy Hash: 0C3160B2618A82B6E7608F71EC449A933A4FB84794F04C235E65FC6EA4DF3CD545C340

Function 00007FFB0BC71A60 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

PyArg_ParseTupleAndKeywords.PYTHON311 ref: 00007FFB0BC71ABD
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC71ADC
memset.VCRUNTIME140 ref: 00007FFB0BC71B01
EnumDisplaySettingsW.USER32 ref: 00007FFB0BC71B1C
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC71B37
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC71B42
?PyWinObject_FromDEVMODE@@YAPEAU_object@@PEAU_devicemodeW@@@Z.PYWINTYPES311 ref: 00007FFB0BC71B51
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC71B5F

Strings

EnumDisplaySettings, xrefs: 00007FFB0BC71B30
|Ok:EnumDisplaySettings, xrefs: 00007FFB0BC71A9E

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_$U_object@@$Free$Arg_DisplayEnumError@@FromKeywordsParseSettingsTupleU_devicemodeW@@@Win_memset
String ID: EnumDisplaySettings$|Ok:EnumDisplaySettings
API String ID: 2568891582-2957657313
Opcode ID: 3a80df069f2f1929ba096fe6828fa334d46f0cf38392a8e9e3a34af83af5939f
Instruction ID: 9907ffa4d463321f9084c847fb97590c198c75f8adac74fcf58f2411418c8706
Opcode Fuzzy Hash: 3a80df069f2f1929ba096fe6828fa334d46f0cf38392a8e9e3a34af83af5939f
Instruction Fuzzy Hash: 683101B5619A82B1EB60CB21F854AAA63A0FBC8F40F449035EA4F87B74DF3CD405C744

Function 00007FFB0BC7A490 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FFB0BC7A4BC
_PyArg_ParseTupleAndKeywords_SizeT.PYTHON311 ref: 00007FFB0BC7A50F

Strings

OO|k:RegRestoreKey, xrefs: 00007FFB0BC7A4EC
RegRestoreKey, xrefs: 00007FFB0BC7A4AB, 00007FFB0BC7A571
%s is not available on this platform, xrefs: 00007FFB0BC7A4B2

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Arg_Err_FormatKeywords_ParseSizeTuple
String ID: %s is not available on this platform$OO|k:RegRestoreKey$RegRestoreKey
API String ID: 318405110-1709588008
Opcode ID: 1583b6c20577746689b5d05e5cc777c4dd49efc07afed949b985c096b14a28f6
Instruction ID: 4d7775c0476d1c9ffea1063ddc9ceff3394fc8e16a24331a88effdb43bd3f6a9
Opcode Fuzzy Hash: 1583b6c20577746689b5d05e5cc777c4dd49efc07afed949b985c096b14a28f6
Instruction Fuzzy Hash: FF31E5A1608A82B1DB608F65E884A6A7370FBC4B44F949136DA4FC7E74DF7CD505CB04

Function 00007FFB0B254600 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 62COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON311 ref: 00007FFB0B254633
_PyArg_BadArgument.PYTHON311 ref: 00007FFB0B254668
_PyUnicode_Ready.PYTHON311 ref: 00007FFB0B254678
_PyUnicode_ToDigit.PYTHON311 ref: 00007FFB0B25469D
PyErr_SetString.PYTHON311 ref: 00007FFB0B2546BD

Strings

argument 1, xrefs: 00007FFB0B254661
not a digit, xrefs: 00007FFB0B2546B3
a unicode character, xrefs: 00007FFB0B254653
digit, xrefs: 00007FFB0B25462C, 00007FFB0B25465A

Memory Dump Source

Source File: 00000008.00000002.2569480327.00007FFB0B251000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFB0B250000, based on PE: true

Associated: 00000008.00000002.2569434452.00007FFB0B250000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B255000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2B2000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2FE000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B301000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B306000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B360000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569948940.00007FFB0B363000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569977529.00007FFB0B365000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b250000_Payload.jbxd

Similarity

API ID: Arg_Unicode_$ArgumentCheckDigitErr_PositionalReadyString
String ID: a unicode character$argument 1$digit$not a digit
API String ID: 3305933226-4278345224
Opcode ID: f3312c4d2492d42c6bf8c5b24e15dccd6aa38fe551f57dd252bb694573ee7750
Instruction ID: 7f6c8c91f6be10772df1756e03dd12f1846057ad5d66a321657e9c180bf0359f
Opcode Fuzzy Hash: f3312c4d2492d42c6bf8c5b24e15dccd6aa38fe551f57dd252bb694573ee7750
Instruction Fuzzy Hash: BF214AA1A08A4391EA14BB31D854E796BA0FF58B88F54C431CA2FC6778DF3DE585C300

Function 00007FFB0BC789A0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 60COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FFB0BC789CC
_PyArg_ParseTupleAndKeywords_SizeT.PYTHON311 ref: 00007FFB0BC78A0B

Strings

RegDeleteTree, xrefs: 00007FFB0BC789BB, 00007FFB0BC78A66
OO:RegDeleteTree, xrefs: 00007FFB0BC789F9
%s is not available on this platform, xrefs: 00007FFB0BC789C2

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Arg_Err_FormatKeywords_ParseSizeTuple
String ID: %s is not available on this platform$OO:RegDeleteTree$RegDeleteTree
API String ID: 318405110-730235787
Opcode ID: 4bd3379fd1e0a1b970db37bf781a166aeba98e3473aee6968c62b694db06cdec
Instruction ID: 220340cd4a49d5d246f3fa268e283e1290c92a65aaeb54d25d7dbfde44fa6de8
Opcode Fuzzy Hash: 4bd3379fd1e0a1b970db37bf781a166aeba98e3473aee6968c62b694db06cdec
Instruction Fuzzy Hash: 99212DA1B18A82B1EA609F72E84496673A0FBC4B94F949132DA4FC3E34DF3CD409C704

Function 00007FFB0BC75C40 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB0BC75C98
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB0BC75CA3
GetDllDirectoryW.KERNEL32 ref: 00007FFB0BC75CB8
?PyWinObject_FromOLECHAR@@YAPEAU_object@@PEB_W_J@Z.PYWINTYPES311 ref: 00007FFB0BC75CCD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB0BC75CD9

Strings

%s is not available on this platform, xrefs: 00007FFB0BC75C5C
GetDllDirectory, xrefs: 00007FFB0BC75C55, 00007FFB0BC75CE3

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: free$DirectoryFromObject_U_object@@malloc
String ID: %s is not available on this platform$GetDllDirectory
API String ID: 1059184737-2632077198
Opcode ID: b3b2ca3e8f94f44d8ab362b75e5836cc66f0503bdef4736929a9209fe6148d55
Instruction ID: 8e7cff0709edc25fe11cc00ab0dc46beb0eeb62a51299d64655959f4eb8c5f92
Opcode Fuzzy Hash: b3b2ca3e8f94f44d8ab362b75e5836cc66f0503bdef4736929a9209fe6148d55
Instruction Fuzzy Hash: 8F2132A5B08A82A2EA644B25E84493963A1FFD8F40F199031E94F83B74CF3DE4458344

Function 00007FFB0BC73680 Relevance: 17.5, APIs: 8, Strings: 2, Instructions: 49threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC736A5
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC736C3
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC736D7
FindFirstChangeNotificationW.KERNEL32 ref: 00007FFB0BC736EE
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC736FA
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC73705
?PyWinLong_FromHANDLE@@YAPEAU_object@@PEAX@Z.PYWINTYPES311 ref: 00007FFB0BC7371D
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC73736

Strings

Oil:FindFirstChangeNotification, xrefs: 00007FFB0BC7369E
FindFirstChangeNotification, xrefs: 00007FFB0BC7372F

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: U_object@@$Eval_Object_Thread$Arg_ChangeError@@FindFirstFreeFromLong_NotificationParseRestoreSaveSizeTuple_Win_
String ID: FindFirstChangeNotification$Oil:FindFirstChangeNotification
API String ID: 2468077235-3656035498
Opcode ID: 179363945a85ee291dde5f32e13935877697cd3d2b4868d9da6be15a8b545b0e
Instruction ID: 6a46e2345e17d7debefaf8825e6a08b8fa7400d6d7f4766831eca0e74645256a
Opcode Fuzzy Hash: 179363945a85ee291dde5f32e13935877697cd3d2b4868d9da6be15a8b545b0e
Instruction Fuzzy Hash: CB1112B5618B82B2DA109B21F9408697361FBC5FA0F449131EA5F83F64DF3CE415CB04

Function 00007FFB0BC799C0 Relevance: 17.5, APIs: 7, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FFB0BC799E9
_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC79A0B

Strings

|k:RegOpenCurrentUser, xrefs: 00007FFB0BC79A01
RegOpenCurrentUser, xrefs: 00007FFB0BC799D8, 00007FFB0BC79A54
%s is not available on this platform, xrefs: 00007FFB0BC799DF

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Arg_Err_FormatParseSizeTuple_
String ID: %s is not available on this platform$RegOpenCurrentUser$|k:RegOpenCurrentUser
API String ID: 365124298-2689215078
Opcode ID: 439c260f3904b59e407a4bc33259ee56eaa5a4aa50b1156e934090c1128bc24d
Instruction ID: 6367fae22440e99cb0c059dcddb41e5708ba5b955167a1e622a9ed7e0e9285fd
Opcode Fuzzy Hash: 439c260f3904b59e407a4bc33259ee56eaa5a4aa50b1156e934090c1128bc24d
Instruction Fuzzy Hash: 4C1124A5A19B82F2EA609B25F844A6963B1FBC4F54F949131D94F83B38DF3CD545C700

Function 00007FFB0BC7ADA0 Relevance: 17.5, APIs: 8, Strings: 2, Instructions: 43threadregistrywindowCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7ADB3
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC7ADD1
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7ADE5
RegisterWindowMessageW.USER32 ref: 00007FFB0BC7ADF3
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7ADFE
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7AE09
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7AE21
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC7AE3A

Strings

RegisterWindowMessage, xrefs: 00007FFB0BC7AE1A
O:RegisterWindowMessage, xrefs: 00007FFB0BC7ADAC

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_Object_SizeThreadU_object@@$Arg_BuildError@@FreeMessageParseRegisterRestoreSaveTuple_Value_Win_Window
String ID: O:RegisterWindowMessage$RegisterWindowMessage
API String ID: 1574757139-3515438174
Opcode ID: 0b95059a3362fd0f6569096c52b18d1cfb989cbfd3b0807b0dbcafe49e399a50
Instruction ID: 6851014ae962b7ffc8092b3f9ee55a0f06d63b858e54fe0f30c18e665a00cb9b
Opcode Fuzzy Hash: 0b95059a3362fd0f6569096c52b18d1cfb989cbfd3b0807b0dbcafe49e399a50
Instruction Fuzzy Hash: 26111FA5A18A82B2DB209B35F85496963A1FBC8B81F949031EA4F87F34DF3CD559C704

Function 00007FFB0BC74620 Relevance: 17.5, APIs: 7, Strings: 3, Instructions: 42threadwindowCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC74634
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7463E
GetFocus.USER32 ref: 00007FFB0BC74647
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC74653
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC74671
PyErr_SetObject.PYTHON311 ref: 00007FFB0BC7468C
_Py_Dealloc.PYTHON311 ref: 00007FFB0BC7469B

Strings

:GetFocus, xrefs: 00007FFB0BC7462D
No window has the focus, xrefs: 00007FFB0BC7465E
(izs), xrefs: 00007FFB0BC7466A

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_SizeThread$Arg_BuildDeallocErr_FocusObjectParseRestoreSaveTuple_Value_
String ID: (izs)$:GetFocus$No window has the focus
API String ID: 1571587379-1439662695
Opcode ID: 0b3344bdf56b2c0d47ed4d2fbb49b42e1c2a608aeaa8329fccc7aafc75ed133b
Instruction ID: 0c1a9963f544d5fe7cb33631e1e3ecf48581f63bd7a3c8e29a446712fd92ae2e
Opcode Fuzzy Hash: 0b3344bdf56b2c0d47ed4d2fbb49b42e1c2a608aeaa8329fccc7aafc75ed133b
Instruction Fuzzy Hash: F1112AA1B59943B1EA298B75FD4497463A0FF88F81B48E031D91F86F34EE2CE4448304

Function 00007FFB0B252730 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFB0B252758
__scrt_initialize_crt.LIBCMT ref: 00007FFB0B25279D
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFB0B2527AA
_RTC_Initialize.LIBCMT ref: 00007FFB0B2527D8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFB0B2527FE
__scrt_release_startup_lock.LIBCMT ref: 00007FFB0B252829

Memory Dump Source

Source File: 00000008.00000002.2569480327.00007FFB0B251000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFB0B250000, based on PE: true

Associated: 00000008.00000002.2569434452.00007FFB0B250000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B255000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2B2000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2FE000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B301000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B306000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B360000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569948940.00007FFB0B363000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569977529.00007FFB0B365000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b250000_Payload.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: 5ae4ae1fad975d5487a8dd9099fd26104a61e4c8513e68d9fc499fd676c40ec1
Instruction ID: bbf86afb2ffbdb45d36fe61bd37112d7d075516c17da78bd7a0680a43cf886f3
Opcode Fuzzy Hash: 5ae4ae1fad975d5487a8dd9099fd26104a61e4c8513e68d9fc499fd676c40ec1
Instruction Fuzzy Hash: D48188A1E186478AFA50BB76D841EB96A90AF55780F64C439D90FC37F6DE3CE8468700

Function 00007FFB0A6B1030 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFB0A6B1058
__scrt_initialize_crt.LIBCMT ref: 00007FFB0A6B109D
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFB0A6B10AA
_RTC_Initialize.LIBCMT ref: 00007FFB0A6B10D8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFB0A6B10FE
__scrt_release_startup_lock.LIBCMT ref: 00007FFB0A6B1129

Memory Dump Source

Source File: 00000008.00000002.2558208231.00007FFB0A6B1000.00000020.00000001.01000000.0000004A.sdmp, Offset: 00007FFB0A6B0000, based on PE: true

Associated: 00000008.00000002.2558120358.00007FFB0A6B0000.00000002.00000001.01000000.0000004A.sdmpDownload File
Associated: 00000008.00000002.2558308893.00007FFB0A6B3000.00000002.00000001.01000000.0000004A.sdmpDownload File
Associated: 00000008.00000002.2558375762.00007FFB0A6B4000.00000004.00000001.01000000.0000004A.sdmpDownload File
Associated: 00000008.00000002.2558453551.00007FFB0A6B5000.00000002.00000001.01000000.0000004A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a6b0000_Payload.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: 13216a91d280a0ad17bb93d9638d94c9aa7988d3a2199bea0cdda77358a17c13
Instruction ID: bdd25156ddb90b05a270333183d8a07af1ad1cf9f72fc9ef333dbe7468f32fcf
Opcode Fuzzy Hash: 13216a91d280a0ad17bb93d9638d94c9aa7988d3a2199bea0cdda77358a17c13
Instruction Fuzzy Hash: 4C815EA3E2824665F6509BF5EC61A7922BCAF47F80F144AB5FA0C477D6DE3CE4C58600

Function 00007FFB0A8BB3E0 Relevance: 16.6, APIs: 11, Instructions: 117COMMON

Download Yara Rule

APIs

_PyObject_GetDictPtr.PYTHON311(?,?,?,?,00000C70,?,00007FFB0A8BB673), ref: 00007FFB0A8BB444
PyObject_Not.PYTHON311(?,?,?,?,00000C70,?,00007FFB0A8BB673), ref: 00007FFB0A8BB510
_Py_Dealloc.PYTHON311(?,?,?,?,00000C70,?,00007FFB0A8BB673), ref: 00007FFB0A8BB577
_Py_Dealloc.PYTHON311(?,?,?,?,00000C70,?,00007FFB0A8BB673), ref: 00007FFB0A8BB58B
_Py_Dealloc.PYTHON311(?,?,?,?,00000C70,?,00007FFB0A8BB673), ref: 00007FFB0A8BB5A4

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Dealloc$Object_$Dict
String ID:
API String ID: 2606780450-0
Opcode ID: f82b07b4716a932b3f8f3652b7a610d4f6a177aaf2ebe3610a5bc198288305ce
Instruction ID: 97879cd29cc328b2674febe41f1ca83d3c16607ea22e7e720296f4a8e762eb89
Opcode Fuzzy Hash: f82b07b4716a932b3f8f3652b7a610d4f6a177aaf2ebe3610a5bc198288305ce
Instruction Fuzzy Hash: DB51D1B7A19B4192EA549B36E848E7973A8FB44B94F084875CE8D477E4DF3CE445D300

Function 00007FFB0BC78F80 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 71threadregistryCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC78FCB
?PyWinObject_AsHKEY@@YAHPEAU_object@@PEAPEAUHKEY__@@@Z.PYWINTYPES311 ref: 00007FFB0BC78FE3
?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z.PYWINTYPES311 ref: 00007FFB0BC78FFB
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC79019
RegNotifyChangeKeyValue.ADVAPI32 ref: 00007FFB0BC79043
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7904E
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC79089

Strings

OiiOi, xrefs: 00007FFB0BC78FBC
RegNotifyChangeKeyValue, xrefs: 00007FFB0BC79082

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: U_object@@$Eval_Object_Thread$Arg_ChangeError@@NotifyParseRestoreSaveSizeTuple_ValueWin_Y__@@@
String ID: OiiOi$RegNotifyChangeKeyValue
API String ID: 674370069-3658889070
Opcode ID: 31bcc1c853b63944d397c4122dfe61da36ed22ce69887a88f7d3e65aae3e0db3
Instruction ID: 05d6529f5110f9bda0824a4b4899ad60a4d40f0d566e8f478d6524a35a2f4dc9
Opcode Fuzzy Hash: 31bcc1c853b63944d397c4122dfe61da36ed22ce69887a88f7d3e65aae3e0db3
Instruction Fuzzy Hash: 31317672718A81A2D7608F21F84496D73B4FBC4B90F518136DAAE83B64DF3DD845C740

Function 00007FFB0BC77000 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC77056
?PyWinObject_AsSYSTEMTIME@@YAHPEAU_object@@PEAU_SYSTEMTIME@@@Z.PYWINTYPES311 ref: 00007FFB0BC77077
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC77097
GetDateFormatW.KERNEL32 ref: 00007FFB0BC770C3
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC770D0
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC770E3
?PyWinObject_FromOLECHAR@@YAPEAU_object@@PEB_W_J@Z.PYWINTYPES311 ref: 00007FFB0BC770F6

Strings

iiO|O:GetDateFormat, xrefs: 00007FFB0BC7703E
GetDateFormat, xrefs: 00007FFB0BC770DC

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_U_object@@$Arg_DateE@@@Error@@FormatFreeFromParseSizeTuple_Win_
String ID: GetDateFormat$iiO|O:GetDateFormat
API String ID: 1545417333-1523432675
Opcode ID: 0af5bcd25c0947b4cd10bca3093e4e061b5eab404c7e0e5bd0b497f01e6977da
Instruction ID: 9479f4458d8341f5f50d546cad25ba574dd0218c383ccc913a2eb391cf346d29
Opcode Fuzzy Hash: 0af5bcd25c0947b4cd10bca3093e4e061b5eab404c7e0e5bd0b497f01e6977da
Instruction Fuzzy Hash: 1A3102B261DA86B2E7608F21E444A6A73A4FBC4B44F509136E68F83A74DF7CD549C704

Function 00007FFB0B251000 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 61COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON311 ref: 00007FFB0B25359B
_PyArg_BadArgument.PYTHON311 ref: 00007FFB0B2535C2
_PyUnicode_Ready.PYTHON311 ref: 00007FFB0B2535CF
_PyArg_BadArgument.PYTHON311 ref: 00007FFB0B2535F7
_PyUnicode_Ready.PYTHON311 ref: 00007FFB0B253604

Part of subcall function 00007FFB0B251090: PyUnicode_CompareWithASCIIString.PYTHON311 ref: 00007FFB0B2510BD
Part of subcall function 00007FFB0B251090: PyUnicode_CompareWithASCIIString.PYTHON311 ref: 00007FFB0B2510D5
Part of subcall function 00007FFB0B251090: PyType_IsSubtype.PYTHON311 ref: 00007FFB0B2510FD

Strings

argument 1, xrefs: 00007FFB0B2535BB
str, xrefs: 00007FFB0B2535AD, 00007FFB0B2535E2
normalize, xrefs: 00007FFB0B25358E, 00007FFB0B2535B4, 00007FFB0B2535E9
argument 2, xrefs: 00007FFB0B2535F0

Memory Dump Source

Source File: 00000008.00000002.2569480327.00007FFB0B251000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFB0B250000, based on PE: true

Associated: 00000008.00000002.2569434452.00007FFB0B250000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B255000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2B2000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2FE000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B301000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B306000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B360000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569948940.00007FFB0B363000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569977529.00007FFB0B365000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b250000_Payload.jbxd

Similarity

API ID: Unicode_$Arg_$ArgumentCompareReadyStringWith$CheckPositionalSubtypeType_
String ID: argument 1$argument 2$normalize$str
API String ID: 3621440800-1320425463
Opcode ID: 94348148c340fa5468beab9ef1746397c69e42e894d14843631ab3fa4ea44381
Instruction ID: 1bb9144197515dbdae141f0b105e200261de6ab6d481890e0adaf03bacf313d2
Opcode Fuzzy Hash: 94348148c340fa5468beab9ef1746397c69e42e894d14843631ab3fa4ea44381
Instruction Fuzzy Hash: F621B1A0A18A8781E710AB35E445E782B50AF18BD8F64D131D91FC72F4CF3CE446C700

