Edit tour

Windows Analysis Report
dipwo1iToJ.exe

Overview

General Information

Sample name:	dipwo1iToJ.exe renamed because original name is a hash value
Original sample name:	f40d72b602d086c3724048c5df9cc6f0.exe
Analysis ID:	1570259
MD5:	f40d72b602d086c3724048c5df9cc6f0
SHA1:	1cb21b5dda39cc0101e3a140701a670981e562be
SHA256:	d86949ec11d850f940b1ce58eb7a32f1381401fbb27137b6736345ce07ce4501
Tags:	exeuser-abuse_ch
Infos:

Detection

Python Stealer

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Generic Python Stealer

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

dipwo1iToJ.exe (PID: 6864 cmdline: "C:\Users\user\Desktop\dipwo1iToJ.exe" MD5: F40D72B602D086C3724048C5DF9CC6F0)

dipwo1iToJ.exe (PID: 792 cmdline: "C:\Users\user\Desktop\dipwo1iToJ.exe" MD5: F40D72B602D086C3724048C5DF9CC6F0)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: dipwo1iToJ.exe PID: 792	JoeSecurity_GenericPythonStealer	Yara detected Generic Python Stealer	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: dipwo1iToJ.exe

ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\dipwo1iToJ.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txt

Jump to behavior

Source: dipwo1iToJ.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: dipwo1iToJ.exe, 00000001.00000002.1797680341.00007FFDFB5F4000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: dipwo1iToJ.exe, 00000001.00000002.1790259151.00007FFDFAA9F000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: cryptography_rust.pdbc source: dipwo1iToJ.exe, 00000001.00000002.1789007887.00007FFDFA7AA000.00000002.00000001.01000000.00000029.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.11 19 Sep 20233.0.11built on: Wed Sep 27 22:33:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_push_octet_ptrOSSL_PARAM_BLD_to_param..\s\crypto\params.c source: dipwo1iToJ.exe, 00000001.00000002.1796919404.00007FFDFB092000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_decimal.pdb source: _decimal.pyd.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: dipwo1iToJ.exe, 00000001.00000002.1796919404.00007FFDFB092000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: crypto\bn\bn_ctx.cBN_CTX_startBN_CTX_getossl_ec_group_new_excrypto\ec\ec_lib.cEC_GROUP_copyEC_GROUP_set_generatorEC_GROUP_set_curveEC_GROUP_get_curveEC_GROUP_get_degreeEC_GROUP_check_discriminantEC_POINT_newEC_POINT_copyEC_POINT_set_to_infinityEC_POINT_set_Jprojective_coordinates_GFpEC_POINT_set_affine_coordinatesEC_POINT_get_affine_coordinatesEC_POINT_addEC_POINT_dblEC_POINT_invertEC_POINT_is_at_infinityEC_POINT_is_on_curveEC_POINT_cmpEC_POINT_mulEC_GROUP_get_trinomial_basisEC_GROUP_get_pentanomial_basisgroup_new_from_nameossl_ec_group_set_paramsencodingdecoded-from-explicitEC_GROUP_new_from_paramsgeneratorcrypto\evp\digest.cevp_md_ctx_new_exevp_md_ctx_free_algctxevp_md_init_internalEVP_DigestUpdatesizeEVP_DigestFinal_exassertion failed: mdsize <= EVP_MAX_MD_SIZEEVP_DigestFinalXOFxoflenEVP_MD_CTX_copy_exEVP_MD_CTX_ctrlmicalgssl3-msblocksizexofalgid-absentevp_md_from_algorithmupdatecrypto\evp\m_sigver.cUNDEFdo_sigver_initEVP_DigestSignUpdateEVP_DigestVerifyUpdateEVP_DigestSignFinalEVP_DigestSignEVP_DigestVerifyFinalEVP_DigestVerifycompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"3.3.2built on: Fri Oct 18 00:15:00 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availablecrypto\init.cOPENSSL_init_cryptocrypto\bio\bio_lib.cBIO_new_exbio_read_internbio_write_internBIO_sendmmsgBIO_recvmmsgBIO_putsBIO_getsBIO_get_line BIO_ctrlBIO_callback_ctrlBIO_find_type source: dipwo1iToJ.exe, 00000001.00000002.1789007887.00007FFDFA7AA000.00000002.00000001.01000000.00000029.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: dipwo1iToJ.exe, 00000001.00000002.1804397735.00007FFE120C6000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: ossl_ec_GFp_simple_group_set_curvecrypto\ec\ecp_smpl.cossl_ec_GFp_simple_group_check_discriminantossl_ec_GFp_simple_point_set_affine_coordinatesossl_ec_GFp_simple_point_get_affine_coordinatesossl_ec_GFp_simple_make_affineossl_ec_GFp_simple_points_make_affineossl_ec_GFp_simple_field_invossl_ec_GFp_simple_blind_coordinatescrypto\engine\tb_digest.cENGINE_get_digestcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specific.dllCPUINFO: crypto\initthread.cOPENSSL_ia32cap source: dipwo1iToJ.exe, 00000001.00000002.1789007887.00007FFDFA7AA000.00000002.00000001.01000000.00000029.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: dipwo1iToJ.exe, 00000000.00000003.1684977147.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1804789057.00007FFE13221000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: dipwo1iToJ.exe, 00000000.00000003.1684977147.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1804789057.00007FFE13221000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: dipwo1iToJ.exe, 00000001.00000002.1791797724.00007FFDFABDE000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-312\Release\pywintypes.pdb source: dipwo1iToJ.exe, 00000001.00000002.1799830423.00007FFE00011000.00000002.00000001.01000000.00000027.sdmp, pywintypes312.dll.0.dr