Function 00007FFB0B2547DC Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 58COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON311 ref: 00007FFB0B254808
_PyArg_BadArgument.PYTHON311 ref: 00007FFB0B25483D
_PyUnicode_Ready.PYTHON311 ref: 00007FFB0B25484D
_PyArg_BadArgument.PYTHON311 ref: 00007FFB0B25488C
_PyUnicode_Ready.PYTHON311 ref: 00007FFB0B25489C

Strings

argument 1, xrefs: 00007FFB0B254836
str, xrefs: 00007FFB0B254828, 00007FFB0B254877
is_normalized, xrefs: 00007FFB0B2547FB, 00007FFB0B25482F, 00007FFB0B25487E
argument 2, xrefs: 00007FFB0B254885

Memory Dump Source

Source File: 00000008.00000002.2569480327.00007FFB0B251000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFB0B250000, based on PE: true

Associated: 00000008.00000002.2569434452.00007FFB0B250000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B255000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2B2000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2FE000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B301000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B306000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B360000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569948940.00007FFB0B363000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569977529.00007FFB0B365000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b250000_Payload.jbxd

Similarity

API ID: Arg_$ArgumentReadyUnicode_$CheckPositional
String ID: argument 1$argument 2$is_normalized$str
API String ID: 396090033-184702317
Opcode ID: c961abb42e83fbff4e8e9473619491438f798cfd5e47330d0c83c04a8f602896
Instruction ID: 68754f3ecd5c34cc67d72c0819e367b52b082f0300cce05c77344d21481f6ff2
Opcode Fuzzy Hash: c961abb42e83fbff4e8e9473619491438f798cfd5e47330d0c83c04a8f602896
Instruction Fuzzy Hash: 652162A1A08A8795E750AB35E848EB46B50EF54B98F54C531D96FC77B8CF3CD486C700

Function 00007FFB0BC7AB60 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 51threadregistryCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7AB85
?PyWinObject_AsHKEY@@YAHPEAU_object@@PEAPEAUHKEY__@@@Z.PYWINTYPES311 ref: 00007FFB0BC7AB9D
?PyWinObject_AsSECURITY_DESCRIPTOR@@YAHPEAU_object@@PEAPEAXH@Z.PYWINTYPES311 ref: 00007FFB0BC7ABB8
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7ABCC
RegSetKeySecurity.ADVAPI32 ref: 00007FFB0BC7ABE3
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7ABEE
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7AC06

Strings

RegSetKeySecurity, xrefs: 00007FFB0BC7ABFF
OlO:RegSetKeySecurity, xrefs: 00007FFB0BC7AB7E

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: U_object@@$Eval_Object_Thread$Arg_Error@@ParseRestoreSaveSecuritySizeTuple_Win_Y__@@@
String ID: OlO:RegSetKeySecurity$RegSetKeySecurity
API String ID: 3383195537-3249879953
Opcode ID: e63abcd8f79aa1f4d1338530a992fe1a08016017ff5ba1f30fda43893682b671
Instruction ID: f1fe675d88ad273f4ea6d64f549b8de076279e73eb26981ada7bb70bfd9b4264
Opcode Fuzzy Hash: e63abcd8f79aa1f4d1338530a992fe1a08016017ff5ba1f30fda43893682b671
Instruction Fuzzy Hash: D121B1A5618A86B2DA109B65E84496A73A1FBC4B80F849132EA4F83B34DF7CD545CB04

Function 00007FFB0BC79E10 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 50registryCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC79E26
?PyWinObject_AsHKEY@@YAHPEAU_object@@PEAPEAUHKEY__@@@Z.PYWINTYPES311 ref: 00007FFB0BC79E3E
RegQueryInfoKeyW.ADVAPI32 ref: 00007FFB0BC79E98
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC79EAB
?PyWinObject_FromULARGE_INTEGER@@YAPEAU_object@@AEBT_ULARGE_INTEGER@@@Z.PYWINTYPES311 ref: 00007FFB0BC79EC8
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC79EE7

Strings

RegQueryInfoKey, xrefs: 00007FFB0BC79EA4
O:RegQueryInfoKey, xrefs: 00007FFB0BC79E1F
iiN, xrefs: 00007FFB0BC79ED6

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: U_object@@$Object_Size$Arg_BuildError@@FromInfoParseQueryR@@@Tuple_Value_Win_Y__@@@
String ID: O:RegQueryInfoKey$RegQueryInfoKey$iiN
API String ID: 527425343-3767673079
Opcode ID: fffb005ad876cbcb4f92a841316295aaeb78407a8507a24c23dcc59ddbb5aff6
Instruction ID: 4aad96244fb680615dd6d7546af4ebd2119bb7e12c06c54923119ac9ec5ae52c
Opcode Fuzzy Hash: fffb005ad876cbcb4f92a841316295aaeb78407a8507a24c23dcc59ddbb5aff6
Instruction Fuzzy Hash: D0211276A08B82A2EB608B65F44076A77A5FBC5784F509136E68E83F74DF3CD159CB00

Function 00007FFB0BC78440 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 47registryCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7846D
?PyWinObject_AsHKEY@@YAHPEAU_object@@PEAPEAUHKEY__@@@Z.PYWINTYPES311 ref: 00007FFB0BC78485
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC784A0
RegCreateKeyW.ADVAPI32 ref: 00007FFB0BC784BE
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC784CB
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC784DE
?PyWinObject_FromHKEY@@YAPEAU_object@@PEAUHKEY__@@@Z.PYWINTYPES311 ref: 00007FFB0BC784F3

Strings

OO:RegCreateKey, xrefs: 00007FFB0BC78458
RegCreateKey, xrefs: 00007FFB0BC784D7

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_U_object@@$Y__@@@$Arg_CreateError@@FreeFromParseSizeTuple_Win_
String ID: OO:RegCreateKey$RegCreateKey
API String ID: 4149201907-1835961249
Opcode ID: c5b2abc81a184d10b7be4d7a0f761f0d091ff3e95c5891f177439ae9d2e679f2
Instruction ID: 3599272d656e2ed3b90d7992a9f17c15a86c5784f53e793787f23c24ddd1cab0
Opcode Fuzzy Hash: c5b2abc81a184d10b7be4d7a0f761f0d091ff3e95c5891f177439ae9d2e679f2
Instruction Fuzzy Hash: 8611B2B5A18B82B2DB609F61E84466A6361FBC4B84F849035EA4E83E74DF7CD505C744

Function 00007FFB0BC78250 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 45registryCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC78271
?PyWinObject_AsHKEY@@YAHPEAU_object@@PEAPEAUHKEY__@@@Z.PYWINTYPES311 ref: 00007FFB0BC78289
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC782A4
RegConnectRegistryW.ADVAPI32 ref: 00007FFB0BC782C2
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC782CF
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC782E2
?PyWinObject_FromHKEY@@YAPEAU_object@@PEAUHKEY__@@@Z.PYWINTYPES311 ref: 00007FFB0BC782F7

Strings

OO:RegConnectRegistry, xrefs: 00007FFB0BC78260
RegConnectRegistry, xrefs: 00007FFB0BC782DB

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_U_object@@$Y__@@@$Arg_ConnectError@@FreeFromParseRegistrySizeTuple_Win_
String ID: OO:RegConnectRegistry$RegConnectRegistry
API String ID: 3946530329-4053257052
Opcode ID: f5741862eca0b2c1fe863a3deb9f9b7bad970b88806366f22b363a944654dda2
Instruction ID: 437a091e9cab8c7be166fd2b5219cdbb614c0776cf6c2908bc41f05bb0fd2197
Opcode Fuzzy Hash: f5741862eca0b2c1fe863a3deb9f9b7bad970b88806366f22b363a944654dda2
Instruction Fuzzy Hash: 5211F7B1B18B82B3DB209F65E84496A6361FBC4B89F449031EA4E83E34DF3CE549C704

Function 00007FFB0BC7BBC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 44threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7BBD8
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC7BBF6
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7BC0A
SetFileAttributesW.KERNEL32 ref: 00007FFB0BC7BC1C
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7BC27
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7BC32
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7BC4F

Strings

SetFileAttributes, xrefs: 00007FFB0BC7BC48
Oi:SetFileAttributes, xrefs: 00007FFB0BC7BBCC

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_Object_ThreadU_object@@$Arg_AttributesError@@FileFreeParseRestoreSaveSizeTuple_Win_
String ID: Oi:SetFileAttributes$SetFileAttributes
API String ID: 3759253704-1768512846
Opcode ID: dc9f2e8522dc54863ae2bb0a07badc674b31606ac1aa209e6edc197b26d702cb
Instruction ID: 5c84ee27198bc9f8d8486ba3b499b8024f6777b6f576c016ffdbfcea7ca19368
Opcode Fuzzy Hash: dc9f2e8522dc54863ae2bb0a07badc674b31606ac1aa209e6edc197b26d702cb
Instruction Fuzzy Hash: CF1103A5A18A82B2DB209B75EC549696371FFC4B94F849032E94F87B34CF7CD415C704

Function 00007FFB0BC75B80 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC75BA1
?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z.PYWINTYPES311 ref: 00007FFB0BC75BB5
?PyWinObject_AsResourceIdA@@YAHPEAU_object@@PEAPEADH@Z.PYWINTYPES311 ref: 00007FFB0BC75BCC
GetProcAddress.KERNEL32 ref: 00007FFB0BC75BE5
?PyWinObject_FreeResourceIdA@@YAXPEAD@Z.PYWINTYPES311 ref: 00007FFB0BC75BF3
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC75C07
?PyWinLong_FromVoidPtr@@YAPEAU_object@@PEBX@Z.PYWINTYPES311 ref: 00007FFB0BC75C1A

Strings

GetProcAddress, xrefs: 00007FFB0BC75C00
OO:GetProcAddress, xrefs: 00007FFB0BC75B90

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: U_object@@$Object_$Resource$AddressArg_Error@@FreeFromLong_ParseProcPtr@@SizeTuple_VoidWin_
String ID: GetProcAddress$OO:GetProcAddress
API String ID: 2964247294-1932483860
Opcode ID: 30db25680578375cc6b01099a355ad71dac1dd16ad9dde3e02b88383406ed809
Instruction ID: 615aa1baf755d2882894fe09e12e15cff25cc8556390401ca4b6fbfb196a352c
Opcode Fuzzy Hash: 30db25680578375cc6b01099a355ad71dac1dd16ad9dde3e02b88383406ed809
Instruction Fuzzy Hash: 161103A5B18983B1EA609F65F854A696360FBC4B94F88D031E94F83E34DF7CD549CB00

Function 00007FFB0BC75630 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 42threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC75643
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC75662
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC75676
AbortSystemShutdownW.ADVAPI32 ref: 00007FFB0BC75684
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7568F
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7569A
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC756B7

Strings

AbortSystemShutdown, xrefs: 00007FFB0BC756B0
O:AbortSystemShutdown, xrefs: 00007FFB0BC7563C

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_Object_ThreadU_object@@$AbortArg_Error@@FreeParseRestoreSaveShutdownSizeSystemTuple_Win_
String ID: AbortSystemShutdown$O:AbortSystemShutdown
API String ID: 1118267685-797590645
Opcode ID: c7b4bbdf65b0e2a4eee8f30f83fa334550b7da8f5a16021d39bd7932414431a6
Instruction ID: d39c3c7acd37b83ddb205b6c1cd32ac587e93df875592de1c744e2ab44f2574e
Opcode Fuzzy Hash: c7b4bbdf65b0e2a4eee8f30f83fa334550b7da8f5a16021d39bd7932414431a6
Instruction Fuzzy Hash: 6C1112A5A19A82B2DB249B36E84496963B0FFC5F80F849031DA4F87B34DF3CD445C704

Function 00007FFB0BC7CFA0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7CFBE
?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z.PYWINTYPES311 ref: 00007FFB0BC7CFD2
PyList_New.PYTHON311 ref: 00007FFB0BC7CFDE
EnumResourceTypesW.KERNEL32 ref: 00007FFB0BC7CFFB
_Py_Dealloc.PYTHON311 ref: 00007FFB0BC7D00E
GetLastError.KERNEL32 ref: 00007FFB0BC7D016
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7D025

Strings

O:EnumResourceTypes, xrefs: 00007FFB0BC7CFB2
EnumResourceTypes, xrefs: 00007FFB0BC7D01E

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: U_object@@$Arg_DeallocEnumErrorError@@LastList_Object_ParseResourceSizeTuple_TypesWin_
String ID: EnumResourceTypes$O:EnumResourceTypes
API String ID: 1695953756-4281011403
Opcode ID: fa598f8dd296cc3c3b6328dd8ecd599c0bed0881b1b5285848b9adc40b78e7ec
Instruction ID: 1b1875668cedfbe70f6a6d619f2f0266e0137ff4308346402e4031c4aca6c178
Opcode Fuzzy Hash: fa598f8dd296cc3c3b6328dd8ecd599c0bed0881b1b5285848b9adc40b78e7ec
Instruction Fuzzy Hash: 761116E1A49647B1EF249B31EC44A7523A0EF85B91F44E035DA0FC6A74DF2DE486C714

Function 00007FFB0BC7B170 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 42threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7B183
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC7B1A1
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7B1B5
SetConsoleTitleW.KERNEL32 ref: 00007FFB0BC7B1C3
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7B1CE
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7B1D9
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7B1F6

Strings

O:SetConsoleTitle, xrefs: 00007FFB0BC7B17C
SetConsoleTitle, xrefs: 00007FFB0BC7B1EF

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_Object_ThreadU_object@@$Arg_ConsoleError@@FreeParseRestoreSaveSizeTitleTuple_Win_
String ID: O:SetConsoleTitle$SetConsoleTitle
API String ID: 1705875207-358701353
Opcode ID: f6638e2d7fb55b6f94d2b2e98bd1ac67c75cdadbe0e09b78b9dfd9f38fe6dbc7
Instruction ID: 8c1514319f9085b8cd226d9c87701a84431ce6410ef8277ecffb72131d751ebb
Opcode Fuzzy Hash: f6638e2d7fb55b6f94d2b2e98bd1ac67c75cdadbe0e09b78b9dfd9f38fe6dbc7
Instruction Fuzzy Hash: 7211EFA5A19A82B2DB249B35E85496963B0FBC5F85F849031EA4F83F34DF3CD455C704

Function 00007FFB0BC775D0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FFB0BC775F8
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC77621

Strings

NNN, xrefs: 00007FFB0BC7765F
GetSystemFileCacheSize, xrefs: 00007FFB0BC775E7, 00007FFB0BC7761A
%s is not available on this platform, xrefs: 00007FFB0BC775EE

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Err_Error@@FormatU_object@@Win_
String ID: %s is not available on this platform$GetSystemFileCacheSize$NNN
API String ID: 1771588633-2489118426
Opcode ID: 3500b181cac3173f19966835d408cee78d68b88115a6896d6729cc79fc4933f4
Instruction ID: 2b5d212bfe2c3ed1c36272049d65f4fc857729f639350ae54431b43bebfc97a8
Opcode Fuzzy Hash: 3500b181cac3173f19966835d408cee78d68b88115a6896d6729cc79fc4933f4
Instruction Fuzzy Hash: 681112A5A08A82B1DA20DB65F8544696360FBC5F94F849132DD4F83F34DF7CD109C700

Function 00007FFB0BC72A90 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FFB0BC72AB9
_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC72AD3
?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z.PYWINTYPES311 ref: 00007FFB0BC72AE7
GetHandleInformation.KERNEL32 ref: 00007FFB0BC72AFB
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC72B0E

Strings

GetHandleInformation, xrefs: 00007FFB0BC72AA8, 00007FFB0BC72B07
O:GetHandleInformation, xrefs: 00007FFB0BC72ACC
%s is not available on this platform, xrefs: 00007FFB0BC72AAF

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: U_object@@$Arg_Err_Error@@FormatHandleInformationObject_ParseSizeTuple_Win_
String ID: %s is not available on this platform$GetHandleInformation$O:GetHandleInformation
API String ID: 3247453039-154839077
Opcode ID: bea1adb5dfea84fdd8f83d16a9024314f8d1f8e473a8b675f03c897483865c35
Instruction ID: b2abadd530b910fb90acbb7834606fd5c8391e0e470df32ad564c1d3c114525a
Opcode Fuzzy Hash: bea1adb5dfea84fdd8f83d16a9024314f8d1f8e473a8b675f03c897483865c35
Instruction Fuzzy Hash: 6C113CA0B18A83B1EA249B34EC54A6963A1FFC0B44F80D036D90FC6A74DE6CE559C744

Function 00007FFB0A8BBE40 Relevance: 15.2, APIs: 10, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFB0A8BBE68
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFB0A8BBEBA
_RTC_Initialize.LIBCMT ref: 00007FFB0A8BBEE8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFB0A8BBF0E
__scrt_release_startup_lock.LIBCMT ref: 00007FFB0A8BBF39

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 1f0478804ec1087112200e5e3a73033cf14bdd43adb5721da7ca4e794a084b05
Instruction ID: d8e7738c18e98a31de7d100a8a5208ec8890556d3189e032193d9fd36ba04275
Opcode Fuzzy Hash: 1f0478804ec1087112200e5e3a73033cf14bdd43adb5721da7ca4e794a084b05
Instruction Fuzzy Hash: B381A1E3E2C70386FA54AB75D441EB92698AF89780F444CB5DA4C973E2DE3CE8468700

Function 00007FFB0A8B8D20 Relevance: 15.1, APIs: 10, Instructions: 122threadCOMMON

Download Yara Rule

APIs

PyCode_NewEmpty.PYTHON311 ref: 00007FFB0A8B8D49
PyFrame_New.PYTHON311 ref: 00007FFB0A8B8D6E
PyThreadState_EnterTracing.PYTHON311 ref: 00007FFB0A8B8DA9
PyThreadState_LeaveTracing.PYTHON311 ref: 00007FFB0A8B8DE0
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B8E0D
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B8E22
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B8E36
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B8E5A
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B8E6E
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B8E82

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Dealloc$State_ThreadTracing$Code_EmptyEnterFrame_Leave
String ID:
API String ID: 293397190-0
Opcode ID: 6279ffdd2411b73e24bad23bbae8e7c1ee3a62ed25478a9a6f218e52b9973b03
Instruction ID: 2a7ee8fac2ff5ef09aa48bc2292491cc3e7bac2f6616b36109033df195eb03ee
Opcode Fuzzy Hash: 6279ffdd2411b73e24bad23bbae8e7c1ee3a62ed25478a9a6f218e52b9973b03
Instruction Fuzzy Hash: 4C4147B3A15B5196EA599F32E944D6877ACFB49BA4B0849B1CF4D03BA0DF3CE461C300

Function 00007FFB0A8B1250 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 139threadCOMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FFB0A8B1373
PyThreadState_Get.PYTHON311 ref: 00007FFB0A8B13C7
_PyThreadState_UncheckedGet.PYTHON311 ref: 00007FFB0A8B143F

Strings

GenericAlias, xrefs: 00007FFB0A8B127B
%.200s() takes %.8s %zd positional argument%.1s (%zd given), xrefs: 00007FFB0A8B135D
propcache._helpers_c.GenericAlias, xrefs: 00007FFB0A8B1387, 00007FFB0A8B141C
exactly, xrefs: 00007FFB0A8B1351

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: State_Thread$Err_FormatUnchecked
String ID: %.200s() takes %.8s %zd positional argument%.1s (%zd given)$GenericAlias$exactly$propcache._helpers_c.GenericAlias
API String ID: 615364860-1588984601
Opcode ID: 0d5c707675b970255714db1315ef67a158cb35287ddb50f7b129ac6cdce7452c
Instruction ID: 765fe10de1f6ff6d10d85808dfd5aabf9beb6e201bae4b41582f07826f5f2e05
Opcode Fuzzy Hash: 0d5c707675b970255714db1315ef67a158cb35287ddb50f7b129ac6cdce7452c
Instruction Fuzzy Hash: CB51A1B3A29B4285EB209F21E414EA933A8FB49B84F544AB6DD8D4B7D0DF3CE445C340

Function 00007FFB0A8B2680 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 129COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 00007FFB0A8B27A9
PyErr_Format.PYTHON311 ref: 00007FFB0A8B27FB
PyErr_Format.PYTHON311 ref: 00007FFB0A8B2859

Strings

__set_name__, xrefs: 00007FFB0A8B276C, 00007FFB0A8B27E1, 00007FFB0A8B283F
propcache._helpers_c.cached_property.__set_name__, xrefs: 00007FFB0A8B286B
%.200s() takes %.8s %zd positional argument%.1s (%zd given), xrefs: 00007FFB0A8B27E8, 00007FFB0A8B2846
exactly, xrefs: 00007FFB0A8B27D5, 00007FFB0A8B2833

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Err_$Format$Occurred
String ID: %.200s() takes %.8s %zd positional argument%.1s (%zd given)$__set_name__$exactly$propcache._helpers_c.cached_property.__set_name__
API String ID: 1084603930-4164463965
Opcode ID: ed12a06416c7487eb7b1c5818203375afe6caa96ed5dfd44c15e18054efd2483
Instruction ID: 0efcb9122b41378dfd20aece94ead52d040c75ca6d7f719be7da1de1af70ee81
Opcode Fuzzy Hash: ed12a06416c7487eb7b1c5818203375afe6caa96ed5dfd44c15e18054efd2483
Instruction Fuzzy Hash: 3E5180F3A28B4295EA159B21E440EFA63A8FF48B90F140976DA8D037E4EF3DE454C740

Function 00007FFB0A8B54A0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 75threadCOMMON

Download Yara Rule

APIs

PyThreadState_Get.PYTHON311 ref: 00007FFB0A8B54B9
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B556A

Part of subcall function 00007FFB0A8B8D20: PyCode_NewEmpty.PYTHON311 ref: 00007FFB0A8B8D49
Part of subcall function 00007FFB0A8B8D20: PyFrame_New.PYTHON311 ref: 00007FFB0A8B8D6E

Part of subcall function 00007FFB0A8BB640: _PyThreadState_UncheckedGet.PYTHON311 ref: 00007FFB0A8BB65C
Part of subcall function 00007FFB0A8BB640: PyUnicode_FromFormat.PYTHON311 ref: 00007FFB0A8BB718
Part of subcall function 00007FFB0A8BB640: PyUnicode_AsUTF8.PYTHON311 ref: 00007FFB0A8BB729
Part of subcall function 00007FFB0A8BB640: _Py_Dealloc.PYTHON311 ref: 00007FFB0A8BB73D
Part of subcall function 00007FFB0A8BB640: _Py_Dealloc.PYTHON311 ref: 00007FFB0A8BB77F
Part of subcall function 00007FFB0A8BB640: _Py_Dealloc.PYTHON311 ref: 00007FFB0A8BB793
Part of subcall function 00007FFB0A8BB640: _Py_Dealloc.PYTHON311 ref: 00007FFB0A8BB998

_PyThreadState_UncheckedGet.PYTHON311 ref: 00007FFB0A8B5597
PyErr_SetString.PYTHON311 ref: 00007FFB0A8B55DA

Strings

__delete__, xrefs: 00007FFB0A8B55D0
propcache._helpers_c.under_cached_property.__set__, xrefs: 00007FFB0A8B5510, 00007FFB0A8B557C
__set__, xrefs: 00007FFB0A8B54DE
-, xrefs: 00007FFB0A8B54E5

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Dealloc$State_Thread$UncheckedUnicode_$Code_EmptyErr_FormatFrame_FromString
String ID: -$__delete__$__set__$propcache._helpers_c.under_cached_property.__set__
API String ID: 1577353484-4004665947
Opcode ID: 3e80ab89cffecd2581ae480896f929c27da7c62a0d6fe32abc518a003f2442ee
Instruction ID: 0dfc1c8d0e0c1ef52bd114ac43fcfc0edcfa9e199a39e36efbbe05f55d31bded
Opcode Fuzzy Hash: 3e80ab89cffecd2581ae480896f929c27da7c62a0d6fe32abc518a003f2442ee
Instruction Fuzzy Hash: 013179A3A28B4391EA14DB32E850DA963A9FF85B94F4409B2D94E077E4DF3DE4418B00

Function 00007FFB0BC7C470 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56threadtimeCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7C4CB
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7C4F6
SetSystemTime.KERNEL32 ref: 00007FFB0BC7C504
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7C50F
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7C52A

Strings

SetSystemTime, xrefs: 00007FFB0BC7C523
hhhhhhhh:SetSystemTime, xrefs: 00007FFB0BC7C4A9

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_Thread$Arg_Error@@ParseRestoreSaveSizeSystemTimeTuple_U_object@@Win_
String ID: SetSystemTime$hhhhhhhh:SetSystemTime
API String ID: 2208933268-3782942145
Opcode ID: a1a35b9e07e8cfb4c64347660b1283ed3d003146fb195fa3faccdb4051e9192c
Instruction ID: b3bd8268a971e44bf305b717ef898811154ccad08fc4fce5bcdc770e9cca6c59
Opcode Fuzzy Hash: a1a35b9e07e8cfb4c64347660b1283ed3d003146fb195fa3faccdb4051e9192c
Instruction Fuzzy Hash: 44214FB6B0CA82B1DB10CB21E8585BD33A1FB98B40F928136DA5E87B60DF3DD509C700

Function 00007FFB0BC73B35 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC73B5B
PyErr_SetString.PYTHON311 ref: 00007FFB0BC73B77
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC73B8D
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC73BB6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB0BC73BC7
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC73BD2
LocalFree.KERNEL32 ref: 00007FFB0BC73BE2
_Py_Dealloc.PYTHON311 ref: 00007FFB0BC73BF6

Strings

Access violation (probably due to missing string inserts), xrefs: 00007FFB0BC73B66

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Free$Object_$DeallocErr_Error@@Eval_LocalRestoreStringThreadU_object@@Win_free
String ID: Access violation (probably due to missing string inserts)
API String ID: 2240754721-128206310
Opcode ID: 2398a8ad2e7bb9a9fff3f28a8d0f05baa49660c1819c5d9160c91ebf0edc7af7
Instruction ID: 339a330ceae3087a208e9498839c9d238805cd1ffcceed430739f6127414a7e6
Opcode Fuzzy Hash: 2398a8ad2e7bb9a9fff3f28a8d0f05baa49660c1819c5d9160c91ebf0edc7af7
Instruction Fuzzy Hash: 1B213066A48A82B2EA75DB22E4149396361FBC4F94F449031DE5F83B64CF3DE446D708

Function 00007FFB0BC72290 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FFB0BC722BC
PyArg_ParseTupleAndKeywords.PYTHON311 ref: 00007FFB0BC722F7
?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z.PYWINTYPES311 ref: 00007FFB0BC7230B
MonitorFromWindow.USER32 ref: 00007FFB0BC7231E

Strings

O|k:MonitorFromWindow, xrefs: 00007FFB0BC722ED
%s is not available on this platform, xrefs: 00007FFB0BC722B2
MonitorFromWindow, xrefs: 00007FFB0BC722AB

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Arg_Err_FormatFromKeywordsMonitorObject_ParseTupleU_object@@Window
String ID: %s is not available on this platform$MonitorFromWindow$O|k:MonitorFromWindow
API String ID: 3205472161-3164843671
Opcode ID: c290e1f77e8b79356909d79fac2cbdc51b19cc43468444595fb386e82a4b26e8
Instruction ID: 54a256068cad6f185bad80ad538b70c04bc29de171ddaafa69257c84b779a4d5
Opcode Fuzzy Hash: c290e1f77e8b79356909d79fac2cbdc51b19cc43468444595fb386e82a4b26e8
Instruction Fuzzy Hash: 85111CE1A08B46B1EE609B21E844A696360FBC1B94F809136E94FC7B74DE3CE159C744

Function 00007FFB0BC7D440 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 45threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7D473
PyCallable_Check.PYTHON311 ref: 00007FFB0BC7D485
PyErr_SetString.PYTHON311 ref: 00007FFB0BC7D4A0
PyThreadState_Swap.PYTHON311 ref: 00007FFB0BC7D4B5
PyThreadState_Swap.PYTHON311 ref: 00007FFB0BC7D4C3
PyObject_CallObject.PYTHON311 ref: 00007FFB0BC7D4D7

Strings

OOO, xrefs: 00007FFB0BC7D469
First argument must be an exception handler which accepts 2 arguments., xrefs: 00007FFB0BC7D48F

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: State_SwapThread$Arg_CallCallable_CheckErr_ObjectObject_ParseSizeStringTuple_
String ID: First argument must be an exception handler which accepts 2 arguments.$OOO
API String ID: 3456591379-1352449461
Opcode ID: bfb8b153776623f4053ff9d42d31c6394271e025ad0f95cc2b16f5e486181bb3
Instruction ID: 838c9f088859bb6b79ff8c2355361a127ede0aa61711a2eaf4abf2e4b787f8f1
Opcode Fuzzy Hash: bfb8b153776623f4053ff9d42d31c6394271e025ad0f95cc2b16f5e486181bb3
Instruction Fuzzy Hash: 5F112BB1B08A82B2DB20CB35F84486933A4FB88F80F519036DA5F87A24DE3CD498C704

Function 00007FFB0BC78760 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 45registryCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC78781
?PyWinObject_AsHKEY@@YAHPEAU_object@@PEAPEAUHKEY__@@@Z.PYWINTYPES311 ref: 00007FFB0BC78799
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC787B3
RegDeleteKeyW.ADVAPI32 ref: 00007FFB0BC787CC
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC787D9
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC787EC

Strings

RegDeleteKey, xrefs: 00007FFB0BC787E5
OO:RegDeleteKey, xrefs: 00007FFB0BC78770

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_U_object@@$Arg_DeleteError@@FreeParseSizeTuple_Win_Y__@@@
String ID: OO:RegDeleteKey$RegDeleteKey
API String ID: 1909801613-662082429
Opcode ID: b4b4eeaa570e99c7f84df853695691f9b45e272dd18573419bf667f1c76595a6
Instruction ID: b770554a91d46269f81cb54cc1cac89a13888661fb6c4fe99a0678537f0082e4
Opcode Fuzzy Hash: b4b4eeaa570e99c7f84df853695691f9b45e272dd18573419bf667f1c76595a6
Instruction Fuzzy Hash: C611F4A5B18A82B2DB609F75E844A6A6360FBC4B94F449035EA4F83E34DF7CD549CB04

Function 00007FFB0BC72B30 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FFB0BC72B59
_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC72B82
?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z.PYWINTYPES311 ref: 00007FFB0BC72B96
SetHandleInformation.KERNEL32 ref: 00007FFB0BC72BAE
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC72BC1

Strings

SetHandleInformation, xrefs: 00007FFB0BC72B48, 00007FFB0BC72BBA
Okk:SetHandleInformation, xrefs: 00007FFB0BC72B7B
%s is not available on this platform, xrefs: 00007FFB0BC72B4F

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: U_object@@$Arg_Err_Error@@FormatHandleInformationObject_ParseSizeTuple_Win_
String ID: %s is not available on this platform$Okk:SetHandleInformation$SetHandleInformation
API String ID: 3247453039-2433813827
Opcode ID: 05e03558a9400f21d846e6a25a787920c3ee7d9c01e4bc061d7255ed5a770c17
Instruction ID: 67d1f76a23fd5cdd7e8b69c468eab024b0a4c1819834ffe7f42be5d7923b49f8
Opcode Fuzzy Hash: 05e03558a9400f21d846e6a25a787920c3ee7d9c01e4bc061d7255ed5a770c17
Instruction Fuzzy Hash: 7E11ECE5B18B47F1EA648F25E844AA52370FBC1B84F809036E54F86B74DE3CE55AC744

Function 00007FFB0BC7BE60 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 41threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7BE85
?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z.PYWINTYPES311 ref: 00007FFB0BC7BE99
?PyWinLong_AsVoidPtr@@YAHPEAU_object@@PEAPEAX@Z.PYWINTYPES311 ref: 00007FFB0BC7BEAD
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7BEC1
SetClassLongPtrW.USER32 ref: 00007FFB0BC7BED8
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7BEE4
?PyWinLong_FromVoidPtr@@YAPEAU_object@@PEBX@Z.PYWINTYPES311 ref: 00007FFB0BC7BEED

Strings

OiO:SetClassLong, xrefs: 00007FFB0BC7BE7E

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: U_object@@$Eval_Long_Ptr@@ThreadVoid$Arg_ClassFromLongObject_ParseRestoreSaveSizeTuple_
String ID: OiO:SetClassLong
API String ID: 2310853525-51586606
Opcode ID: 84d70f8caab229f3ee6291ac7fa97fda40a7f2383376f6e651956c7f9f11191d
Instruction ID: 524efa55b50aef55a1d2b4dacee211806d6a02e52f729ef7cd5d57736f6e836d
Opcode Fuzzy Hash: 84d70f8caab229f3ee6291ac7fa97fda40a7f2383376f6e651956c7f9f11191d
Instruction Fuzzy Hash: FF11D0B5618A82B2DA109B65F85486A73A1FBC4F80F449136EA8F83F38DF3CD445CB40

Function 00007FFB0BC7C7C0 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 40threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7C7D8
?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z.PYWINTYPES311 ref: 00007FFB0BC7C7EC
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7C800
TerminateProcess.KERNEL32 ref: 00007FFB0BC7C812
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7C81D
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7C83A

Strings

Oi:TerminateProcess, xrefs: 00007FFB0BC7C7CC
TerminateProcess, xrefs: 00007FFB0BC7C833

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_ThreadU_object@@$Arg_Error@@Object_ParseProcessRestoreSaveSizeTerminateTuple_Win_
String ID: Oi:TerminateProcess$TerminateProcess
API String ID: 169435591-979489166
Opcode ID: 7513ec52e482104be0a201bc308cd402fac4e587128924f578bdfab3f4f4bf7a
Instruction ID: 8ede846d9a8605c0b72777d6bcd29e361696c5ca13cda08014425d200aa7efc6
Opcode Fuzzy Hash: 7513ec52e482104be0a201bc308cd402fac4e587128924f578bdfab3f4f4bf7a
Instruction Fuzzy Hash: A111F1A1A18A82F2DB609B75E84486A6370FBC4B84F849032E94F83A34DF7CD515C704

Function 00007FFB0BC7C680 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 39threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7C6A5
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7C6C0
OpenProcess.KERNEL32 ref: 00007FFB0BC7C6D6
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7C6E2
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7C6FB

Strings

OpenProcess, xrefs: 00007FFB0BC7C6F4
kik:OpenProcess, xrefs: 00007FFB0BC7C69E

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_Thread$Arg_Error@@OpenParseProcessRestoreSaveSizeTuple_U_object@@Win_
String ID: OpenProcess$kik:OpenProcess
API String ID: 2644888850-1468941106
Opcode ID: 6f9092c1a1efae9175eb6a1b8b5bb1c0baf88efd90997053947709b6043a895e
Instruction ID: a85abc454601627438e12e89ba86b317184fb03e0625b179d544a0bba72484ba
Opcode Fuzzy Hash: 6f9092c1a1efae9175eb6a1b8b5bb1c0baf88efd90997053947709b6043a895e
Instruction Fuzzy Hash: 700100B5A1C782B2DA10DB21F84486A73A1FBC5B90F849031EA4E83F28DF7CE515CB04

Function 00007FFB0BC7C720 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 39threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7C745
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7C760
OpenThread.KERNEL32 ref: 00007FFB0BC7C776
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7C782
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7C79B

Strings

OpenThread, xrefs: 00007FFB0BC7C794
kik:OpenThread, xrefs: 00007FFB0BC7C73E

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Thread$Eval_$Arg_Error@@OpenParseRestoreSaveSizeTuple_U_object@@Win_
String ID: OpenThread$kik:OpenThread
API String ID: 4237428625-2332112476
Opcode ID: 4b7b7e368a47aa9c4fbec6eb78196632c05c95ef22576500e77094d26b34fd47
Instruction ID: ac1161fe387f0c76c49b32695a0878324e329028773f61a0db9db20ad685f9b2
Opcode Fuzzy Hash: 4b7b7e368a47aa9c4fbec6eb78196632c05c95ef22576500e77094d26b34fd47
Instruction Fuzzy Hash: 7D0112B5A1C782B2DA119B21F80486A73A1FBC5BD0F849035EA4E83F28DF3CE415CB04

Function 00007FFB0BC79720 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 39threadregistryCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC79733
?PyWinObject_AsHKEY@@YAHPEAU_object@@PEAPEAUHKEY__@@@Z.PYWINTYPES311 ref: 00007FFB0BC79747
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7975B
RegFlushKey.ADVAPI32 ref: 00007FFB0BC79769
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC79774
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7978C

Strings

O:RegFlushKey, xrefs: 00007FFB0BC7972C
RegFlushKey, xrefs: 00007FFB0BC79785

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_ThreadU_object@@$Arg_Error@@FlushObject_ParseRestoreSaveSizeTuple_Win_Y__@@@
String ID: O:RegFlushKey$RegFlushKey
API String ID: 1527289935-1521764102
Opcode ID: bc88479b207027c21975a7d0382a9051ee2db4d0e93f6c0e34a2fe6b0d3e3ac0
Instruction ID: d45eff06ae0cb1048924972a8b22a94dcf96e00f333b17296b50f667e6e53d4a
Opcode Fuzzy Hash: bc88479b207027c21975a7d0382a9051ee2db4d0e93f6c0e34a2fe6b0d3e3ac0
Instruction Fuzzy Hash: 7B1100A5A18A82B1DA209F35E84486963B0FBC9F84F889031EA4F87F38CF3CD555C704

Function 00007FFB0BC737F0 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 38threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC73803
?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z.PYWINTYPES311 ref: 00007FFB0BC73817
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7382B
FindCloseChangeNotification.KERNEL32 ref: 00007FFB0BC73839
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC73844
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC73861

Strings

O:FindCloseChangeNotification, xrefs: 00007FFB0BC737FC
FindCloseChangeNotification, xrefs: 00007FFB0BC7385A

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_ThreadU_object@@$Arg_ChangeCloseError@@FindNotificationObject_ParseRestoreSaveSizeTuple_Win_
String ID: FindCloseChangeNotification$O:FindCloseChangeNotification
API String ID: 1898143723-4193707565
Opcode ID: c61b7dc3d6a9acdac4a1e5556760f9fe32032b53aeff6d935503e5aba291a435
Instruction ID: 2b46283816c5c9e5a82091938f10d8c1b527ab93fc8006783a0534e9e7b0a08d
Opcode Fuzzy Hash: c61b7dc3d6a9acdac4a1e5556760f9fe32032b53aeff6d935503e5aba291a435
Instruction Fuzzy Hash: 40010CA1B18A86B1DA249B36E88486963B0FBC4B85F449032EA4F83A34DF3CD5558704

Function 00007FFB0BC7CB20 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7CB38
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC7CB52
BeginUpdateResourceW.KERNEL32 ref: 00007FFB0BC7CB6A
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7CB78
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7CB8C
?PyWinLong_FromHANDLE@@YAPEAU_object@@PEAX@Z.PYWINTYPES311 ref: 00007FFB0BC7CB9F

Strings

BeginUpdateResource, xrefs: 00007FFB0BC7CB85
Oi:BeginUpdateResource, xrefs: 00007FFB0BC7CB2C

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: U_object@@$Object_$Arg_BeginError@@FreeFromLong_ParseResourceSizeTuple_UpdateWin_
String ID: BeginUpdateResource$Oi:BeginUpdateResource
API String ID: 3916091879-1342297044
Opcode ID: 9408ce59606db42375068bcc399344387d55017de48af5de323cbcefdcec8745
Instruction ID: e2a3f2795e484ecd666aefd483570673a422117ca7cfa4687b45ca8b2154a256
Opcode Fuzzy Hash: 9408ce59606db42375068bcc399344387d55017de48af5de323cbcefdcec8745
Instruction Fuzzy Hash: EC01E565B18A83B2DA209F71E84596A6760FBC4B54F849031E94F87A34DF7CD159CB04

Function 00007FFB0BC74DA0 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC74DB3
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC74DCD
GetFileAttributesW.KERNEL32 ref: 00007FFB0BC74DE1
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC74DEE
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC74E02
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC74E1B

Strings

O:GetFileAttributes, xrefs: 00007FFB0BC74DAC
GetFileAttributes, xrefs: 00007FFB0BC74DFB

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Object_SizeU_object@@$Arg_AttributesBuildError@@FileFreeParseTuple_Value_Win_
String ID: GetFileAttributes$O:GetFileAttributes
API String ID: 1402688794-3778796171
Opcode ID: f6733de66a9b7fef26b53aff8b8641a2bff713fe99aa2bca168489213d5ef016
Instruction ID: 7e66abf819c1829a81bb67f01153531fafd834d2b89e4f218c2b7e2f8eb60e1a
Opcode Fuzzy Hash: f6733de66a9b7fef26b53aff8b8641a2bff713fe99aa2bca168489213d5ef016
Instruction Fuzzy Hash: 1E0180A5B08A42B2EB349B35F88096A6360FBC8B55F849131DA4F82F74DE3CD559C704

Function 00007FFB0BC747D0 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 33threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC747DE
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC747F9
GetCursorPos.USER32 ref: 00007FFB0BC74807
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC74812
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7482F

Strings

GetCursorPos, xrefs: 00007FFB0BC74828
:GetCursorPos, xrefs: 00007FFB0BC747D7

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_Thread$Arg_CursorError@@ParseRestoreSaveSizeTuple_U_object@@Win_
String ID: :GetCursorPos$GetCursorPos
API String ID: 512981923-1774093815
Opcode ID: 473c40fdc74306b6c6975737fe076d1ac4ca392ad76fa4557da50d2a95954f82
Instruction ID: 470ce396283b7c2b3301b54b71b881a00e43a4660679022381d1db840eaeb5d9
Opcode Fuzzy Hash: 473c40fdc74306b6c6975737fe076d1ac4ca392ad76fa4557da50d2a95954f82
Instruction Fuzzy Hash: 620121A4B19683B2DA249B32F88486963A5FFC4B45F849031D64F83F34DF3CD5158704

Function 00007FFB0B2516E0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 129COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON311 ref: 00007FFB0B2517C0
PyUnicode_FromString.PYTHON311 ref: 00007FFB0B251824
_PyArg_BadArgument.PYTHON311 ref: 00007FFB0B25391A
_PyUnicode_Ready.PYTHON311 ref: 00007FFB0B25392B