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-312\Release\pywintypes.pdb** source: dipwo1iToJ.exe, 00000001.00000002.1799830423.00007FFE00011000.00000002.00000001.01000000.00000027.sdmp, pywintypes312.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: _multiprocessing.pyd.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: dipwo1iToJ.exe, 00000001.00000002.1789007887.00007FFDFA7AA000.00000002.00000001.01000000.00000029.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: dipwo1iToJ.exe, 00000000.00000003.1685298094.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1803196864.00007FFE11075000.00000002.00000001.01000000.00000028.sdmp, VCRUNTIME140_1.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: dipwo1iToJ.exe, 00000001.00000002.1804676413.00007FFE13203000.00000002.00000001.01000000.0000000E.sdmp, select.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: dipwo1iToJ.exe, 00000001.00000002.1804294901.00007FFE11EE1000.00000002.00000001.01000000.00000007.sdmp, _ctypes.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: dipwo1iToJ.exe, 00000001.00000002.1803442290.00007FFE11507000.00000002.00000001.01000000.0000000B.sdmp, _hashlib.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_decimal.pdb$$ source: _decimal.pyd.0.dr
Source:	Binary string: D:\a\1\b\libssl-3.pdbEE source: dipwo1iToJ.exe, 00000001.00000002.1793377703.00007FFDFACA5000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: dipwo1iToJ.exe, 00000001.00000002.1803578810.00007FFE1153C000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: dipwo1iToJ.exe, 00000001.00000002.1803322459.00007FFE110F2000.00000002.00000001.01000000.00000023.sdmp, _uuid.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: dipwo1iToJ.exe, 00000000.00000003.1685437325.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1802758529.00007FFE101D8000.00000002.00000001.01000000.00000014.sdmp, _asyncio.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: dipwo1iToJ.exe, 00000001.00000002.1802907428.00007FFE10252000.00000002.00000001.01000000.00000010.sdmp, pyexpat.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: dipwo1iToJ.exe, 00000001.00000002.1804490140.00007FFE12E13000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: dipwo1iToJ.exe, 00000001.00000002.1803578810.00007FFE1153C000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: dipwo1iToJ.exe, 00000000.00000003.1685593932.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1804189678.00007FFE11EBD000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: dipwo1iToJ.exe, 00000001.00000002.1804584285.00007FFE130C4000.00000002.00000001.01000000.0000000F.sdmp, _wmi.pyd.0.dr
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-312\Release\win32api.pdb!! source: dipwo1iToJ.exe, 00000001.00000002.1799958060.00007FFE00743000.00000002.00000001.01000000.00000026.sdmp, win32api.pyd.0.dr
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-312\Release\win32api.pdb source: dipwo1iToJ.exe, 00000001.00000002.1799958060.00007FFE00743000.00000002.00000001.01000000.00000026.sdmp, win32api.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: dipwo1iToJ.exe, 00000001.00000002.1803074322.00007FFE10309000.00000002.00000001.01000000.0000000D.sdmp, _socket.pyd.0.dr
Source:	Binary string: cryptography_rust.pdb source: dipwo1iToJ.exe, 00000001.00000002.1789007887.00007FFDFA7AA000.00000002.00000001.01000000.00000029.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb''&GCTL source: dipwo1iToJ.exe, 00000001.00000002.1804584285.00007FFE130C4000.00000002.00000001.01000000.0000000F.sdmp, _wmi.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: dipwo1iToJ.exe, 00000001.00000002.1802335498.00007FFE0EB2F000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: dipwo1iToJ.exe, 00000001.00000002.1783720389.0000017A60550000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: dipwo1iToJ.exe, 00000000.00000003.1685298094.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1803196864.00007FFE11075000.00000002.00000001.01000000.00000028.sdmp, VCRUNTIME140_1.dll.0.dr
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: dipwo1iToJ.exe, 00000001.00000002.1793377703.00007FFDFACA5000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: dipwo1iToJ.exe, 00000001.00000002.1802493358.00007FFE0EB4D000.00000002.00000001.01000000.00000012.sdmp, _ssl.pyd.0.dr

Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FC92F0 FindFirstFileExW,FindClose,	0_2_00007FF6F8FC92F0
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FC83B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF6F8FC83B0
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FE18E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF6F8FE18E4

Source: unknown	TCP traffic detected without corresponding DNS query: 163.5.242.208
Source: unknown	TCP traffic detected without corresponding DNS query: 163.5.242.208
Source: unknown	TCP traffic detected without corresponding DNS query: 163.5.242.208
Source: unknown	TCP traffic detected without corresponding DNS query: 163.5.242.208
Source: unknown	TCP traffic detected without corresponding DNS query: 163.5.242.208
Source: unknown	TCP traffic detected without corresponding DNS query: 163.5.242.208
Source: unknown	TCP traffic detected without corresponding DNS query: 163.5.242.208
Source: unknown	TCP traffic detected without corresponding DNS query: 163.5.242.208
Source: unknown	TCP traffic detected without corresponding DNS query: 163.5.242.208
Source: unknown	TCP traffic detected without corresponding DNS query: 163.5.242.208

Source: global traffic	HTTP traffic detected: GET /bababa31692_token.txt HTTP/1.1Host: 163.5.242.208User-Agent: python-requests/2.32.3Accept-Encoding: gzip, deflateAccept: /Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /7236785358_chat.txt HTTP/1.1Host: 163.5.242.208User-Agent: python-requests/2.32.3Accept-Encoding: gzip, deflateAccept: /Connection: keep-alive

Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: - https://www.facebook.com/groups/ equals www.facebook.com (Facebook)
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: d- https://www.facebook.com/groups/ equals www.facebook.com (Facebook)
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: member_countz"- https://www.facebook.com/groups/z equals www.facebook.com (Facebook)