Strings

argument, xrefs: 00007FFB0B25390C
category, xrefs: 00007FFB0B253913
a unicode character, xrefs: 00007FFB0B253905

Memory Dump Source

Source File: 00000008.00000002.2569480327.00007FFB0B251000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFB0B250000, based on PE: true

Associated: 00000008.00000002.2569434452.00007FFB0B250000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B255000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2B2000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2FE000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B301000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B306000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B360000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569948940.00007FFB0B363000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569977529.00007FFB0B365000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b250000_Payload.jbxd

Similarity

API ID: Unicode_$Arg_ArgumentFromReadyStringSubtypeType_
String ID: a unicode character$argument$category
API String ID: 2803103377-2068800536
Opcode ID: c9d1e3034f28ed3d090bffcd2b1c2b74113939870b399ed50bdb72791e912429
Instruction ID: 0809bc8ebfe961ff9acdff4a1edfd2197a83c55b470a5d0f90675f2ed644eb87
Opcode Fuzzy Hash: c9d1e3034f28ed3d090bffcd2b1c2b74113939870b399ed50bdb72791e912429
Instruction Fuzzy Hash: 9451E1E2A08A4782EB249B29D454FB92BA1EB44B85F14C435DA4FD73B4DF3CE855C304

Function 00007FFB0A8B9560 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

PyUnicode_New.PYTHON311(?,?,?,?,?,00007FFB0C3736E0,00000000,00007FFB0A8B2BC8), ref: 00007FFB0A8B957A
_PyUnicode_Ready.PYTHON311(?,?,?,?,?,00007FFB0C3736E0,00000000,00007FFB0A8B2BC8), ref: 00007FFB0A8B9619
memcpy.VCRUNTIME140(?,?,?,?,?,00007FFB0C3736E0,00000000,00007FFB0A8B2BC8), ref: 00007FFB0A8B968D

Strings

join() result is too long for a Python string, xrefs: 00007FFB0A8B96EC

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Unicode_$Readymemcpy
String ID: join() result is too long for a Python string
API String ID: 1655386745-3415320053
Opcode ID: acd39e08a73fda63dc99f828713df8b1760fbdd68455438beee5bb79f2a84ee4
Instruction ID: d0c19f571da75b343b43d0ffa68351865101636d3012541dfdb01ad83074db1a
Opcode Fuzzy Hash: acd39e08a73fda63dc99f828713df8b1760fbdd68455438beee5bb79f2a84ee4
Instruction Fuzzy Hash: 354162B3A28B4286EA148B25E440E797798BB45BE4F540A75DF6E077D4DF3CD845C700

Function 00007FFB0B251590 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 112COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON311 ref: 00007FFB0B251668
PyUnicode_FromString.PYTHON311 ref: 00007FFB0B25168D
_PyArg_BadArgument.PYTHON311 ref: 00007FFB0B2538AE
_PyUnicode_Ready.PYTHON311 ref: 00007FFB0B2538BE

Strings

argument, xrefs: 00007FFB0B2538A0
a unicode character, xrefs: 00007FFB0B253899
bidirectional, xrefs: 00007FFB0B2538A7

Memory Dump Source

Source File: 00000008.00000002.2569480327.00007FFB0B251000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFB0B250000, based on PE: true

Associated: 00000008.00000002.2569434452.00007FFB0B250000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B255000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2B2000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2FE000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B301000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B306000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B360000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569948940.00007FFB0B363000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569977529.00007FFB0B365000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b250000_Payload.jbxd

Similarity

API ID: Unicode_$Arg_ArgumentFromReadyStringSubtypeType_
String ID: a unicode character$argument$bidirectional
API String ID: 2803103377-2110215792
Opcode ID: 79e1f8ae2df2e93481f857dbc231cf2a034c20faf15badcceea9109bcd0af3e1
Instruction ID: 50e0574f404ba86f9afac47575cb59b7b8db214663f0183bce4be075fbcf0be3
Opcode Fuzzy Hash: 79e1f8ae2df2e93481f857dbc231cf2a034c20faf15badcceea9109bcd0af3e1
Instruction Fuzzy Hash: 3741D0A1B1864382EB589B35C454FB92BA1EB48B85F58C535DA4FD72B4DF3CE8958300

Function 00007FFB0B254498 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON311 ref: 00007FFB0B2544CF
PyUnicode_FromString.PYTHON311 ref: 00007FFB0B2544EB
memcpy.VCRUNTIME140 ref: 00007FFB0B254567
PyOS_snprintf.PYTHON311 ref: 00007FFB0B2545A9
PyUnicode_FromStringAndSize.PYTHON311 ref: 00007FFB0B2545D6

Strings

, xrefs: 00007FFB0B25457F
%04X, xrefs: 00007FFB0B254594

Memory Dump Source

Source File: 00000008.00000002.2569480327.00007FFB0B251000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFB0B250000, based on PE: true

Associated: 00000008.00000002.2569434452.00007FFB0B250000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B255000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2B2000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2FE000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B301000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B306000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B360000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569948940.00007FFB0B363000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569977529.00007FFB0B365000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b250000_Payload.jbxd

Similarity

API ID: FromStringUnicode_$S_snprintfSizeSubtypeType_memcpy
String ID: $%04X
API String ID: 762632776-4013080060
Opcode ID: 86c188bc8851d71fee5143397eab43a3575e426cb52b14b86a1d2f1ad77da2b4
Instruction ID: 89653aef0df0989e65714e8bffe927f5f3e13dc250a5314ed6f44d63e022b4bc
Opcode Fuzzy Hash: 86c188bc8851d71fee5143397eab43a3575e426cb52b14b86a1d2f1ad77da2b4
Instruction Fuzzy Hash: DF31C7E2A1898241EB21AB24D814FB96BA1FF54B94F448335C96F877E8DF3CE585C300

Function 00007FFB0A8B99B0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

PyGC_Disable.PYTHON311(?,?,00000001,00007FFB0A8B7738), ref: 00007FFB0A8B9A1A
PyType_Ready.PYTHON311(?,?,00000001,00007FFB0A8B7738), ref: 00007FFB0A8B9A2F
PyGC_Enable.PYTHON311(?,?,00000001,00007FFB0A8B7738), ref: 00007FFB0A8B9A4A
PyErr_Format.PYTHON311(?,?,00000001,00007FFB0A8B7738), ref: 00007FFB0A8B9A75
PyErr_Format.PYTHON311(?,?,00000001,00007FFB0A8B7738), ref: 00007FFB0A8B9A9B

Strings

extension type '%.200s' has no __dict__ slot, but base type '%.200s' has: either add 'cdef dict __dict__' to the extension type or add '__slots__ = [...]' to the base type, xrefs: 00007FFB0A8B9A64
base class '%.200s' is not a heap type, xrefs: 00007FFB0A8B9A8D

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Err_Format$DisableEnableReadyType_
String ID: base class '%.200s' is not a heap type$extension type '%.200s' has no __dict__ slot, but base type '%.200s' has: either add 'cdef dict __dict__' to the extension type or add '__slots__ = [...]' to the base type
API String ID: 1172866183-1088126419
Opcode ID: b6ea4228526c8cfa56567974f304f9a6b435af26dd291d63358df5bef4b4df74
Instruction ID: a9cc48498dbc5f799e2870ecda8f8b40dcaebe545ab7f6856bfc8d0dbc634a8b
Opcode Fuzzy Hash: b6ea4228526c8cfa56567974f304f9a6b435af26dd291d63358df5bef4b4df74
Instruction Fuzzy Hash: 6821C1B3F24B4282EB448B69E445DA93364FB49BA4F141972EE6E473E5DF3CE4958300

Function 00007FFB0A8B9340 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

PyDict_Next.PYTHON311 ref: 00007FFB0A8B938C
PyDict_Next.PYTHON311 ref: 00007FFB0A8B93BB
PyErr_Format.PYTHON311 ref: 00007FFB0A8B93E7
PyErr_Format.PYTHON311 ref: 00007FFB0A8B940D

Strings

__reduce_cython__, xrefs: 00007FFB0A8B93D6, 00007FFB0A8B93FC
%s() got an unexpected keyword argument '%U', xrefs: 00007FFB0A8B93DD
%.200s() keywords must be strings, xrefs: 00007FFB0A8B9403

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Dict_Err_FormatNext
String ID: %.200s() keywords must be strings$%s() got an unexpected keyword argument '%U'$__reduce_cython__
API String ID: 4074058445-4273115525
Opcode ID: 703e765f3accd6ae7ea669064a64f22bf775b320f952d61a525b506f811de20d
Instruction ID: 7e2c128728a5fda7dfbc5dd08ce3c3a50dbce193f074e93f7dc3253e2f09ed84
Opcode Fuzzy Hash: 703e765f3accd6ae7ea669064a64f22bf775b320f952d61a525b506f811de20d
Instruction Fuzzy Hash: 5B2156A3A28B4291EB548F65E444FB673A4FB84B48F546471EA4E476E4DF3CD489C700

Function 00007FFB0BC77690 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FFB0BC776BC
_PyArg_ParseTupleAndKeywords_SizeT.PYTHON311 ref: 00007FFB0BC77701

Strings

kk|k:SetSystemFileCacheSize, xrefs: 00007FFB0BC776ED
%s is not available on this platform, xrefs: 00007FFB0BC776B2
SetSystemFileCacheSize, xrefs: 00007FFB0BC776AB, 00007FFB0BC7772D

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Arg_Err_FormatKeywords_ParseSizeTuple
String ID: %s is not available on this platform$SetSystemFileCacheSize$kk|k:SetSystemFileCacheSize
API String ID: 318405110-505259323
Opcode ID: 52a8b8962502f2b1fd758cf885d9975139b01c0a2fad1603d505daea9a6dcbad
Instruction ID: c3f0446d3bc076de3ac0ee23a1122b646760b87457fb27b09aeaf2913426af5f
Opcode Fuzzy Hash: 52a8b8962502f2b1fd758cf885d9975139b01c0a2fad1603d505daea9a6dcbad
Instruction Fuzzy Hash: CC110DA5A08A46B1EA609B25E844A6533B0FBD4B84F909136DA4EC3E34DF3CE559CB04

Function 00007FFB0BC7C230 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 43threadtimeCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7C24D
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7C270
GetSystemTime.KERNEL32 ref: 00007FFB0BC7C27E
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7C287
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC7C2D6

Strings

(hhhhhhhh), xrefs: 00007FFB0BC7C2C1
:GetSystemTime, xrefs: 00007FFB0BC7C246

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_SizeThread$Arg_BuildParseRestoreSaveSystemTimeTuple_Value_
String ID: (hhhhhhhh)$:GetSystemTime
API String ID: 3355048987-484796045
Opcode ID: a70e8385e3296c017863e88000e8675f6e40dadd2fe5697f753898b7719287be
Instruction ID: 86685a9d12bfe73efda7be8c37837aa7c7f02ce4d01281790e66c9f0089ed7aa
Opcode Fuzzy Hash: a70e8385e3296c017863e88000e8675f6e40dadd2fe5697f753898b7719287be
Instruction Fuzzy Hash: E0112CB2A18692A3D7509F61F85143AB3A1FBC4B51F405036FA8E82E68EF7CD018DB10

Function 00007FFB0B2541C8 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 40COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON311 ref: 00007FFB0B254201
_PyUnicode_Ready.PYTHON311 ref: 00007FFB0B254214
PyErr_Occurred.PYTHON311 ref: 00007FFB0B25423E
PyLong_FromLong.PYTHON311 ref: 00007FFB0B25424B

Strings

argument, xrefs: 00007FFB0B2541F3
combining, xrefs: 00007FFB0B2541FA
a unicode character, xrefs: 00007FFB0B2541EC

Memory Dump Source

Source File: 00000008.00000002.2569480327.00007FFB0B251000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFB0B250000, based on PE: true

Associated: 00000008.00000002.2569434452.00007FFB0B250000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B255000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2B2000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2FE000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B301000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B306000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B360000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569948940.00007FFB0B363000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569977529.00007FFB0B365000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b250000_Payload.jbxd

Similarity

API ID: Arg_ArgumentErr_FromLongLong_OccurredReadyUnicode_
String ID: a unicode character$argument$combining
API String ID: 3097524968-4202047184
Opcode ID: 8dcec4442920f3b8f18acdd6a11acb662b49feb7bbe0bfb657696819d5b5ca8f
Instruction ID: 34a44ff285e36082c99fd22f9a7023faf42fa003326cf3f0dda9acb0e6d1a84e
Opcode Fuzzy Hash: 8dcec4442920f3b8f18acdd6a11acb662b49feb7bbe0bfb657696819d5b5ca8f
Instruction Fuzzy Hash: 2101C4A0A0864B86EA54BB71E845E746AA0AF59B94F54D134D93FC73B8DF3CE4C48300

Function 00007FFB0B254A44 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 40COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON311 ref: 00007FFB0B254A7D
_PyUnicode_Ready.PYTHON311 ref: 00007FFB0B254A90
PyErr_Occurred.PYTHON311 ref: 00007FFB0B254ABA
PyLong_FromLong.PYTHON311 ref: 00007FFB0B254AC7

Strings

argument, xrefs: 00007FFB0B254A6F
a unicode character, xrefs: 00007FFB0B254A68
mirrored, xrefs: 00007FFB0B254A76

Memory Dump Source

Source File: 00000008.00000002.2569480327.00007FFB0B251000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFB0B250000, based on PE: true

Associated: 00000008.00000002.2569434452.00007FFB0B250000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B255000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2B2000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2FE000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B301000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B306000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B360000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569948940.00007FFB0B363000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569977529.00007FFB0B365000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b250000_Payload.jbxd

Similarity

API ID: Arg_ArgumentErr_FromLongLong_OccurredReadyUnicode_
String ID: a unicode character$argument$mirrored
API String ID: 3097524968-4001128513
Opcode ID: c10d4c018a97ffc3e2d3961057942d7e2c7a14af83ba5a253b81f33c79b69d04
Instruction ID: 190da5c2b936ac304157da8dca86232d49f3e4484cbf350f62b5f6c889f8526c
Opcode Fuzzy Hash: c10d4c018a97ffc3e2d3961057942d7e2c7a14af83ba5a253b81f33c79b69d04
Instruction Fuzzy Hash: 570161A0E0864346EA94BB32E854EB86A50EF59BA4F54D135D92FC63B8DF3CE4848344

Function 00007FFB0BC7E1C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 39keyboardCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7E1F1
MapVirtualKeyW.USER32 ref: 00007FFB0BC7E20D
PyLong_FromLong.PYTHON311 ref: 00007FFB0BC7E215
?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z.PYWINTYPES311 ref: 00007FFB0BC7E225
MapVirtualKeyExW.USER32 ref: 00007FFB0BC7E23C
PyLong_FromLong.PYTHON311 ref: 00007FFB0BC7E244

Strings

ii|O, xrefs: 00007FFB0BC7E1E7

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: FromLongLong_Virtual$Arg_Object_ParseSizeTuple_U_object@@
String ID: ii|O
API String ID: 3909998583-1166409153
Opcode ID: d7d8f1ec0c27ad4c8a49dfe6f4742cb426916d21da93dca2aa4590d7e968df43
Instruction ID: cce6cef7d0fbc1995a5ccea99567d6cc7eb48afdd22c69ca14830264402bf198
Opcode Fuzzy Hash: d7d8f1ec0c27ad4c8a49dfe6f4742cb426916d21da93dca2aa4590d7e968df43
Instruction Fuzzy Hash: 95011EB6B1C782A2DA549B60F85486A7361FBC5B80F40A035F94F83B64DE3CE955CB00

Function 00007FFB0BC7B5E0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 37threadprocessCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7B600
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7B61B
WinExec.KERNEL32 ref: 00007FFB0BC7B62D
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7B638
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7B651

Strings

s|i:WinExec, xrefs: 00007FFB0BC7B5EF
WinExec, xrefs: 00007FFB0BC7B64A

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_Thread$Arg_Error@@ExecParseRestoreSaveSizeTuple_U_object@@Win_
String ID: WinExec$s|i:WinExec
API String ID: 1160648114-1679636345
Opcode ID: 066d0be5e83cc2c24963e0651ee565d7ec04af4bc1a3f7f2476ad78855360603
Instruction ID: dfa189235d3869673dc39583d81650de540e060387190c1f7cd91f69853293a8
Opcode Fuzzy Hash: 066d0be5e83cc2c24963e0651ee565d7ec04af4bc1a3f7f2476ad78855360603
Instruction Fuzzy Hash: 3E01E5A5A18A82F2D624DB25EC448696371FBC9B84F945131EA4F83B38DF3CD555C704

Function 00007FFB0BC7BDC0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 37threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7BDE5
?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z.PYWINTYPES311 ref: 00007FFB0BC7BDF9
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7BE0D
SetWindowWord.USER32 ref: 00007FFB0BC7BE25
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7BE31
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC7BE40

Strings

OiH:SetWindowWord, xrefs: 00007FFB0BC7BDDE

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_SizeThread$Arg_BuildObject_ParseRestoreSaveTuple_U_object@@Value_WindowWord
String ID: OiH:SetWindowWord
API String ID: 2633201906-1636800532
Opcode ID: a7f3ace7ac768300c2203b929bcc186af05ca56306aea5ce0f9df8facddd7da1
Instruction ID: 4d8481656f8e12818397b64531937ce6d8ef8e034538843b92baa1c95da62e42
Opcode Fuzzy Hash: a7f3ace7ac768300c2203b929bcc186af05ca56306aea5ce0f9df8facddd7da1
Instruction Fuzzy Hash: 0501FEA5A18B82A2DB109B21E94446A63A1FBC4B90F445032EA8F83B68DF3CD405CB00

Function 00007FFB0BC73C30 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 35threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC73C48
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC73C63
GenerateConsoleCtrlEvent.KERNEL32 ref: 00007FFB0BC73C74
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC73C7F
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC73C9C

Strings

ll:GenerateConsoleCtrlEvent, xrefs: 00007FFB0BC73C3C
GenerateConsoleCtrlEvent, xrefs: 00007FFB0BC73C95

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_Thread$Arg_ConsoleCtrlError@@EventGenerateParseRestoreSaveSizeTuple_U_object@@Win_
String ID: GenerateConsoleCtrlEvent$ll:GenerateConsoleCtrlEvent
API String ID: 3984065460-3675785453
Opcode ID: f7e634db51fa59fce4bf3074a7d51fbd6d042d8048c0623caaddd674fe3e3759
Instruction ID: 3615242a0a19b8d1499d742d803a9b149b68630e3dfc6c5095b046446b46e9a9
Opcode Fuzzy Hash: f7e634db51fa59fce4bf3074a7d51fbd6d042d8048c0623caaddd674fe3e3759
Instruction Fuzzy Hash: 480104A5A18682B2D6549B35F88486963B1FBC9B85F849031E64F83B34DF3CD555C704

Function 00007FFB0BC7B220 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 35threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7B238
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7B253
SetCursorPos.USER32 ref: 00007FFB0BC7B264
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7B26F
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7B28C

Strings

(ii):SetCursorPos, xrefs: 00007FFB0BC7B22C
SetCursorPos, xrefs: 00007FFB0BC7B285

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_Thread$Arg_CursorError@@ParseRestoreSaveSizeTuple_U_object@@Win_
String ID: (ii):SetCursorPos$SetCursorPos
API String ID: 512981923-2583399437
Opcode ID: 8919b500bba63f5ccbf87ee7c17ad460f7d3c2aff0fbe7a5cf41bf571b661337
Instruction ID: 1d93756fac9ab54775df946b6425f7a4379e773069e6140adaa8279bf53396f2
Opcode Fuzzy Hash: 8919b500bba63f5ccbf87ee7c17ad460f7d3c2aff0fbe7a5cf41bf571b661337
Instruction Fuzzy Hash: 470104A5A19A82B2D6549B35E88486963B1FBD4B85F849031E64F83F34CF3CD5568704

Function 00007FFB0BC727F0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 35threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC72808
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC72823
Beep.KERNEL32 ref: 00007FFB0BC72834
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7283F
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7285C

Strings

Beep, xrefs: 00007FFB0BC72855
ii:Beep, xrefs: 00007FFB0BC727FC

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_Thread$Arg_BeepError@@ParseRestoreSaveSizeTuple_U_object@@Win_
String ID: Beep$ii:Beep
API String ID: 2893205920-3516216599
Opcode ID: 6f3b99d1c6eeba342e9e7fb125e76ead648ffb48493b092a212f0e3fb3c4416b
Instruction ID: 5e540d1e45608fd3c927d7ba2656769c9aeb24df9eefc6ab4257ea5d50a712c5
Opcode Fuzzy Hash: 6f3b99d1c6eeba342e9e7fb125e76ead648ffb48493b092a212f0e3fb3c4416b
Instruction Fuzzy Hash: 4E01C4A5A18682B2D7549B35E98486963B1FBC5F84F849032E64F83B34DF3CD5568704

Function 00007FFB0BC7B9F0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7BA0B
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7BA26
MessageBeep.USER32 ref: 00007FFB0BC7BA33
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7BA3E
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7BA5B

Strings

MessageBeep, xrefs: 00007FFB0BC7BA54
|i:MessageBeep, xrefs: 00007FFB0BC7B9FF

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_Thread$Arg_BeepError@@MessageParseRestoreSaveSizeTuple_U_object@@Win_
String ID: MessageBeep$|i:MessageBeep
API String ID: 2382553131-984191393
Opcode ID: c50c3c52b5091adb1786f819b5eddc53f359077fdcbcd07375069b6b31cb52c8
Instruction ID: dcc94b7c125761004478628b450f3f3165344dab212a3e270626f8261d620ceb
Opcode Fuzzy Hash: c50c3c52b5091adb1786f819b5eddc53f359077fdcbcd07375069b6b31cb52c8
Instruction Fuzzy Hash: 250112A5B18A82B2D7649B36E88496963B0FB88B84F849031D64F83B34DF3CD5558704

Function 00007FFB0BC7E050 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7E070
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC7E08A
LoadKeyboardLayoutW.USER32 ref: 00007FFB0BC7E09D
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7E0B1
?PyWinLong_FromHANDLE@@YAPEAU_object@@PEAX@Z.PYWINTYPES311 ref: 00007FFB0BC7E0BF

Strings

LoadKeyboardLayout, xrefs: 00007FFB0BC7E0AA
O|k:LoadKeyboardLayout, xrefs: 00007FFB0BC7E05F

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: U_object@@$Arg_Error@@FromKeyboardLayoutLoadLong_Object_ParseSizeTuple_Win_
String ID: LoadKeyboardLayout$O|k:LoadKeyboardLayout
API String ID: 1396079603-2653305174
Opcode ID: bd0712267df5e1c8609372e8510e0bb43f20f7d5284f7f1bd798bbf39287abaf
Instruction ID: f819fac81121e0f82943547be8ac42ef17f5cbe6a746c1151ff2d521db9ac17d
Opcode Fuzzy Hash: bd0712267df5e1c8609372e8510e0bb43f20f7d5284f7f1bd798bbf39287abaf
Instruction Fuzzy Hash: 80012CA1B18983B2EA209B70E854AA66360FBC4B44F809035D94F87E74DE7CD119CB00

Function 00007FFB0BC7BC80 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 32threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7BC98
?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z.PYWINTYPES311 ref: 00007FFB0BC7BCAC
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7BCC0
GetWindowLongPtrW.USER32 ref: 00007FFB0BC7BCD2
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7BCDE
?PyWinLong_FromVoidPtr@@YAPEAU_object@@PEBX@Z.PYWINTYPES311 ref: 00007FFB0BC7BCE7

Strings

Oi:GetWindowLong, xrefs: 00007FFB0BC7BC8C

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_ThreadU_object@@$Arg_FromLongLong_Object_ParsePtr@@RestoreSaveSizeTuple_VoidWindow
String ID: Oi:GetWindowLong
API String ID: 2053776301-643273479
Opcode ID: c5dd030d9491b4f5308a555adbb38401b0deb61857bbefa988be1dd1c3554b4a
Instruction ID: 23cb5f78a9f7af173386563bd906747c7f907fab373787ba733f408058af2ee2
Opcode Fuzzy Hash: c5dd030d9491b4f5308a555adbb38401b0deb61857bbefa988be1dd1c3554b4a
Instruction Fuzzy Hash: 8201E1A5618AC2B2DA209F61F84486AA361FBC4B90F449032EE8F87F38DF7CD505C704

Function 00007FFB0BC7C5F0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 32threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7C603
?PyWinObject_AsWCHAR@@YAHPEAU_object@@PEAPEA_WHPEAK@Z.PYWINTYPES311 ref: 00007FFB0BC7C61D
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7C62C
OutputDebugStringW.KERNEL32 ref: 00007FFB0BC7C63A
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7C643
?PyWinObject_FreeWCHAR@@YAXPEA_W@Z.PYWINTYPES311 ref: 00007FFB0BC7C64E

Strings

O:OutputDebugString, xrefs: 00007FFB0BC7C5FC

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_Object_Thread$Arg_DebugFreeOutputParseRestoreSaveSizeStringTuple_U_object@@
String ID: O:OutputDebugString
API String ID: 1374511503-3429311566
Opcode ID: 7da2f7cb3979b47906d5b9182c048e6008f64610103045b1ccf8a23c0755d8ca
Instruction ID: 64a96a9eb724cc6c1c10b36deeadf70ab739a99faaee2c934c92686ebc3ebc99
Opcode Fuzzy Hash: 7da2f7cb3979b47906d5b9182c048e6008f64610103045b1ccf8a23c0755d8ca
Instruction Fuzzy Hash: FF01DAA5A18A83B1EA209B35F8849696370FBC9F85F54A132EA4F87B34CE2CD455C704

Function 00007FFB0BC74860 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 30threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC74873
?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z.PYWINTYPES311 ref: 00007FFB0BC74887
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7489B
SetCursor.USER32 ref: 00007FFB0BC748A9
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC748B5
?PyWinLong_FromHANDLE@@YAPEAU_object@@PEAX@Z.PYWINTYPES311 ref: 00007FFB0BC748BE

Strings

O:SetCursor, xrefs: 00007FFB0BC7486C

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_ThreadU_object@@$Arg_CursorFromLong_Object_ParseRestoreSaveSizeTuple_
String ID: O:SetCursor
API String ID: 4286903068-3909396347
Opcode ID: cdb8e9cd6ed7ad4fd1bec1f24b997d2626215a2a4fbfcb06217f550d551bb5b3
Instruction ID: 905f9a24049b648a169305f7b3372c30c683b2ae53ef6ae00a6b15e5b8fbe505
Opcode Fuzzy Hash: cdb8e9cd6ed7ad4fd1bec1f24b997d2626215a2a4fbfcb06217f550d551bb5b3
Instruction Fuzzy Hash: F5F012A5A0DA87B2DA249B21F84496963A0FBC9F81F445031EA4F83B28DF3CD455C744

Function 00007FFB0B2511D0 Relevance: 10.8, APIs: 7, Instructions: 321COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB0B2518A0: PyMem_Malloc.PYTHON311 ref: 00007FFB0B25190B
Part of subcall function 00007FFB0B2518A0: PyType_IsSubtype.PYTHON311 ref: 00007FFB0B2519F5
Part of subcall function 00007FFB0B2518A0: PyType_IsSubtype.PYTHON311 ref: 00007FFB0B251A52

PyMem_Malloc.PYTHON311 ref: 00007FFB0B251252
PyMem_Free.PYTHON311 ref: 00007FFB0B25136E
PyErr_NoMemory.PYTHON311 ref: 00007FFB0B25387A
_Py_Dealloc.PYTHON311 ref: 00007FFB0B253889

Memory Dump Source

Source File: 00000008.00000002.2569480327.00007FFB0B251000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFB0B250000, based on PE: true

Associated: 00000008.00000002.2569434452.00007FFB0B250000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B255000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2B2000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2FE000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B301000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B306000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B360000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569948940.00007FFB0B363000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569977529.00007FFB0B365000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b250000_Payload.jbxd

Similarity

API ID: Mem_$MallocSubtypeType_$DeallocErr_FreeMemory
String ID:
API String ID: 4139299733-0
Opcode ID: b618ed634e65c7a0afdbbdfe658f43664214b0bdfe946ac4b4ba603eb4efd133
Instruction ID: d65209f65a1f14237c3f8167de1b632b8489511dbc6d21304d0d148c848c9640
Opcode Fuzzy Hash: b618ed634e65c7a0afdbbdfe658f43664214b0bdfe946ac4b4ba603eb4efd133
Instruction Fuzzy Hash: 96D1DBF2E1CA5381EA24EB34D054EB96BA5FB44781F149131DA9FD66A0EF7CE852C700

Function 00007FFB0A8B8820 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

_PyUnicode_Ready.PYTHON311(?,GenericAlias,00000000,00007FFB0A8B12CE), ref: 00007FFB0A8B88B6
_PyUnicode_Ready.PYTHON311(?,GenericAlias,00000000,00007FFB0A8B12CE), ref: 00007FFB0A8B88CD
memcmp.VCRUNTIME140(?,GenericAlias,00000000,00007FFB0A8B12CE), ref: 00007FFB0A8B8995
PyObject_RichCompare.PYTHON311(?,GenericAlias,00000000,00007FFB0A8B12CE), ref: 00007FFB0A8B89CF
_Py_Dealloc.PYTHON311(?,GenericAlias,00000000,00007FFB0A8B12CE), ref: 00007FFB0A8B89F0

Strings

GenericAlias, xrefs: 00007FFB0A8B8830

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: ReadyUnicode_$CompareDeallocObject_Richmemcmp
String ID: GenericAlias
API String ID: 3230557407-1606616032
Opcode ID: a90afca5314dd3e1192a8a44aa499bcd2ff85b0bdce9d51eac79fc504b67b8c9
Instruction ID: ef057a8f974a8da97254210ac36496ff522b98a7427e81c55ec620ebe1bbb48f
Opcode Fuzzy Hash: a90afca5314dd3e1192a8a44aa499bcd2ff85b0bdce9d51eac79fc504b67b8c9
Instruction Fuzzy Hash: 0451C4A3B287468AEF688A36C550E3927ACEF04BA4F080A75DE5D476D4DF3CF4918301

Function 00007FFB0A8BAE20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

PyTuple_GetSlice.PYTHON311 ref: 00007FFB0A8BAE80
PyTuple_GetItem.PYTHON311 ref: 00007FFB0A8BAE93
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BAEA7
PyErr_Format.PYTHON311 ref: 00007FFB0A8BAEC2

Part of subcall function 00007FFB0A8B9FF0: PyMem_Malloc.PYTHON311 ref: 00007FFB0A8BA042
Part of subcall function 00007FFB0A8B9FF0: PyErr_NoMemory.PYTHON311 ref: 00007FFB0A8BA050

Strings

unbound method %.200S() needs an argument, xrefs: 00007FFB0A8BAEB4

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Err_Tuple_$DeallocFormatItemMallocMem_MemorySlice
String ID: unbound method %.200S() needs an argument
API String ID: 405673786-4171235774
Opcode ID: d41f193f8a5622cd91b969e6d5f807b043b21dd9ba91e78023ba875371bb9922
Instruction ID: cba0ee57dce027460c50f47dbee53887c4285ffd09b7e883aba4653465c47b07
Opcode Fuzzy Hash: d41f193f8a5622cd91b969e6d5f807b043b21dd9ba91e78023ba875371bb9922
Instruction Fuzzy Hash: CA21A6A7A19B4286EA589F36E440DA9E368FB49FD4F084871DE4D07BA5DF3CE0468304

Function 00007FFB0B2542BC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 52COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON311 ref: 00007FFB0B2542F7
_PyArg_BadArgument.PYTHON311 ref: 00007FFB0B25432C
_PyUnicode_Ready.PYTHON311 ref: 00007FFB0B25433D

Strings

decimal, xrefs: 00007FFB0B2542F0, 00007FFB0B25431E
argument 1, xrefs: 00007FFB0B254325
a unicode character, xrefs: 00007FFB0B254317

Memory Dump Source

Source File: 00000008.00000002.2569480327.00007FFB0B251000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFB0B250000, based on PE: true

Associated: 00000008.00000002.2569434452.00007FFB0B250000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B255000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2B2000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2FE000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B301000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B306000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B360000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569948940.00007FFB0B363000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569977529.00007FFB0B365000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b250000_Payload.jbxd

Similarity

API ID: Arg_$ArgumentCheckPositionalReadyUnicode_
String ID: a unicode character$argument 1$decimal
API String ID: 3545102714-2474051849
Opcode ID: 37a4153ce9cd5952ba336a7a13e7d13d1a4106d113bef46bdc421c90457116d1
Instruction ID: a4112aba4c759d834c79ff217c9943f5c84e1691616733424a884e48b68c99a7
Opcode Fuzzy Hash: 37a4153ce9cd5952ba336a7a13e7d13d1a4106d113bef46bdc421c90457116d1
Instruction Fuzzy Hash: FE218471A0864395EB50BB21E440D69AB60FB54B88F68C031DA5EC7779CF3CE495C700

Function 00007FFB0B254B40 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 52COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON311 ref: 00007FFB0B254B7B
_PyArg_BadArgument.PYTHON311 ref: 00007FFB0B254BB0
_PyUnicode_Ready.PYTHON311 ref: 00007FFB0B254BC1

Strings

argument 1, xrefs: 00007FFB0B254BA9
name, xrefs: 00007FFB0B254B74, 00007FFB0B254BA2
a unicode character, xrefs: 00007FFB0B254B9B

Memory Dump Source

Source File: 00000008.00000002.2569480327.00007FFB0B251000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFB0B250000, based on PE: true

Associated: 00000008.00000002.2569434452.00007FFB0B250000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B255000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2B2000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2FE000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B301000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B306000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B360000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569948940.00007FFB0B363000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569977529.00007FFB0B365000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b250000_Payload.jbxd

Similarity

API ID: Arg_$ArgumentCheckPositionalReadyUnicode_
String ID: a unicode character$argument 1$name
API String ID: 3545102714-4190364640
Opcode ID: dd7e525c6f15f79c0475ece0fbfed555bc2cf029fe1f0485a725b85a65e47b36
Instruction ID: c60d03614df257c4aa3195c30e4b229605207a12fc919db7b32c5512018d3bcc
Opcode Fuzzy Hash: dd7e525c6f15f79c0475ece0fbfed555bc2cf029fe1f0485a725b85a65e47b36
Instruction Fuzzy Hash: 67215071E08A4786EA50FB21E480EA9AB60EB54B84F54C131DA9E87779CF38E995C700

Function 00007FFB0B254C90 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 52COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON311 ref: 00007FFB0B254CCB
_PyArg_BadArgument.PYTHON311 ref: 00007FFB0B254D00
_PyUnicode_Ready.PYTHON311 ref: 00007FFB0B254D11

Strings

argument 1, xrefs: 00007FFB0B254CF9
numeric, xrefs: 00007FFB0B254CC4, 00007FFB0B254CF2
a unicode character, xrefs: 00007FFB0B254CEB

Memory Dump Source

Source File: 00000008.00000002.2569480327.00007FFB0B251000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFB0B250000, based on PE: true

Associated: 00000008.00000002.2569434452.00007FFB0B250000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B255000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2B2000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2FE000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B301000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B306000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B360000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569948940.00007FFB0B363000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569977529.00007FFB0B365000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b250000_Payload.jbxd

Similarity

API ID: Arg_$ArgumentCheckPositionalReadyUnicode_
String ID: a unicode character$argument 1$numeric
API String ID: 3545102714-2385192657
Opcode ID: 35c9d41c65e7a6057b424292e649dab30af98cc9056b9a63245a5d832090e137
Instruction ID: 4f19ff23e26bd2c45bbd02ba0c53366f3f59973fee1c589bfc5dbdee8af34893
Opcode Fuzzy Hash: 35c9d41c65e7a6057b424292e649dab30af98cc9056b9a63245a5d832090e137
Instruction Fuzzy Hash: 752162B1A08A8785EB50FB22E840D79AB60FB54B84F58C031DA2E87779DF3CE495C700

Function 00007FFB0A8B8EB0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

Py_EnterRecursiveCall.PYTHON311(?,?,00000000,00007FFB0A8B2DA2), ref: 00007FFB0A8B8EF5

Strings

NULL result without error in PyObject_Call, xrefs: 00007FFB0A8B8F3C
while calling a Python object, xrefs: 00007FFB0A8B8EEE

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: CallEnterRecursive
String ID: while calling a Python object$NULL result without error in PyObject_Call
API String ID: 1136319644-1256585865
Opcode ID: 647695d14461b31d005455b646d4bed7a420022d9b95d7c94807ec8508f473b9
Instruction ID: cc3d02cd16bd46cca05fcec695a3f10a816e1412cf290d4cbd98cdded78171c6
Opcode Fuzzy Hash: 647695d14461b31d005455b646d4bed7a420022d9b95d7c94807ec8508f473b9
Instruction Fuzzy Hash: 5A112462B29B5281EB548B26F840D696368FB48FC4F4854B1EE4D577A5DE3CE4818B00

Function 00007FFB0A8B8FE0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

Py_EnterRecursiveCall.PYTHON311 ref: 00007FFB0A8B900F
Py_LeaveRecursiveCall.PYTHON311 ref: 00007FFB0A8B9036
PyErr_Occurred.PYTHON311 ref: 00007FFB0A8B9041
PyErr_SetString.PYTHON311 ref: 00007FFB0A8B905D

Strings

NULL result without error in PyObject_Call, xrefs: 00007FFB0A8B9053
while calling a Python object, xrefs: 00007FFB0A8B9008

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: CallErr_Recursive$EnterLeaveOccurredString
String ID: while calling a Python object$NULL result without error in PyObject_Call
API String ID: 1825350209-1256585865
Opcode ID: 74ad50c0eaf89a1a26d071ac2c0318fcfe7efa3452e9185c7366b407fcc63e95
Instruction ID: 69e54b348f9167f563775434c94e82a23b90eb4e2120fc56dce7e7af35e557f6
Opcode Fuzzy Hash: 74ad50c0eaf89a1a26d071ac2c0318fcfe7efa3452e9185c7366b407fcc63e95
Instruction Fuzzy Hash: B3113CA2B28B4281EA448B66E484D696768FB88F84F0858B5DA0D077E5DF2CE486C700

Function 00007FFB0BC7C3C0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 41timeCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7C3E2
?PyWinObject_AsSYSTEMTIME@@YAHPEAU_object@@PEAU_SYSTEMTIME@@@Z.PYWINTYPES311 ref: 00007FFB0BC7C3F6
SetLocalTime.KERNEL32 ref: 00007FFB0BC7C405
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7C418

Strings

O:SetLocalTime, xrefs: 00007FFB0BC7C3DB
SetLocalTime, xrefs: 00007FFB0BC7C411

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: U_object@@$Arg_E@@@Error@@LocalObject_ParseSizeTimeTuple_Win_
String ID: O:SetLocalTime$SetLocalTime
API String ID: 3893343346-2636629638
Opcode ID: 7e650b6e260417c7af58f682bcd3345ccf601eefbec0bc51cbef0b9fa5a7c236
Instruction ID: 8dfee51d8702ddd3ef7436ed0733dbd7e9e3636391d7ea7862018611c25bc1ec
Opcode Fuzzy Hash: 7e650b6e260417c7af58f682bcd3345ccf601eefbec0bc51cbef0b9fa5a7c236
Instruction Fuzzy Hash: 091130E5A18A42B1EA609B31E85157633A0FFC4B94F84A032E94FC2A75DE2CE1458700

Function 00007FFB0BC73E20 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC73E3D
GetComputerNameW.KERNEL32 ref: 00007FFB0BC73E6D
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC73E80

Strings

:GetComputerName, xrefs: 00007FFB0BC73E36
GetComputerName, xrefs: 00007FFB0BC73E79

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Arg_ComputerError@@NameParseSizeTuple_U_object@@Win_
String ID: :GetComputerName$GetComputerName
API String ID: 623364131-2709991892
Opcode ID: 280b0e7004ed8a59334adae9d7e8aa7cb03dee0b7fcb53862baee29878babbd3
Instruction ID: f1a9e91ba9f36445ac8c80291e03d26e2c0b9481b87f84c65a51da1afb98f557
Opcode Fuzzy Hash: 280b0e7004ed8a59334adae9d7e8aa7cb03dee0b7fcb53862baee29878babbd3
Instruction Fuzzy Hash: 980148A5A08986B2FB70DB34E85557533A1FFC9B44F819131D54FC2A35DE2CD1468B00

Function 00007FFB0BC7DE90 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7DEAD
GetKeyboardLayoutNameW.USER32 ref: 00007FFB0BC7DED0
?PyWin_SetAPIError@@YAPEAU_object@@PEADJ@Z.PYWINTYPES311 ref: 00007FFB0BC7DEE3

Strings

:GetKeyboardLayoutName, xrefs: 00007FFB0BC7DEA6
GetKeyboardLayoutNameW, xrefs: 00007FFB0BC7DEDC

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Arg_Error@@KeyboardLayoutNameParseSizeTuple_U_object@@Win_
String ID: :GetKeyboardLayoutName$GetKeyboardLayoutNameW
API String ID: 1235333976-3230485078
Opcode ID: 3db735f447fe768d9fa0969e9cedc3f7b497d0dcffaf8f8f68293c374d0530f6
Instruction ID: db74c5fa4ce110b10e2f97d0cbcceaa65b497a20a6389f862664b5399e2ba7a6
Opcode Fuzzy Hash: 3db735f447fe768d9fa0969e9cedc3f7b497d0dcffaf8f8f68293c374d0530f6
Instruction Fuzzy Hash: 920167E5F18582B5FBA09730EC6157523A0FFD4B94F81A035E54FC1A35DE2CE1498600

Function 00007FFB0BC77C60 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 31threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC77C83
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC77CAF
GetWindowsDirectoryW.KERNEL32 ref: 00007FFB0BC77CC2
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC77CCB
?PyWinObject_FromOLECHAR@@YAPEAU_object@@PEB_W@Z.PYWINTYPES311 ref: 00007FFB0BC77CD6