Source: dipwo1iToJ.exe, 00000001.00000002.1785999287.0000017A61630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.../back.jpeg
Source: dipwo1iToJ.exe, 00000001.00000002.1785216227.0000017A61210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://163.5.242.208/7236785358_chat.txt
Source: dipwo1iToJ.exe, 00000001.00000002.1787594884.0000017A628F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://163.5.242.208/7236785358_chat.txtPn
Source: dipwo1iToJ.exe, 00000001.00000002.1787594884.0000017A628F0000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1785216227.0000017A61210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://163.5.242.208/bababa31692_token.txt
Source: dipwo1iToJ.exe, 00000001.00000002.1785216227.0000017A61210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://163.5.242.208/bababa31692_token.txtsl-modulesd
Source: dipwo1iToJ.exe, 00000001.00000003.1724378756.0000017A60DC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://163.5.242.208/bababa31692_token.txtz(http://163.5.242.208/7236785358_chat.txtc
Source: dipwo1iToJ.exe, 00000001.00000002.1786434698.0000017A61A00000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1786434698.0000017A61B3A000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618FE000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784723256.0000017A60E9F000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1786434698.0000017A619AE000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1786607711.0000017A61B7E000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1783821326.0000017A606CD000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784723256.0000017A60E63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html
Source: dipwo1iToJ.exe, 00000000.00000003.1685437325.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000000.00000003.1685593932.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _wmi.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, _asyncio.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: dipwo1iToJ.exe, 00000000.00000003.1685437325.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000000.00000003.1685593932.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _wmi.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, _asyncio.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: dipwo1iToJ.exe, 00000000.00000003.1685437325.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000000.00000003.1685593932.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _wmi.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, _asyncio.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: dipwo1iToJ.exe, 00000000.00000003.1685437325.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000000.00000003.1685593932.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _wmi.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, _asyncio.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60BB5000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784232573.0000017A60AD0000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1720406212.0000017A6071E000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1722143244.0000017A6071E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: dipwo1iToJ.exe, 00000001.00000003.1720054100.0000017A60C27000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784232573.0000017A60AD0000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1719700729.0000017A60BBD000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1719700729.0000017A60C0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577916/
Source: dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618FE000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60C65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60C65000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1783601146.0000017A60450000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618FE000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60C65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: dipwo1iToJ.exe, 00000001.00000002.1784232573.0000017A60AD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: dipwo1iToJ.exe, 00000001.00000002.1784232573.0000017A60AD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60C65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: dipwo1iToJ.exe, 00000000.00000003.1685437325.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000000.00000003.1685593932.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _wmi.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, _asyncio.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: dipwo1iToJ.exe, 00000000.00000003.1685437325.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000000.00000003.1685593932.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _wmi.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, _asyncio.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: dipwo1iToJ.exe, 00000000.00000003.1685437325.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000000.00000003.1685593932.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _wmi.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, _asyncio.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: _asyncio.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: dipwo1iToJ.exe, 00000000.00000003.1685437325.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000000.00000003.1685593932.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _wmi.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, _asyncio.pyd.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: dipwo1iToJ.exe, 00000001.00000002.1786607711.0000017A61B7E000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1783821326.0000017A606CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/eax/eax-spec.pdf
Source: dipwo1iToJ.exe, 00000001.00000002.1786434698.0000017A61A00000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784723256.0000017A60E9F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf
Source: dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618FE000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784723256.0000017A60E63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
Source: dipwo1iToJ.exe, 00000001.00000002.1786434698.0000017A61A00000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1786434698.0000017A61B3A000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60D81000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1787439688.0000017A622D0000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1787297845.0000017A62090000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1786434698.0000017A619AE000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1785999287.0000017A61630000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60C65000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1787515881.0000017A62710000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1786607711.0000017A61B7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: dipwo1iToJ.exe, 00000001.00000002.1785999287.0000017A61630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: dipwo1iToJ.exe, 00000001.00000002.1785801228.0000017A61510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.kill
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate
Source: dipwo1iToJ.exe, 00000001.00000002.1784965590.0000017A60FF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/library/itertools.html#recipes
Source: dipwo1iToJ.exe, 00000001.00000002.1784965590.0000017A60FF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar.tar.gz
Source: dipwo1iToJ.exe, 00000001.00000002.1784965590.0000017A60FF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar.tgz
Source: dipwo1iToJ.exe, 00000001.00000002.1787439688.0000017A622D0000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784723256.0000017A60E9F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://goo.gl/zeJZl.
Source: dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60C65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: dipwo1iToJ.exe, 00000001.00000002.1783821326.0000017A6071E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60D81000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60C65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: dipwo1iToJ.exe, 00000001.00000002.1786434698.0000017A61A00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://httpbin.org/post
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/jsonr
Source: dipwo1iToJ.exe, 00000001.00000002.1786434698.0000017A61A00000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1787439688.0000017A622D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://mail.python.org/pipermail/python-dev/2012-June/120787.html.
Source: dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es
Source: dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: dipwo1iToJ.exe, 00000000.00000003.1685437325.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000000.00000003.1685593932.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _wmi.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, _asyncio.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: dipwo1iToJ.exe, 00000000.00000003.1685437325.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000000.00000003.1685593932.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _wmi.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, _asyncio.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: dipwo1iToJ.exe, 00000000.00000003.1685437325.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000000.00000003.1685593932.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _wmi.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, _asyncio.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: dipwo1iToJ.exe, 00000000.00000003.1685437325.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000000.00000003.1685593932.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _wmi.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, _asyncio.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: dipwo1iToJ.exe, 00000001.00000002.1784148989.0000017A609A0000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784874976.0000017A60ED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://opensource.apple.com/source/CF/CF-744.18/CFBinaryPList.c
Source: dipwo1iToJ.exe, 00000001.00000002.1786135596.0000017A61780000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://python.org
Source: dipwo1iToJ.exe, 00000001.00000002.1786434698.0000017A619AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://python.org/
Source: dipwo1iToJ.exe, 00000001.00000002.1786135596.0000017A61780000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://python.org:80
Source: dipwo1iToJ.exe, 00000001.00000002.1783821326.0000017A6071E000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60D81000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60BB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: dipwo1iToJ.exe, 00000001.00000002.1786434698.0000017A61A00000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1786434698.0000017A61B3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc4880
Source: dipwo1iToJ.exe, 00000001.00000002.1787515881.0000017A62710000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5297
Source: dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60C65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5869
Source: dipwo1iToJ.exe, 00000001.00000002.1785999287.0000017A61630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: dipwo1iToJ.exe, 00000001.00000002.1786434698.0000017A61B3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
Source: dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618FE000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crlS
Source: dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm
Source: dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618FE000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: dipwo1iToJ.exe, 00000001.00000002.1784874976.0000017A60ED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60D81000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/LuvN
Source: dipwo1iToJ.exe, 00000001.00000002.1786434698.0000017A61B3A000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1786434698.0000017A619AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
Source: dipwo1iToJ.exe, 00000000.00000003.1685437325.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000000.00000003.1685593932.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _wmi.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, _asyncio.pyd.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618FE000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1783821326.0000017A606CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: dipwo1iToJ.exe, 00000001.00000003.1727487193.0000017A6086F000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1783821326.0000017A6084A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: dipwo1iToJ.exe, 00000001.00000002.1786434698.0000017A61B3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rfc-editor.org/info/rfc7253
Source: dipwo1iToJ.exe, 00000001.00000002.1786434698.0000017A61B3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tarsnap.com/scrypt/scrypt-slides.pdf
Source: dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618FE000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1786135596.0000017A61780000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://127.0.0.1:8443
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.riotgames.com/api/account/v1/user
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://accounts.reddit.com/api/access_token
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.reddit.com/api/access_tokenz
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServer
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServerrt
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.hypixel.net/player?key=aa5d84c7-f617-4069-9e64-ae177cd7b869&uuid=
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.hypixel.net/player?key=aa5d84c7-f617-4069-9e64-ae177cd7b869&uuid=r
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.namemc.com/profile/
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/IPlayerService/GetOwnedGames/v0001/?key=440D7F4D810EF9298D25EDDF37C1F90
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/IPlayerService/GetSteamLevel/v1/?key=440D7F4D810EF9298D25EDDF37C1F902&s
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/ISteamUser/GetPlayerSummaries/v0002/?key=440D7F4D810EF9298D25EDDF37C1F9