Strings

:GetWindowsDirectory, xrefs: 00007FFB0BC77C7C

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_Thread$Arg_DirectoryFromObject_ParseRestoreSaveSizeTuple_U_object@@Windows
String ID: :GetWindowsDirectory
API String ID: 2481606296-2340468556
Opcode ID: e6efa6f28dcf89c35857c1638963f9a058019d1ad2141ba367632dcfa2071e67
Instruction ID: 7d8852c3e30122a53f30894411607d9da84f9889e41473b37d72c79253d9a8cf
Opcode Fuzzy Hash: e6efa6f28dcf89c35857c1638963f9a058019d1ad2141ba367632dcfa2071e67
Instruction Fuzzy Hash: E401F4A5A18AC2B1EB709B31F8A977963A0FBD8B44F855131D94F82B65DF3CD1058610

Function 00007FFB0BC7B560 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 29threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7B580
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7B59B
SleepEx.KERNEL32 ref: 00007FFB0BC7B5AC
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7B5B7
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC7B5C6

Strings

i|i:Sleep, xrefs: 00007FFB0BC7B56F

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_SizeThread$Arg_BuildParseRestoreSaveSleepTuple_Value_
String ID: i|i:Sleep
API String ID: 225769103-1579782342
Opcode ID: 5066efa574fa354837e8e00c7fddbba157a9bb09a2410ea4970b84a860f92e89
Instruction ID: 26e91b600e4a26f12529472dd1ff0a71b89a7a6583d40baa5629de179578a209
Opcode Fuzzy Hash: 5066efa574fa354837e8e00c7fddbba157a9bb09a2410ea4970b84a860f92e89
Instruction Fuzzy Hash: 87F012A5A18A82B3D7149B21F84496973B1FBC8B81F905031E68E83B38DF3CD545CB00

Function 00007FFB0BC72F60 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 28threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC72F73
?PyWinObject_AsHANDLE@@YAHPEAU_object@@PEAPEAX@Z.PYWINTYPES311 ref: 00007FFB0BC72F87
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC72F96
DragFinish.SHELL32 ref: 00007FFB0BC72FA4
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC72FAD

Strings

O:DragFinish, xrefs: 00007FFB0BC72F6C

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_Thread$Arg_DragFinishObject_ParseRestoreSaveSizeTuple_U_object@@
String ID: O:DragFinish
API String ID: 2260391358-2115251260
Opcode ID: 34ae116de491c5d2cd38dfec3cee6affe17396f9c6cca82dd423ce0e4bcb4e9f
Instruction ID: f0d5c414005c3b6871feb8bd94187a54f900bd835a2b44b90b13f197309d48b9
Opcode Fuzzy Hash: 34ae116de491c5d2cd38dfec3cee6affe17396f9c6cca82dd423ce0e4bcb4e9f
Instruction Fuzzy Hash: F7F0E1A5A09A83B1DA249B35FC445656370FBC5F81F44A032EA4F87B34DE3CD555C714

Function 00007FFB0BC74E40 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 26threadkeyboardCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC74E53
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC74E6E
GetKeyState.USER32 ref: 00007FFB0BC74E7B
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC74E87
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC74E96

Strings

i:GetKeyState, xrefs: 00007FFB0BC74E4C

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_SizeThread$Arg_BuildParseRestoreSaveStateTuple_Value_
String ID: i:GetKeyState
API String ID: 1084881646-953873090
Opcode ID: a84ebbb404445481774a50b913c49f9b81cbe9bea6472ff8b41a2be360f7daab
Instruction ID: 71980bb1c73442eadfa869ab86e52c449ed895701b09ef16083f3f7da7ffa31d
Opcode Fuzzy Hash: a84ebbb404445481774a50b913c49f9b81cbe9bea6472ff8b41a2be360f7daab
Instruction Fuzzy Hash: 2AF012A5E18B82B2DA249B21F99487963A1FBC8B81F449032E94F83B34DF3CD515C704

Function 00007FFB0BC7B320 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 26threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7B333
PyEval_SaveThread.PYTHON311 ref: 00007FFB0BC7B34E
ShowCursor.USER32 ref: 00007FFB0BC7B35B
PyEval_RestoreThread.PYTHON311 ref: 00007FFB0BC7B366
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC7B375

Strings

i:ShowCursor, xrefs: 00007FFB0BC7B32C

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Eval_SizeThread$Arg_BuildCursorParseRestoreSaveShowTuple_Value_
String ID: i:ShowCursor
API String ID: 20086345-3798339376
Opcode ID: a96c7f501431654baedb29c421e47356ffc9660d770d6f45b7b312f262e0a1d2
Instruction ID: 3b244dbb548b79b3abd54387c176dca41d7e4b4baaece955b092a87e841e6135
Opcode Fuzzy Hash: a96c7f501431654baedb29c421e47356ffc9660d770d6f45b7b312f262e0a1d2
Instruction Fuzzy Hash: 64F0B2A5A18682B3D7249B71F95486963A1FBC8B85F449032E94F83B24DF3CD555C704

Function 00007FFB0BC7E5F0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 19COMMON

Download Yara Rule

APIs

PyLong_FromUnsignedLong.PYTHON311 ref: 00007FFB0BC7E600
PyLong_FromUnsignedLong.PYTHON311 ref: 00007FFB0BC7E60B
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC7E62E

Strings

Granularity, xrefs: 00007FFB0BC7E620
Capacity, xrefs: 00007FFB0BC7E611
{s:N, s:N}, xrefs: 00007FFB0BC7E627

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: FromLongLong_Unsigned$BuildSizeValue_
String ID: Capacity$Granularity${s:N, s:N}
API String ID: 2262696651-1405704946
Opcode ID: f79f8a21a8c3f1199fda296002cc85e6112f1c8f019be435879d901815fabf49
Instruction ID: 02d52770aede9abb3231104b8594eff17c87f9eaf25c704c62c6070a6bac07b5
Opcode Fuzzy Hash: f79f8a21a8c3f1199fda296002cc85e6112f1c8f019be435879d901815fabf49
Instruction Fuzzy Hash: 31E030B5A08682B2E6108B20F84486473B1FB89B84B449135DA4E47B38CF3CD559C744

Function 00007FFB0A8B9430 Relevance: 9.1, APIs: 6, Instructions: 81threadCOMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311(?,?,00000000,00007FFB0A8B1CBA), ref: 00007FFB0A8B945A
PyObject_GetAttr.PYTHON311(?,?,00000000,00007FFB0A8B1CBA), ref: 00007FFB0A8B9479
_PyThreadState_UncheckedGet.PYTHON311(?,?,00000000,00007FFB0A8B1CBA), ref: 00007FFB0A8B948D
_Py_Dealloc.PYTHON311(?,?,00000000,00007FFB0A8B1CBA), ref: 00007FFB0A8B950B
_Py_Dealloc.PYTHON311(?,?,00000000,00007FFB0A8B1CBA), ref: 00007FFB0A8B951F
_Py_Dealloc.PYTHON311(?,?,00000000,00007FFB0A8B1CBA), ref: 00007FFB0A8B9538

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Dealloc$AttrErr_Object_OccurredState_ThreadUnchecked
String ID:
API String ID: 937921832-0
Opcode ID: 5ff41e666bfabb8ea78530396af7270c18ace6a868cb913b4130599f613ccdbc
Instruction ID: e7a2b88e8ab823f567268d11668059e65fd2aee3bcecd2a57c32c22c4c3eda90
Opcode Fuzzy Hash: 5ff41e666bfabb8ea78530396af7270c18ace6a868cb913b4130599f613ccdbc
Instruction Fuzzy Hash: 6E313E73A29B4189EA949B35E544E7973A8FF48B94F1848B1DB4D03B99DF2CE4858700

Function 00007FFB0A8BA7D0 Relevance: 9.1, APIs: 6, Instructions: 74COMMON

Download Yara Rule

APIs

PyList_New.PYTHON311 ref: 00007FFB0A8BA824
PyImport_ImportModuleLevelObject.PYTHON311 ref: 00007FFB0A8BA85F
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BA871
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BA8AC
PyErr_Clear.PYTHON311 ref: 00007FFB0A8BA8BE

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Dealloc$ClearErr_ImportImport_LevelList_ModuleObject
String ID:
API String ID: 449435975-0
Opcode ID: 934ca50ba5b5f2a5d30835abc6d4f3a242d8978385c53571ba11e3d1472fbd9f
Instruction ID: 4f15c919a716c948b08ca7920a1fb9e692a117b9042e51cc2a101bf41f3009e2
Opcode Fuzzy Hash: 934ca50ba5b5f2a5d30835abc6d4f3a242d8978385c53571ba11e3d1472fbd9f
Instruction Fuzzy Hash: 2331F9A6A29B8585EA588B25D444E68B368FB48FD8F484875CE4D07BB4DF3DE096C300

Function 00007FFB0BC793DD Relevance: 9.1, APIs: 6, Instructions: 69COMMON

Download Yara Rule

APIs

PyList_New.PYTHON311 ref: 00007FFB0BC793DF
?PyWinObject_FromOLECHAR@@YAPEAU_object@@PEB_W_J@Z.PYWINTYPES311 ref: 00007FFB0BC79438
PyList_Append.PYTHON311 ref: 00007FFB0BC7944C
_Py_Dealloc.PYTHON311 ref: 00007FFB0BC79466
_Py_Dealloc.PYTHON311 ref: 00007FFB0BC79492
_Py_Dealloc.PYTHON311 ref: 00007FFB0BC794A1

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Dealloc$List_$AppendFromObject_U_object@@
String ID:
API String ID: 3586728721-0
Opcode ID: fab762b0aa151108a8c320eb0e4bae6c921abe7c3c43f8ba7404dc81ee37bc71
Instruction ID: aa495164f26a33d6ee62add7d88c0811e21ab8032de6c39069d7d6cdf7ae79c0
Opcode Fuzzy Hash: fab762b0aa151108a8c320eb0e4bae6c921abe7c3c43f8ba7404dc81ee37bc71
Instruction Fuzzy Hash: 21218EB5A49696B2EE748B35D60457962A1AF44F90B28D030DF0F86FB0DF7CE4518314

Function 00007FFB0A8B1140 Relevance: 9.1, APIs: 6, Instructions: 65threadCOMMON

Download Yara Rule

APIs

PyThreadState_EnterTracing.PYTHON311 ref: 00007FFB0A8B117B
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B11AA
PyThreadState_LeaveTracing.PYTHON311 ref: 00007FFB0A8B11B3
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B11DC
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B11F0
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B1204

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Dealloc$State_ThreadTracing$EnterLeave
String ID:
API String ID: 1034536359-0
Opcode ID: ace7055a493e287ff6b85973d70c6f12c51fc3f6a7748d536cad7ab6593ba87d
Instruction ID: 462e9bb4cfe26cb24fc95953f92c8dba80c79146135aa371bdce696880613c9d
Opcode Fuzzy Hash: ace7055a493e287ff6b85973d70c6f12c51fc3f6a7748d536cad7ab6593ba87d
Instruction Fuzzy Hash: AA212877A18F0181EB549F76E95892973A8FB49F94B180A71CE8C07BA4DF39D452C300

Function 00007FFB0A8BB1C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89COMMON

Download Yara Rule

APIs

_PyObject_GC_New.PYTHON311(?,?,00000001,00007FFB0A8B7C74), ref: 00007FFB0A8BB1E7
PyErr_SetString.PYTHON311(?,?,00000001,00007FFB0A8B7C74), ref: 00007FFB0A8BB2C5
_Py_Dealloc.PYTHON311(?,?,00000001,00007FFB0A8B7C74), ref: 00007FFB0A8BB2D4

Strings

Bad call flags for CyFunction, xrefs: 00007FFB0A8BB2BB

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: DeallocErr_Object_String
String ID: Bad call flags for CyFunction
API String ID: 3982460303-676335653
Opcode ID: cf8055269c17c7cc4816fc7080c34a3a715cd45f6117b6afde68d955388dfd52
Instruction ID: 567f18d126114d5b049625581886e897de3ffc24fef1deff9bdee9420c5dd480
Opcode Fuzzy Hash: cf8055269c17c7cc4816fc7080c34a3a715cd45f6117b6afde68d955388dfd52
Instruction Fuzzy Hash: 2641F473A18B4185E7548F36E944A68B3ECFB98B84F58497ADA8D477E8CF38E451C300

Function 00007FFB0A8B55F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68threadCOMMON

Download Yara Rule

APIs

PyThreadState_Get.PYTHON311 ref: 00007FFB0A8B5611
PyObject_GetAttr.PYTHON311 ref: 00007FFB0A8B568F

Part of subcall function 00007FFB0A8B8D20: PyCode_NewEmpty.PYTHON311 ref: 00007FFB0A8B8D49
Part of subcall function 00007FFB0A8B8D20: PyFrame_New.PYTHON311 ref: 00007FFB0A8B8D6E

_PyThreadState_UncheckedGet.PYTHON311 ref: 00007FFB0A8B56D2

Strings

propcache._helpers_c.under_cached_property.__doc__.__get__, xrefs: 00007FFB0A8B56AB
__get__, xrefs: 00007FFB0A8B5635

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: State_Thread$AttrCode_EmptyFrame_Object_Unchecked
String ID: __get__$propcache._helpers_c.under_cached_property.__doc__.__get__
API String ID: 2055549261-1710411029
Opcode ID: d4d18c52ee02bfe9eaa49a97599bebd1b550c37d52d3fb5dba8dbd2f56bb29b4
Instruction ID: 9eb1bb09c6839165b381067debe81828acb8422417e3066bd6bba6b50503294e
Opcode Fuzzy Hash: d4d18c52ee02bfe9eaa49a97599bebd1b550c37d52d3fb5dba8dbd2f56bb29b4
Instruction Fuzzy Hash: 3031B3B3A18B8286EB549F61E440DB967A8FB46B90F080876DE4E077D5CF3CE440C740

Function 00007FFB0A8B5710 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68threadCOMMON

Download Yara Rule

APIs

PyThreadState_Get.PYTHON311 ref: 00007FFB0A8B5731
PyObject_GetAttr.PYTHON311 ref: 00007FFB0A8B57AF

Part of subcall function 00007FFB0A8B8D20: PyCode_NewEmpty.PYTHON311 ref: 00007FFB0A8B8D49
Part of subcall function 00007FFB0A8B8D20: PyFrame_New.PYTHON311 ref: 00007FFB0A8B8D6E

_PyThreadState_UncheckedGet.PYTHON311 ref: 00007FFB0A8B57F2

Strings

propcache._helpers_c.cached_property.__doc__.__get__, xrefs: 00007FFB0A8B57CB
__get__, xrefs: 00007FFB0A8B5755

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: State_Thread$AttrCode_EmptyFrame_Object_Unchecked
String ID: __get__$propcache._helpers_c.cached_property.__doc__.__get__
API String ID: 2055549261-3374295614
Opcode ID: 0df737c52c2741b48b54ccd5f1fbf7034e55461fba33eda37904f2c86c1ea994
Instruction ID: 0e09731150a568082e7e522b1c4dd86875baa87f15aeac714785105cad8b7042
Opcode Fuzzy Hash: 0df737c52c2741b48b54ccd5f1fbf7034e55461fba33eda37904f2c86c1ea994
Instruction Fuzzy Hash: 1C31C4B7A28B82C5EB509F62E440DB963A8FB48B90F1808B6DE4E037D5DF3CE4418740

Function 00007FFB0BC715E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FFB0BC71628

Strings

DISPLAY_DEVICE structure of size %d greater than supported size of %d, xrefs: 00007FFB0BC71618

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Err_Format
String ID: DISPLAY_DEVICE structure of size %d greater than supported size of %d
API String ID: 376477240-1267491859
Opcode ID: 9883ced093925fec77f5cc9392efa2d18df25d11b23bcf84a073d086facd7b52
Instruction ID: 6ce7a04a986c3ccc8ae2771be05aead1dd88b68a98e1e54e248d2e52daf14b7d
Opcode Fuzzy Hash: 9883ced093925fec77f5cc9392efa2d18df25d11b23bcf84a073d086facd7b52
Instruction Fuzzy Hash: CF1172B1B08A41B2EA659B36F644A7963B4FF85B80F489031DA4F87F74DF2CE5918700

Function 00007FFB0B254D58 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON311 ref: 00007FFB0B254D84
_PyUnicode_ToNumeric.PYTHON311 ref: 00007FFB0B254DB7
PyErr_SetString.PYTHON311 ref: 00007FFB0B254DDF
PyFloat_FromDouble.PYTHON311 ref: 00007FFB0B254DF1

Strings

not a numeric character, xrefs: 00007FFB0B254DD5

Memory Dump Source

Source File: 00000008.00000002.2569480327.00007FFB0B251000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFB0B250000, based on PE: true

Associated: 00000008.00000002.2569434452.00007FFB0B250000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B255000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2B2000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2FE000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B301000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B306000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B360000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569948940.00007FFB0B363000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569977529.00007FFB0B365000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b250000_Payload.jbxd

Similarity

API ID: DoubleErr_Float_FromNumericStringSubtypeType_Unicode_
String ID: not a numeric character
API String ID: 1034370217-2058156748
Opcode ID: e94a4cbcbf0e5bcd60c879edbbe527308af40d50addda8a0dc073dd71fed3554
Instruction ID: 8fe225ff92dc3bcde19948b8ece01a44c919712a49ed1bf0c9e3a3fc6ddb7a18
Opcode Fuzzy Hash: e94a4cbcbf0e5bcd60c879edbbe527308af40d50addda8a0dc073dd71fed3554
Instruction Fuzzy Hash: 26116DE1A0A95791FA55BB35E460D39ABA1AF54B84F14C131CA2FC6778DF3CE8C58A00

Function 00007FFB0A8BAFD0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 49COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FFB0A8BB00E
PyErr_Format.PYTHON311 ref: 00007FFB0A8BB06E

Strings

%.200s() needs an argument, xrefs: 00007FFB0A8BAFFA
%.200s() takes exactly one argument (%zd given), xrefs: 00007FFB0A8BB05E
%.200s() takes no keyword arguments, xrefs: 00007FFB0A8BB02D

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Err_Format
String ID: %.200s() needs an argument$%.200s() takes exactly one argument (%zd given)$%.200s() takes no keyword arguments
API String ID: 376477240-2104551967
Opcode ID: 5f4a4c176f088b11ffc5dc9a3830f8794dc0837c65bea0c9c081546036d42294
Instruction ID: 72d886d35bd17791695263928c9c943e66b0025d4ab825c7cfcd459bd7d65134
Opcode Fuzzy Hash: 5f4a4c176f088b11ffc5dc9a3830f8794dc0837c65bea0c9c081546036d42294
Instruction Fuzzy Hash: 501163E3E28B42C5EA148776C458EB823A4FB49B94F909A71C93D473D0DE2DE586C301

Function 00007FFB0A8BAF20 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 48COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FFB0A8BAF5E
PyErr_Format.PYTHON311 ref: 00007FFB0A8BAFB9

Strings

%.200s() takes no arguments (%zd given), xrefs: 00007FFB0A8BAFA9
%.200s() needs an argument, xrefs: 00007FFB0A8BAF4A
%.200s() takes no keyword arguments, xrefs: 00007FFB0A8BAF7D

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Err_Format
String ID: %.200s() needs an argument$%.200s() takes no arguments (%zd given)$%.200s() takes no keyword arguments
API String ID: 376477240-218619306
Opcode ID: 54bd0c5385456ddffced078fae3ca7f56af74b7a15c25d0b66b98564708c16c5
Instruction ID: 7968610d672b4c792c81b1004278d2080fa4c09761287e32cdf85f06999dd535
Opcode Fuzzy Hash: 54bd0c5385456ddffced078fae3ca7f56af74b7a15c25d0b66b98564708c16c5
Instruction Fuzzy Hash: 8F1160E3A29B4286EA588B75C444EF853A8AB45BE4F905A72C92E473D0DE2DE5858300

Function 00007FFB0B254384 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON311 ref: 00007FFB0B2543B0
_PyUnicode_ToDecimalDigit.PYTHON311 ref: 00007FFB0B2543CF
PyErr_SetString.PYTHON311 ref: 00007FFB0B2543EF
PyLong_FromLong.PYTHON311 ref: 00007FFB0B254403

Strings

not a decimal, xrefs: 00007FFB0B2543E5

Memory Dump Source

Source File: 00000008.00000002.2569480327.00007FFB0B251000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFB0B250000, based on PE: true

Associated: 00000008.00000002.2569434452.00007FFB0B250000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B255000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2B2000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2FE000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B301000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B306000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B360000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569948940.00007FFB0B363000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569977529.00007FFB0B365000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b250000_Payload.jbxd

Similarity

API ID: DecimalDigitErr_FromLongLong_StringSubtypeType_Unicode_
String ID: not a decimal
API String ID: 3750391552-3590249192
Opcode ID: 1cd0ce8ce41aec67d618eaf50ce9a381a57b186b45043069d79b570d0f92dffd
Instruction ID: 091b7ca4e7ba516b0f65465026a6bf58a591f531143394f766b87d3cbfe33e11
Opcode Fuzzy Hash: 1cd0ce8ce41aec67d618eaf50ce9a381a57b186b45043069d79b570d0f92dffd
Instruction Fuzzy Hash: F61182A1A08A4791EA047B31E464E3CAA90AF54B84F54C430D91FC6778DF3CF4818301

Function 00007FFB0A8BA4B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

PyErr_WarnEx.PYTHON311 ref: 00007FFB0A8BA4E3
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BA505
PyErr_SetString.PYTHON311 ref: 00007FFB0A8BA542

Strings

__defaults__ must be set to a tuple object, xrefs: 00007FFB0A8BA538
changes to cyfunction.__defaults__ will not currently affect the values used in function calls, xrefs: 00007FFB0A8BA4D3

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Err_$DeallocStringWarn
String ID: __defaults__ must be set to a tuple object$changes to cyfunction.__defaults__ will not currently affect the values used in function calls
API String ID: 583392104-3345406849
Opcode ID: d164fd607ce9e848333ebc873c381b8dc15b8a3facdf66e54c386645e862166b
Instruction ID: 7137c0fd23baf989a635480131ed76f8b2246249c2288be183490a98a3138e26
Opcode Fuzzy Hash: d164fd607ce9e848333ebc873c381b8dc15b8a3facdf66e54c386645e862166b
Instruction Fuzzy Hash: 2C1173F3B28B4295EA58CB35E480E796364FF48B94F049871DA5D072E5DE2CE4948300

Function 00007FFB0A8BA5E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

PyErr_WarnEx.PYTHON311 ref: 00007FFB0A8BA613
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BA635
PyErr_SetString.PYTHON311 ref: 00007FFB0A8BA672

Strings

changes to cyfunction.__kwdefaults__ will not currently affect the values used in function calls, xrefs: 00007FFB0A8BA603
__kwdefaults__ must be set to a dict object, xrefs: 00007FFB0A8BA668

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Err_$DeallocStringWarn
String ID: __kwdefaults__ must be set to a dict object$changes to cyfunction.__kwdefaults__ will not currently affect the values used in function calls
API String ID: 583392104-738974641
Opcode ID: 6a25a11ebee66b5ef7e5455e93b9700098277c91394714441da69f6143329ade
Instruction ID: 6d1d5351e8145364e4c570f4efca5f86c5b2f94e452006432e40e00e8da27a73
Opcode Fuzzy Hash: 6a25a11ebee66b5ef7e5455e93b9700098277c91394714441da69f6143329ade
Instruction Fuzzy Hash: C0115EF7B28B4296EA488B39E580E756368FF49B90F085971DA5D072E4DF2CE4958700

Function 00007FFB0B2546E8 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON311 ref: 00007FFB0B254721
_PyUnicode_Ready.PYTHON311 ref: 00007FFB0B254734

Strings

east_asian_width, xrefs: 00007FFB0B25471A
argument, xrefs: 00007FFB0B254713
a unicode character, xrefs: 00007FFB0B25470C

Memory Dump Source

Source File: 00000008.00000002.2569480327.00007FFB0B251000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFB0B250000, based on PE: true

Associated: 00000008.00000002.2569434452.00007FFB0B250000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B255000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2B2000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2FE000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B301000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B306000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B360000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569948940.00007FFB0B363000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569977529.00007FFB0B365000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b250000_Payload.jbxd

Similarity

API ID: Arg_ArgumentReadyUnicode_
String ID: a unicode character$argument$east_asian_width
API String ID: 1875788646-3913127203
Opcode ID: 1cd4da9dc117a34be79d860a1371cb1431d82210e1bfc1e6159635a71f123b29
Instruction ID: 15d791910d9bc68df641daf196234cd62c50c8f7c0560eb1e8f72f60d2312d91
Opcode Fuzzy Hash: 1cd4da9dc117a34be79d860a1371cb1431d82210e1bfc1e6159635a71f123b29
Instruction Fuzzy Hash: 0F01A2E0A0864386EA54FB31E940EB46B60AF06B94F54D031D92F863B8DF3CD4C58300

Function 00007FFB0B25441C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON311 ref: 00007FFB0B254455
_PyUnicode_Ready.PYTHON311 ref: 00007FFB0B254468

Strings

argument, xrefs: 00007FFB0B254447
a unicode character, xrefs: 00007FFB0B254440
decomposition, xrefs: 00007FFB0B25444E

Memory Dump Source

Source File: 00000008.00000002.2569480327.00007FFB0B251000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFB0B250000, based on PE: true

Associated: 00000008.00000002.2569434452.00007FFB0B250000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B255000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2B2000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2FE000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B301000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B306000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B360000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569948940.00007FFB0B363000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569977529.00007FFB0B365000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b250000_Payload.jbxd

Similarity

API ID: Arg_ArgumentReadyUnicode_
String ID: a unicode character$argument$decomposition
API String ID: 1875788646-2471543666
Opcode ID: 8e092fff27016ad70a75c21de804b5fd7f142a4693611c384d04bc395b3b3e7a
Instruction ID: e246fe85a5712077d832283a3704561ed62b4445ac222d83bc801c2e2fe3a06c
Opcode Fuzzy Hash: 8e092fff27016ad70a75c21de804b5fd7f142a4693611c384d04bc395b3b3e7a
Instruction Fuzzy Hash: D401A2E0A0868346EA54FB31E850EB46B60BF05B94F54D031D96F863B8DF3CE4C58300

Function 00007FFB0B252620 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

PyMem_Malloc.PYTHON311(?,?,00000000,00007FFB0B252565), ref: 00007FFB0B25262B
PyCapsule_New.PYTHON311(?,?,00000000,00007FFB0B252565), ref: 00007FFB0B252668
PyErr_NoMemory.PYTHON311(?,?,00000000,00007FFB0B252565), ref: 00007FFB0B253EF6
PyMem_Free.PYTHON311(?,?,00000000,00007FFB0B252565), ref: 00007FFB0B253F06

Strings

unicodedata._ucnhash_CAPI, xrefs: 00007FFB0B25265D

Memory Dump Source

Source File: 00000008.00000002.2569480327.00007FFB0B251000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFB0B250000, based on PE: true

Associated: 00000008.00000002.2569434452.00007FFB0B250000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B255000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2B2000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2FE000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B301000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B306000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B360000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569948940.00007FFB0B363000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569977529.00007FFB0B365000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b250000_Payload.jbxd

Similarity

API ID: Mem_$Capsule_Err_FreeMallocMemory
String ID: unicodedata._ucnhash_CAPI
API String ID: 3673501854-3989975041
Opcode ID: 9c8937bca7593cf83dc6e6686b6a5b89807f230b44c95862bfa962c91a770e15
Instruction ID: 485468d2470447bba0dd04082bf891fa30af1869f1ddd5ef6d04d77d0d4ac621
Opcode Fuzzy Hash: 9c8937bca7593cf83dc6e6686b6a5b89807f230b44c95862bfa962c91a770e15
Instruction Fuzzy Hash: 8FF049A0A09B43D1EB01AB35E810E786BA4BF18B85F48D031D84F863B4EF3CE454C350

Function 00007FFB0A8B9930 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311(?,?,?,?,00007FFB0A8B43C3), ref: 00007FFB0A8B9955
PyErr_Clear.PYTHON311(?,?,?,?,00007FFB0A8B43C3), ref: 00007FFB0A8B9988

Strings

hasattr(): attribute name must be string, xrefs: 00007FFB0A8B994B

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Err_$ClearString
String ID: hasattr(): attribute name must be string
API String ID: 4117321295-3811411314
Opcode ID: cd024c434f0620fd5b0d16edd3e179d931ce8bc187243a4fb9381389a88071bd
Instruction ID: 076d85690530fab72348638e7c19c2a0460364b07acb83127ea5dd152cd66e87
Opcode Fuzzy Hash: cd024c434f0620fd5b0d16edd3e179d931ce8bc187243a4fb9381389a88071bd
Instruction Fuzzy Hash: BEF0AFA6F29B4285EA449B35D840F7833A8FF89F60F8448B0CA0D033E0DF2DA4858701

Function 00007FFB0A8B86A0 Relevance: 7.6, APIs: 5, Instructions: 69threadCOMMON

Download Yara Rule

APIs

_PyThreadState_UncheckedGet.PYTHON311(?,?,?,?,00007FFB0A8BB4C5,?,?,?,?,00000C70,?,00007FFB0A8BB673), ref: 00007FFB0A8B86F2
_Py_Dealloc.PYTHON311(?,?,?,?,00007FFB0A8BB4C5,?,?,?,?,00000C70,?,00007FFB0A8BB673), ref: 00007FFB0A8B8767
_Py_Dealloc.PYTHON311(?,?,?,?,00007FFB0A8BB4C5,?,?,?,?,00000C70,?,00007FFB0A8BB673), ref: 00007FFB0A8B877B
_Py_Dealloc.PYTHON311(?,?,?,?,00007FFB0A8BB4C5,?,?,?,?,00000C70,?,00007FFB0A8BB673), ref: 00007FFB0A8B8794

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Dealloc$State_ThreadUnchecked
String ID:
API String ID: 3754167505-0
Opcode ID: c65e61722399b57673a216dd3f0dd8335f2ae3a3a6715cdec02b8255beb8de01
Instruction ID: e5c5f9e283d88169cf801fdbd41dca71f90d8322350e31077b89678237d64f83
Opcode Fuzzy Hash: c65e61722399b57673a216dd3f0dd8335f2ae3a3a6715cdec02b8255beb8de01
Instruction Fuzzy Hash: 463132B7A29B4185EA659B31E544E7963ACFF49B94F1848B5DB8D037D0DF3DE4408700

Function 00007FFB0A8B5320 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

PyObject_GC_IsFinalized.PYTHON311 ref: 00007FFB0A8B5337
PyObject_CallFinalizerFromDealloc.PYTHON311 ref: 00007FFB0A8B5355
PyObject_GC_UnTrack.PYTHON311 ref: 00007FFB0A8B5362
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B537F
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B539C

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: DeallocObject_$CallFinalizedFinalizerFromTrack
String ID:
API String ID: 1245619278-0
Opcode ID: e85126e8d4c3bb4b73e600a1bcfa3d5d7d1c35a899386f64b1dcfbf79480567c
Instruction ID: 5ec37ee2c82ab2e29255610ecbbeb3cd541a8886084c92ebd725cd14448c8825
Opcode Fuzzy Hash: e85126e8d4c3bb4b73e600a1bcfa3d5d7d1c35a899386f64b1dcfbf79480567c
Instruction Fuzzy Hash: 5111E8A3A25B4681EB5C8F72D844F3823A8EB59F58F0848B4CE1E463D0DF7DE5948340

Function 00007FFB0B251EF0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311(?,?,?,?,?,00007FFB0B251EDC), ref: 00007FFB0B253B6F

Part of subcall function 00007FFB0B251FD0: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFB0B252008
Part of subcall function 00007FFB0B251FD0: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFB0B252026

PyErr_Format.PYTHON311 ref: 00007FFB0B251F53

Strings

name too long, xrefs: 00007FFB0B253B65
undefined character name '%s', xrefs: 00007FFB0B251F46

Memory Dump Source

Source File: 00000008.00000002.2569480327.00007FFB0B251000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFB0B250000, based on PE: true

Associated: 00000008.00000002.2569434452.00007FFB0B250000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B255000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2B2000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2FE000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B301000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B306000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B360000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569948940.00007FFB0B363000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569977529.00007FFB0B365000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b250000_Payload.jbxd

Similarity

API ID: Err_strncmp$FormatString
String ID: name too long$undefined character name '%s'
API String ID: 3882229318-4056717002
Opcode ID: 8b8c9c862c8556266a26c0415d30d38fd4fd6db163ae40366dde064f1277ed55
Instruction ID: f29791274c66b032d21f8f1d1f27ac81ca324aa692155c390ab327afea2b2299
Opcode Fuzzy Hash: 8b8c9c862c8556266a26c0415d30d38fd4fd6db163ae40366dde064f1277ed55
Instruction Fuzzy Hash: 34110DB6A18A47D6EB00AB24D894EB46B60FB98749F908431CA0FC6274DF7DE54AC700

Function 00007FFB0BC71560 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FFB0BC71594
PyErr_SetString.PYTHON311 ref: 00007FFB0BC715BF

Strings

Object must be a PyDISPLAY_DEVICE, xrefs: 00007FFB0BC715B5
PyDISPLAY_DEVICE cannot be None in this context, xrefs: 00007FFB0BC7158A

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Err_String
String ID: Object must be a PyDISPLAY_DEVICE$PyDISPLAY_DEVICE cannot be None in this context
API String ID: 1450464846-405748036
Opcode ID: 5a1d97b5285f2e7c9742bebc4069ac4d7deae146b770ba5b065e3163082c6af0
Instruction ID: aca84bd6b4015154e84bb17a618ab6e8e17c31cd4873d5131e50f1a29c84547c
Opcode Fuzzy Hash: 5a1d97b5285f2e7c9742bebc4069ac4d7deae146b770ba5b065e3163082c6af0
Instruction Fuzzy Hash: 6701F6E5E05A43B1EB659B35D890B6423B0FB88B04FD4E031D90FC2A70DE6DD59AC704

Function 00007FFB0A8BA3F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FFB0A8BA40D
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BA44C

Strings

setting function's dictionary to a non-dict, xrefs: 00007FFB0A8BA42D
function's dictionary may not be deleted, xrefs: 00007FFB0A8BA3FC

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: DeallocErr_String
String ID: function's dictionary may not be deleted$setting function's dictionary to a non-dict
API String ID: 1259552197-2577330722
Opcode ID: b36b37b1353b715cdb40129da16c47b858c848e050c02d0135a77d0003af71be
Instruction ID: d788e2e051889d12a77fc7486bc7bb3d7529bdc92e593b078e72cfe28a054203
Opcode Fuzzy Hash: b36b37b1353b715cdb40129da16c47b858c848e050c02d0135a77d0003af71be
Instruction Fuzzy Hash: 84F062F7E15B0396EA58CB35D894EB4A3A9FF44B90F904AB1C91D022E0DF2DE4558300

Function 00007FFB0BC7DE40 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7DE5B
GetKeyboardLayout.USER32 ref: 00007FFB0BC7DE70
?PyWinLong_FromVoidPtr@@YAPEAU_object@@PEBX@Z.PYWINTYPES311 ref: 00007FFB0BC7DE79

Strings

|i:GetKeyboardLayout, xrefs: 00007FFB0BC7DE4F

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Arg_FromKeyboardLayoutLong_ParsePtr@@SizeTuple_U_object@@Void
String ID: |i:GetKeyboardLayout
API String ID: 1186360772-2940790594
Opcode ID: 84e4bd74d1a5659f3f19542445ff25dbcbe3a423a4da642c2dbe50363f35b051
Instruction ID: 988cb64f66c0b9d87065e476f3fcf9f440a3d65e18f36c6b7dd1120d3ed58885
Opcode Fuzzy Hash: 84e4bd74d1a5659f3f19542445ff25dbcbe3a423a4da642c2dbe50363f35b051
Instruction Fuzzy Hash: 8EE0BFA0A19683B3DA289B31EC4596923A0FF85B45F909035D60FC7A34DF3CD9998B44

Function 00007FFB0BC77240 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC77253
GetSysColor.USER32 ref: 00007FFB0BC77268
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC77277

Strings

i:GetSysColor, xrefs: 00007FFB0BC7724C

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Size$Arg_BuildColorParseTuple_Value_
String ID: i:GetSysColor
API String ID: 2799660753-1403295634
Opcode ID: 55cbc501ad941c6f2eddf73faaf4cc2d4231ff1d117f763f6fd74fc38a7cbd3f
Instruction ID: e20701ccd255e48e61fccc53d07c6f4f71afd2ad21719e65b67e56cbf1ab4e08
Opcode Fuzzy Hash: 55cbc501ad941c6f2eddf73faaf4cc2d4231ff1d117f763f6fd74fc38a7cbd3f
Instruction Fuzzy Hash: A3E0BFA1F09543B2DA149B31EC559A523A1BFD4B41F909032D50FC2A34DE2CE959C704

Function 00007FFB0BC72880 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC72893
GetStdHandle.KERNEL32 ref: 00007FFB0BC728A8
?PyWinLong_FromHANDLE@@YAPEAU_object@@PEAX@Z.PYWINTYPES311 ref: 00007FFB0BC728B1

Strings

i:GetStdHandle, xrefs: 00007FFB0BC7288C

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Arg_FromHandleLong_ParseSizeTuple_U_object@@
String ID: i:GetStdHandle
API String ID: 809557171-1864289571
Opcode ID: e5e1eba5f34c6371fb293da4e08a3cc2c72b6de0479bac514063a89abb728616
Instruction ID: 227ff88faaadf4a0965e6f58afeaf0905e1501c5caa22da89f6691dc98c56915
Opcode Fuzzy Hash: e5e1eba5f34c6371fb293da4e08a3cc2c72b6de0479bac514063a89abb728616
Instruction Fuzzy Hash: D8E0ECA1F19583B2DA189B31EC4586923B0FFC5F46F849075D60F82A30DE2DE5598704

Function 00007FFB0B251FD0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 173stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFB0B252008
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFB0B252026

Strings

HANGUL SYLLABLE , xrefs: 00007FFB0B251FF5
CJK UNIFIED IDEOGRAPH-, xrefs: 00007FFB0B25201C

Memory Dump Source

Source File: 00000008.00000002.2569480327.00007FFB0B251000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFB0B250000, based on PE: true

Associated: 00000008.00000002.2569434452.00007FFB0B250000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B255000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2B2000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2FE000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B301000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B306000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B360000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569948940.00007FFB0B363000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569977529.00007FFB0B365000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b250000_Payload.jbxd

Similarity

API ID: strncmp
String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
API String ID: 1114863663-87138338
Opcode ID: 8de3eb989cf6c62dcbce841305c01691443b1373284778389dc9e239678f53b6
Instruction ID: f2cbe6e2118bb6428738cc437efdba49be57242933a4c0dc5bb5f70544e71aab
Opcode Fuzzy Hash: 8de3eb989cf6c62dcbce841305c01691443b1373284778389dc9e239678f53b6
Instruction Fuzzy Hash: 4661F6B2B1864386E660AE39E800E7A7A52FB907D0F44D235EA5FC76E5DE7CE5018700

Function 00007FFB0A8BC30C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFB0A8BC338
GetCurrentThreadId.KERNEL32 ref: 00007FFB0A8BC346
GetCurrentProcessId.KERNEL32 ref: 00007FFB0A8BC352
QueryPerformanceCounter.KERNEL32 ref: 00007FFB0A8BC362

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 392f72e91ec90478cb8482db7cf2560d397983631a93c0af5c356536f9346127
Instruction ID: 54b4eca921b749a3a972758107ac3bcc1445672e1a82f7a740908178f14e8a9e
Opcode Fuzzy Hash: 392f72e91ec90478cb8482db7cf2560d397983631a93c0af5c356536f9346127
Instruction Fuzzy Hash: 7F111862B14B019AEB00DB70E854AA833A8FB59758F440E31EA6D467E4EF78E159C340

Function 00007FFB0BC791C3 Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

PyMem_Malloc.PYTHON311 ref: 00007FFB0BC791CF
PyErr_NoMemory.PYTHON311 ref: 00007FFB0BC791DD

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Err_MallocMem_Memory
String ID:
API String ID: 2673138930-0
Opcode ID: 508b3d99f1b5bb5bd55bd05c43d0cde3c5ec6a8e1d32f192a79b9d80c493888f
Instruction ID: 6b439b76b4aad088a4cf1b21b3d7090d1c38f623644aa7daf73ae3153f57e19a
Opcode Fuzzy Hash: 508b3d99f1b5bb5bd55bd05c43d0cde3c5ec6a8e1d32f192a79b9d80c493888f
Instruction Fuzzy Hash: 1D012DB1648A82B1E7708F35E444A6973A5FB88B41F41D032CA9FC3B60DEBCE4458310

Function 00007FFB0A8B8F60 Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

PyTuple_Size.PYTHON311 ref: 00007FFB0A8B8F7B
PyTuple_GetSlice.PYTHON311 ref: 00007FFB0A8B8F8C
PyObject_Call.PYTHON311 ref: 00007FFB0A8B8FB3
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8B8FC5

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Tuple_$CallDeallocObject_SizeSlice
String ID:
API String ID: 387090426-0
Opcode ID: 13732914df37269150540ba82adc491d0a57c3fe2262490341fc7e6caa296dc5
Instruction ID: 9490a470ed02acc45f0b7bfaed82306aa68110773d07a4b8457b39e2cedfd1b6
Opcode Fuzzy Hash: 13732914df37269150540ba82adc491d0a57c3fe2262490341fc7e6caa296dc5
Instruction Fuzzy Hash: 8DF06862B29B8181EE448B67F944929A769FF8CFD4F485470EE4E07B99DE3CD4818700

Function 00007FFB0BC7D040 Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

PyLong_FromLong.PYTHON311 ref: 00007FFB0BC7D04A
PyList_Append.PYTHON311 ref: 00007FFB0BC7D060
_Py_Dealloc.PYTHON311 ref: 00007FFB0BC7D07A
_Py_Dealloc.PYTHON311 ref: 00007FFB0BC7D09A

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Dealloc$AppendFromList_LongLong_
String ID:
API String ID: 686290195-0
Opcode ID: 8a38922c81acd4f33ad1ba1dcd9b5c44600a87cf0a7ff07ee70caa4475c08773
Instruction ID: acd07231a8849a3a25476b3b44e72dddfc9dc6243788bc3665d76bc4e23579f4
Opcode Fuzzy Hash: 8a38922c81acd4f33ad1ba1dcd9b5c44600a87cf0a7ff07ee70caa4475c08773
Instruction Fuzzy Hash: B2F06DE1B06B46A2EE254B36E46863522A0AF98B15F48A130DD0F867A0EE2DE4958200