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://battle.net
Source: METADATA.0.dr	String found in binary or memory: https://blog.jaraco.com/skeleton
Source: dipwo1iToJ.exe, 00000001.00000002.1787439688.0000017A622D0000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1786607711.0000017A61B7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugs.python.org/issue37179
Source: dipwo1iToJ.exe, 00000001.00000002.1785102451.0000017A610F0000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1785216227.0000017A61210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugs.python.org/issue44497.
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://catbox.moe/user/api.php
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://catbox.moe/user/api.phpr
Source: dipwo1iToJ.exe, 00000001.00000002.1799219482.00007FFDFF6CC000.00000002.00000001.01000000.0000002A.sdmp	String found in binary or memory: https://cffi.readthedocs.io/en/latest/using.html#callbacks
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crafatar.com/skins/
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crafatar.com/skins/z1.png
Source: dipwo1iToJ.exe, 00000001.00000002.1789007887.00007FFDFA7AA000.00000002.00000001.01000000.00000029.sdmp	String found in binary or memory: https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file
Source: dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618FE000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1786135596.0000017A61780000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2
Source: dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.3
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/users/
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v6/guilds/
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v6/guilds/r
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v6/users/
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.gg/
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.gg/r
Source: dipwo1iToJ.exe, 00000001.00000002.1787439688.0000017A622D0000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1786607711.0000017A61B7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.aiohttp.org/en/stable/client_advanced.html#proxy-support
Source: METADATA0.0.dr	String found in binary or memory: https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-github-profile/customizi
Source: dipwo1iToJ.exe, 00000001.00000003.1719042544.0000017A60817000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1718206364.0000017A60815000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1715349063.0000017A60815000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1783821326.0000017A6084A000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1720080418.0000017A60817000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1719985872.0000017A60815000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1715319594.0000017A60823000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1716039388.0000017A6081F000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1727487193.0000017A607FA000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1720015694.0000017A6081B000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1721263504.0000017A60812000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: dipwo1iToJ.exe, 00000001.00000002.1786434698.0000017A619AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/howto/mro.html
Source: dipwo1iToJ.exe, 00000001.00000002.1787439688.0000017A622D0000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60C65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/asyncio-eventloop.html
Source: dipwo1iToJ.exe, 00000001.00000003.1710250517.0000017A6045F000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710274832.0000017A60456000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1783399636.0000017A60100000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: dipwo1iToJ.exe, 00000001.00000002.1783399636.0000017A6017C000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710250517.0000017A6045F000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710274832.0000017A60456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: dipwo1iToJ.exe, 00000001.00000002.1783399636.0000017A6017C000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710250517.0000017A6045F000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710274832.0000017A60456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: dipwo1iToJ.exe, 00000001.00000002.1783399636.0000017A6017C000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710250517.0000017A6045F000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710274832.0000017A60456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: dipwo1iToJ.exe, 00000001.00000002.1783399636.0000017A6017C000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710250517.0000017A6045F000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710274832.0000017A60456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: dipwo1iToJ.exe, 00000001.00000003.1710250517.0000017A6045F000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710274832.0000017A60456000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1783520183.0000017A60350000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: dipwo1iToJ.exe, 00000001.00000003.1710250517.0000017A6045F000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710274832.0000017A60456000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1783520183.0000017A60350000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: dipwo1iToJ.exe, 00000001.00000002.1783399636.0000017A6017C000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710250517.0000017A6045F000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710274832.0000017A60456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: dipwo1iToJ.exe, 00000001.00000002.1783280394.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710250517.0000017A6045F000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1717300666.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710274832.0000017A60456000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1713302317.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1712793220.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1713862624.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: METADATA.0.dr	String found in binary or memory: https://docs.python.org/3/library/importlib.metadata.html
Source: dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60BB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/multiprocessing.html
Source: METADATA.0.dr	String found in binary or memory: https://docs.python.org/3/reference/import.html#finders-and-loaders
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebay.com
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://epicgames.com
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://file.io/
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://file.io/r
Source: METADATA0.0.dr	String found in binary or memory: https://filepreviews.io/
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://friends.roblox.com/v1/users/
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://friends.roblox.com/v1/users/rP
Source: dipwo1iToJ.exe, 00000001.00000002.1784965590.0000017A60FF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com
Source: dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60C65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: dipwo1iToJ.exe, 00000001.00000002.1783280394.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710250517.0000017A6045F000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1717300666.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710274832.0000017A60456000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1713302317.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1712793220.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1713862624.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1783601146.0000017A60450000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: dipwo1iToJ.exe, 00000001.00000002.1787439688.0000017A622D0000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1786607711.0000017A61B7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/aio-libs/aiohttp/discussions/6044
Source: METADATA.0.dr	String found in binary or memory: https://github.com/astral-sh/ruff
Source: dipwo1iToJ.exe, 00000001.00000002.1787515881.0000017A62710000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/giampaolo/psutil/issues/875.
Source: dipwo1iToJ.exe, 00000001.00000002.1784965590.0000017A60FF0000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1720406212.0000017A6071E000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1722143244.0000017A6071E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jaraco/jaraco.functools/issues/5
Source: dipwo1iToJ.exe, 00000001.00000002.1799878580.00007FFE00022000.00000002.00000001.01000000.00000027.sdmp, dipwo1iToJ.exe, 00000001.00000002.1800009311.00007FFE00751000.00000002.00000001.01000000.00000026.sdmp, win32api.pyd.0.dr, pywintypes312.dll.0.dr	String found in binary or memory: https://github.com/mhammond/pywin32
Source: dipwo1iToJ.exe, 00000001.00000002.1784965590.0000017A60FF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/platformdirs/platformdirs
Source: dipwo1iToJ.exe, 00000001.00000002.1786135596.0000017A61780000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/psf/requests/pull/6710
Source: dipwo1iToJ.exe, 00000001.00000002.1789007887.00007FFDFA7AA000.00000002.00000001.01000000.00000029.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/issues
Source: dipwo1iToJ.exe, 00000001.00000002.1789007887.00007FFDFA7AA000.00000002.00000001.01000000.00000029.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/issues/8996
Source: dipwo1iToJ.exe, 00000001.00000002.1789007887.00007FFDFA7AA000.00000002.00000001.01000000.00000029.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/issues/9253
Source: METADATA2.0.dr	String found in binary or memory: https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md
Source: dipwo1iToJ.exe, 00000001.00000002.1784874976.0000017A60ED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/packaging
Source: dipwo1iToJ.exe, 00000001.00000002.1785418273.0000017A61310000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues/1024.
Source: dipwo1iToJ.exe, 00000001.00000002.1785102451.0000017A610F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues/417#issuecomment-392298401
Source: dipwo1iToJ.exe, 00000001.00000002.1785216227.0000017A61210000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues/new?template=distutils-deprecation.yml
Source: METADATA2.0.dr	String found in binary or memory: https://github.com/pypa/wheel
Source: METADATA2.0.dr	String found in binary or memory: https://github.com/pypa/wheel/issues
Source: METADATA0.0.dr	String found in binary or memory: https://github.com/python-attrs/attrs
Source: METADATA0.0.dr	String found in binary or memory: https://github.com/python-attrs/attrs)
Source: METADATA0.0.dr	String found in binary or memory: https://github.com/python-attrs/attrs/blob/main/.github/CONTRIBUTING.md)
Source: METADATA0.0.dr	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1328)
Source: METADATA0.0.dr	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1329)
Source: METADATA0.0.dr	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1330)
Source: dipwo1iToJ.exe, 00000001.00000002.1786434698.0000017A619AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/136
Source: dipwo1iToJ.exe, 00000001.00000002.1783821326.0000017A606CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/251
Source: dipwo1iToJ.exe, 00000001.00000002.1786434698.0000017A619AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/428
Source: METADATA0.0.dr	String found in binary or memory: https://github.com/python-attrs/attrs/wiki/Extensions-to-attrs)
Source: dipwo1iToJ.exe, 00000001.00000002.1783399636.0000017A6017C000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710250517.0000017A6045F000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710274832.0000017A60456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: dipwo1iToJ.exe, 00000001.00000002.1783601146.0000017A60450000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: dipwo1iToJ.exe, 00000001.00000002.1783280394.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710250517.0000017A6045F000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1717300666.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710274832.0000017A60456000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1713302317.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1712793220.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1713862624.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1783601146.0000017A60450000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: dipwo1iToJ.exe, 00000001.00000003.1717435682.0000017A60737000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1783821326.0000017A6071E000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1716973785.0000017A60AD1000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1716973785.0000017A60B31000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1715983243.0000017A60B31000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1718401236.0000017A60737000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1720406212.0000017A6071E000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1719042544.0000017A60737000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1722143244.0000017A6071E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: dipwo1iToJ.exe, 00000001.00000002.1787297845.0000017A62090000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/pull/118960
Source: dipwo1iToJ.exe, 00000001.00000002.1787439688.0000017A622D0000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1786607711.0000017A61B7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/pull/28073
Source: METADATA.0.dr	String found in binary or memory: https://github.com/python/importlib_metadata
Source: METADATA.0.dr	String found in binary or memory: https://github.com/python/importlib_metadata/actions/workflows/main.yml/badge.svg
Source: METADATA.0.dr	String found in binary or memory: https://github.com/python/importlib_metadata/actions?query=workflow%3A%22tests%22
Source: METADATA.0.dr	String found in binary or memory: https://github.com/python/importlib_metadata/issues
Source: METADATA0.0.dr	String found