Function 00007FFB0A6B1EB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

_wassert.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,00007FFB0A6B1E02), ref: 00007FFB0A6B1EF4

Strings

(void*)in != (void*)out, xrefs: 00007FFB0A6B1EED
src/scrypt.c, xrefs: 00007FFB0A6B1EE6

Memory Dump Source

Source File: 00000008.00000002.2558208231.00007FFB0A6B1000.00000020.00000001.01000000.0000004A.sdmp, Offset: 00007FFB0A6B0000, based on PE: true

Associated: 00000008.00000002.2558120358.00007FFB0A6B0000.00000002.00000001.01000000.0000004A.sdmpDownload File
Associated: 00000008.00000002.2558308893.00007FFB0A6B3000.00000002.00000001.01000000.0000004A.sdmpDownload File
Associated: 00000008.00000002.2558375762.00007FFB0A6B4000.00000004.00000001.01000000.0000004A.sdmpDownload File
Associated: 00000008.00000002.2558453551.00007FFB0A6B5000.00000002.00000001.01000000.0000004A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a6b0000_Payload.jbxd

Similarity

API ID: _wassert
String ID: (void*)in != (void*)out$src/scrypt.c
API String ID: 3234217646-1092544927
Opcode ID: b1a4e3b3e2a0e0797d6cdbaf5825b108bf68dc55db4e2b5cc03aba4bda832255
Instruction ID: e56c82ade67b9d6e0f9f372ce5aaa018c11353529f531d5331c63959989e2bb6
Opcode Fuzzy Hash: b1a4e3b3e2a0e0797d6cdbaf5825b108bf68dc55db4e2b5cc03aba4bda832255
Instruction Fuzzy Hash: 1711C2A3B14B9182EE148B46FC006A9A6B4FB95FC0F484435EE5D0BB98DE3CC586C304

Function 00007FFB0BC7D1D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC7D22B
_Py_Dealloc.PYTHON311 ref: 00007FFB0BC7D242

Strings

llOlO, xrefs: 00007FFB0BC7D224

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: BuildDeallocSizeValue_
String ID: llOlO
API String ID: 2527706333-3221067709
Opcode ID: ac473d9dab60824db44f14f6b3e7e385697cf4aead05804fca5577c05b7f75e8
Instruction ID: 39a31d75db4ec8678edec45aa0449e4877d823f5d0eb1f4906aaeee2513f1079
Opcode Fuzzy Hash: ac473d9dab60824db44f14f6b3e7e385697cf4aead05804fca5577c05b7f75e8
Instruction Fuzzy Hash: F0011EB5A19A81A2EA65CB25FA5442873B0FF89B94F048131DE5F87F34DF3CE5518704

Function 00007FFB0B254C08 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FFB0B254C58
PyUnicode_FromString.PYTHON311 ref: 00007FFB0B254C6F

Strings

no such name, xrefs: 00007FFB0B254C4E

Memory Dump Source

Source File: 00000008.00000002.2569480327.00007FFB0B251000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFB0B250000, based on PE: true

Associated: 00000008.00000002.2569434452.00007FFB0B250000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B255000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2B2000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2FE000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B301000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B306000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B360000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569948940.00007FFB0B363000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569977529.00007FFB0B365000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b250000_Payload.jbxd

Similarity

API ID: String$Err_FromUnicode_
String ID: no such name
API String ID: 3678473424-4211486178
Opcode ID: 0bad81046192c5090e63041fc1c0adfcc3ec090d4373e4d8dfd61f48ff6f657e
Instruction ID: ee4e17db91ef5663061f698dec3204632a01f9c03206ed0a7f8945bb991e7d2f
Opcode Fuzzy Hash: 0bad81046192c5090e63041fc1c0adfcc3ec090d4373e4d8dfd61f48ff6f657e
Instruction Fuzzy Hash: 9E0162B1A18A4781FA60BB31E851FB56B60BF98B45F50C035DA4F86774DF3CE0448600

Function 00007FFB0A8BA710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FFB0A8BA746
_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BA776

Strings

__annotations__ must be set to a dict object, xrefs: 00007FFB0A8BA73C

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: DeallocErr_String
String ID: __annotations__ must be set to a dict object
API String ID: 1259552197-3333445879
Opcode ID: 2c8a6c9bae8fa822c9780818d5803dcd88ce39430e3c0dd0317b351bd0cb3564
Instruction ID: 24838b79893ff78735a3ad14cf745f701e438c4e46c98a811f608accbb29835f
Opcode Fuzzy Hash: 2c8a6c9bae8fa822c9780818d5803dcd88ce39430e3c0dd0317b351bd0cb3564
Instruction Fuzzy Hash: DAF04FF7E29B4282EA588B35D880E3563B9FF88B90F5499B1C95D062D0EF2DA4568305

Function 00007FFB0A8BA350 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BA382
PyErr_SetString.PYTHON311 ref: 00007FFB0A8BA3A0

Strings

__qualname__ must be set to a string object, xrefs: 00007FFB0A8BA396

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: DeallocErr_String
String ID: __qualname__ must be set to a string object
API String ID: 1259552197-2284195966
Opcode ID: a2832bdff8737f1d6582614c3738e4b1e68b8e91d1cd34ca87c65e74ff35d20e
Instruction ID: 409ef10667c8b65810b32942e0fd064d87e6cce646b86ce748be40ef08d4110e
Opcode Fuzzy Hash: a2832bdff8737f1d6582614c3738e4b1e68b8e91d1cd34ca87c65e74ff35d20e
Instruction Fuzzy Hash: 16F03AF7A25B0282EB48DB39D85097863A8BF88BD0F9449B1C91D062E1EF2D94998300

Function 00007FFB0A8BA2E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON311 ref: 00007FFB0A8BA312
PyErr_SetString.PYTHON311 ref: 00007FFB0A8BA330

Strings

__name__ must be set to a string object, xrefs: 00007FFB0A8BA326

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: DeallocErr_String
String ID: __name__ must be set to a string object
API String ID: 1259552197-1372955150
Opcode ID: a3f1c491b2d2f1e7a9b5efe99f75aba8275270754caa5c9666356331ad9874bb
Instruction ID: 0bbab2e9cb55e5a248616e82c742309884a325f22720548322aa89dc105d28d7
Opcode Fuzzy Hash: a3f1c491b2d2f1e7a9b5efe99f75aba8275270754caa5c9666356331ad9874bb
Instruction Fuzzy Hash: 47F030F7A15B02C1DA48DB39D89093963A8BF88BD0F544971CA1D432E0EE2D9495C300

Function 00007FFB0BC7C1C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7C1E5
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC7C216

Strings

iii:RGB, xrefs: 00007FFB0BC7C1DE

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Size$Arg_BuildParseTuple_Value_
String ID: iii:RGB
API String ID: 3671984487-4024403587
Opcode ID: 49ad4a1fd2539caf3cdf0797b444af38b9589a5b72f0f72a57ec2e250f034af2
Instruction ID: fedc711c64e10ed26d3a922e7fbd2a5110ab0c47227e064654cd628bd1b69989
Opcode Fuzzy Hash: 49ad4a1fd2539caf3cdf0797b444af38b9589a5b72f0f72a57ec2e250f034af2
Instruction Fuzzy Hash: 3EF089A1A1C78661EB519735E8104AA7BE1FBC1781F849032F5DEC2F68DE3CE219CB50

Function 00007FFB0A8B87C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311(?,?,00000000,00007FFB0A8B1FD2), ref: 00007FFB0A8B87E8
PyErr_Format.PYTHON311(?,?,00000000,00007FFB0A8B1FD2), ref: 00007FFB0A8B8807

Strings

name '%U' is not defined, xrefs: 00007FFB0A8B87FA

Memory Dump Source

Source File: 00000008.00000002.2566420945.00007FFB0A8B1000.00000020.00000001.01000000.00000039.sdmp, Offset: 00007FFB0A8B0000, based on PE: true

Associated: 00000008.00000002.2566376649.00007FFB0A8B0000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566465265.00007FFB0A8BD000.00000002.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566510302.00007FFB0A8C2000.00000004.00000001.01000000.00000039.sdmpDownload File
Associated: 00000008.00000002.2566553628.00007FFB0A8C4000.00000002.00000001.01000000.00000039.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0a8b0000_Payload.jbxd

Similarity

API ID: Err_$FormatOccurred
String ID: name '%U' is not defined
API String ID: 4038069558-3833966784
Opcode ID: 627fa300dfe5062ca1b2fbeaea4b5ddda47f524ca0fd262b12c0f28bc1edf370
Instruction ID: 14b4b4be2cf4796c3d19135fe2e401bf737aa615be1919cc8127918d49911656
Opcode Fuzzy Hash: 627fa300dfe5062ca1b2fbeaea4b5ddda47f524ca0fd262b12c0f28bc1edf370
Instruction Fuzzy Hash: 82F08CA2B29B4281EE049B66E884C756368BF8CFC4B084875DD0D473A1EE3CE4848700

Function 00007FFB0B2525B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_PyObject_GC_New.PYTHON311(?,?,00000000,00007FFB0B252533), ref: 00007FFB0B2525B6
PyObject_GC_Track.PYTHON311(?,?,00000000,00007FFB0B252533), ref: 00007FFB0B2525E8

Strings

3.2.0, xrefs: 00007FFB0B2525C4

Memory Dump Source

Source File: 00000008.00000002.2569480327.00007FFB0B251000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFB0B250000, based on PE: true

Associated: 00000008.00000002.2569434452.00007FFB0B250000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B255000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2B2000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B2FE000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B301000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B306000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569547141.00007FFB0B360000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569948940.00007FFB0B363000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000008.00000002.2569977529.00007FFB0B365000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0b250000_Payload.jbxd

Similarity

API ID: Object_$Track
String ID: 3.2.0
API String ID: 16854473-1786766648
Opcode ID: 767dd7ab98994f43239e4e329e749c2ad7475791c86a6fb4d160e6b955e6c056
Instruction ID: 6bb5accd986f1108f70e34e2038786b27e2cae9405690b25a2fcc8a9d050e8f4
Opcode Fuzzy Hash: 767dd7ab98994f43239e4e329e749c2ad7475791c86a6fb4d160e6b955e6c056
Instruction Fuzzy Hash: 13E0E5A4A0AB07D5EB19AB31E850D682AA4FF18B04B488135CD4E823B0EF3CE164D240

Function 00007FFB0BC78200 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC78213
?PyWinObject_CloseHKEY@@YAHPEAU_object@@@Z.PYWINTYPES311 ref: 00007FFB0BC78222

Strings

O:RegCloseKey, xrefs: 00007FFB0BC7820C

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Arg_CloseObject_ParseSizeTuple_U_object@@@
String ID: O:RegCloseKey
API String ID: 3433270780-2839112864
Opcode ID: 2643a4c75fef34f3fff347d8412d8d8f657ebbce40cdb44a67962c12f213d8bd
Instruction ID: c95f33a60e82d53e450f7b253b8fe13496fa82777d7c405279ea8abd44611656
Opcode Fuzzy Hash: 2643a4c75fef34f3fff347d8412d8d8f657ebbce40cdb44a67962c12f213d8bd
Instruction Fuzzy Hash: C9E0EDE0B08982B1EA245B72EC849652370FB81B82F849032DA4EC7A34CE2CD8568714

Function 00007FFB0BC7BFB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7BFC8
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC7BFEF

Strings

ii:MAKELANGID, xrefs: 00007FFB0BC7BFBC

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Size$Arg_BuildParseTuple_Value_
String ID: ii:MAKELANGID
API String ID: 3671984487-2052633188
Opcode ID: 4d40aeb1b6167158ef20964295b9271136dd8a016e3fdff458f5c6c6b083d0eb
Instruction ID: ecc8de71fd4c25265ecf2b5a76cfb85ad5c8f54f8b70cb5969845cf5ab93a5a4
Opcode Fuzzy Hash: 4d40aeb1b6167158ef20964295b9271136dd8a016e3fdff458f5c6c6b083d0eb
Instruction Fuzzy Hash: 4AE012A1E08443B1DA549B75F8545B523B1FBC1B46F90C032E64EC1938DE3CD59AD700

Function 00007FFB0BC7C170 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7C188
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC7C1AF

Strings

ii:MAKELONG, xrefs: 00007FFB0BC7C17C

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Size$Arg_BuildParseTuple_Value_
String ID: ii:MAKELONG
API String ID: 3671984487-1608344320
Opcode ID: 8146bdcc22b722e358b0d7f500eeddb7cf187aa1a79e3b4a34ff052001b7fa08
Instruction ID: f0be05c4cfac90ba421d13996df944074d908aa38500540ecb71428a0a4e7acd
Opcode Fuzzy Hash: 8146bdcc22b722e358b0d7f500eeddb7cf187aa1a79e3b4a34ff052001b7fa08
Instruction Fuzzy Hash: E5E012A1E18443B1EB149B35E8405B927B1FBC1746F90C032E64E82934EE7CD59AC750

Function 00007FFB0BC7C090 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7C0A3
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC7C0C6

Strings

i:HIBYTE, xrefs: 00007FFB0BC7C09C

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Size$Arg_BuildParseTuple_Value_
String ID: i:HIBYTE
API String ID: 3671984487-2590802970
Opcode ID: 071088d7e1714ac271a2fb333e24cfb930c59a79714353ac2f2663fe7d33f8ef
Instruction ID: 0afcf86ada8e967ae89184dd826b5aa61731fb64befe99bc9c68973dac5492e2
Opcode Fuzzy Hash: 071088d7e1714ac271a2fb333e24cfb930c59a79714353ac2f2663fe7d33f8ef
Instruction Fuzzy Hash: BFE08CE0F08443B2DE18AB31EC809A923E0FFD0702FC09032D20EC6A20DE2CE55AC700

Function 00007FFB0BC7C000 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7C013
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC7C036

Strings

i:HIWORD, xrefs: 00007FFB0BC7C00C

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Size$Arg_BuildParseTuple_Value_
String ID: i:HIWORD
API String ID: 3671984487-3294456677
Opcode ID: 9ab909f22447b2452dfc10dc426c4da5aecdf55ede1bb639e72aeaa4b8e1419f
Instruction ID: 8b520da4f78f3ea277e27ca11efc6313c98f86a2d7f0f096ee99cd2a916f1313
Opcode Fuzzy Hash: 9ab909f22447b2452dfc10dc426c4da5aecdf55ede1bb639e72aeaa4b8e1419f
Instruction Fuzzy Hash: 43E04F90A08543B2DE149725E84097523E0FF80701FC09032D54E86A20DD2CE5598740

Function 00007FFB0BC7C560 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7C573
SetThreadLocale.KERNEL32 ref: 00007FFB0BC7C588

Strings

i:SetThreadLocale, xrefs: 00007FFB0BC7C56C

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Arg_LocaleParseSizeThreadTuple_
String ID: i:SetThreadLocale
API String ID: 2220772945-2528413986
Opcode ID: cefdeb93583baf1c60a79bb84cb95c14344cdc3bd35aab3625cf1cfa5536478d
Instruction ID: 7ffa15a7d5c018eb44a7a1120a908f9f007ed3ecb367ee1cdb907dc1c01c877a
Opcode Fuzzy Hash: cefdeb93583baf1c60a79bb84cb95c14344cdc3bd35aab3625cf1cfa5536478d
Instruction Fuzzy Hash: 6BE04FE5A08987B2DA149B32EC8486533B0FF85F40F809032D90F83B30CE2CE456C704

Function 00007FFB0BC7C050 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7C063
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFB0BC7C080

Strings

i:LOWORD, xrefs: 00007FFB0BC7C05C

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Size$Arg_BuildParseTuple_Value_
String ID: i:LOWORD
API String ID: 3671984487-3498892499
Opcode ID: bb95ad9b45b6e6a687017c2a96226e063f6cb26bcaa34b50506e9d71ee4019dc
Instruction ID: 53fd097e8d889148fc568066bab25530a87f5ff628630237215b18d298a29941
Opcode Fuzzy Hash: bb95ad9b45b6e6a687017c2a96226e063f6cb26bcaa34b50506e9d71ee4019dc
Instruction Fuzzy Hash: 98E0EC91A08543B2DA186B31EC555B523A1FFD1B46F90D032D60E81934DE2CE59AC740

Function 00007FFB0BC77760 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7776E
GetVersion.KERNEL32 ref: 00007FFB0BC7777F

Strings

:GetVersion, xrefs: 00007FFB0BC77767

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Arg_ParseSizeTuple_Version
String ID: :GetVersion
API String ID: 899322485-235393037
Opcode ID: 811252984363d51a9f84090d9778ce089374dceefb5475b6e89fc8296215709a
Instruction ID: 3fc4f3f5f678bf7c7b66371bfc31c44895b2953e091cdf6bef245b6cb7855903
Opcode Fuzzy Hash: 811252984363d51a9f84090d9778ce089374dceefb5475b6e89fc8296215709a
Instruction Fuzzy Hash: 05D01790F09943F2EA285B31EC908B522A0AF94B41F80D132C41FC5A31FE2CA59A8304

Function 00007FFB0BC745E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC745EE
GetCurrentProcessId.KERNEL32 ref: 00007FFB0BC745FF

Strings

:GetCurrentProcessId, xrefs: 00007FFB0BC745E7

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Arg_CurrentParseProcessSizeTuple_
String ID: :GetCurrentProcessId
API String ID: 2661948951-1699093009
Opcode ID: 2c1369512f65300534d6baa643c5e5e06ed1862caacd6bde3d21a7b47731a406
Instruction ID: 8dcf42f95d1cc8a446146c89208df626ff52c5a5fff773b8633e1778a05a5c0f
Opcode Fuzzy Hash: 2c1369512f65300534d6baa643c5e5e06ed1862caacd6bde3d21a7b47731a406
Instruction Fuzzy Hash: 09D09EA0F4A643F1E6685731EC8587512D19F85B51F409432D40FC5A30ED5CA5D68704

Function 00007FFB0BC7C5B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7C5BE
GetThreadLocale.KERNEL32 ref: 00007FFB0BC7C5CF

Strings

:GetThreadLocale, xrefs: 00007FFB0BC7C5B7

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Arg_LocaleParseSizeThreadTuple_
String ID: :GetThreadLocale
API String ID: 2220772945-1873615413
Opcode ID: c023d3f50c9f16cf75b90984711c31390f7473d4f71c0c66e52059565098c045
Instruction ID: d9df3b037514d3893a6264baf1aaa8dca72ef505a315024909ef7811176cab79
Opcode Fuzzy Hash: c023d3f50c9f16cf75b90984711c31390f7473d4f71c0c66e52059565098c045
Instruction Fuzzy Hash: 17D05ED0F59543B1E6281731ED9087912E1AF84B41F809031C40FC0630ED5CA5D54704

Function 00007FFB0BC745A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC745AE
GetCurrentProcess.KERNEL32 ref: 00007FFB0BC745BF

Strings

:GetCurrentProcess, xrefs: 00007FFB0BC745A7

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Arg_CurrentParseProcessSizeTuple_
String ID: :GetCurrentProcess
API String ID: 2661948951-521274867
Opcode ID: 012965560d9d3f65e7d3d08d8ea94ef131ec87784274c7fa4ecccaa43d791c6b
Instruction ID: 8a9ebeb661b9f82f5b1ee5a37d2457626b579ab29e1d78d8a5c38b482886193d
Opcode Fuzzy Hash: 012965560d9d3f65e7d3d08d8ea94ef131ec87784274c7fa4ecccaa43d791c6b
Instruction Fuzzy Hash: 10D0C790F5A543F1E66D5732EC8587512D0AF85F51F40D431D41FC1730ED1CA1D58704

Function 00007FFB0BC74560 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFB0BC7456E
GetCurrentThreadId.KERNEL32 ref: 00007FFB0BC7457F

Strings

:GetCurrentThreadId, xrefs: 00007FFB0BC74567

Memory Dump Source

Source File: 00000008.00000002.2573367020.00007FFB0BC71000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFB0BC70000, based on PE: true

Associated: 00000008.00000002.2573329964.00007FFB0BC70000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573405670.00007FFB0BC83000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573460630.00007FFB0BC8E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000008.00000002.2573491501.00007FFB0BC91000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ffb0bc70000_Payload.jbxd

Similarity

API ID: Arg_CurrentParseSizeThreadTuple_
String ID: :GetCurrentThreadId
API String ID: 1649854756-2016947755
Opcode ID: 64b90a45eecba3a6158b7e160ee47d19c4b98a5828cd54862366a9be6b4225f9
Instruction ID: e820de96e5655df29fad006f5cb468a1705fd4fd38a305875f248778ac1cfeb1
Opcode Fuzzy Hash: 64b90a45eecba3a6158b7e160ee47d19c4b98a5828cd54862366a9be6b4225f9
Instruction Fuzzy Hash: DDD09EA0F49543B1E6695731EC8587512D29F95F51F44A431D41FC1630EE5CA5D64704

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payload.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_ARC4.pyd

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_Salsa20.pyd

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_chacha20.pyd

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_pkcs1_decode.pyd

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_aes.pyd

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_aesni.pyd

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_arc2.pyd

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_blowfish.pyd

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_cast.pyd

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_cbc.pyd

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_cfb.pyd

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_ctr.pyd

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_des.pyd

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_des3.pyd

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_ecb.pyd

C:\Users\user\AppData\Local\Temp\_MEI70282\Crypto\Cipher\_raw_eksblowfish.pyd

Windows Analysis Report
Payload.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre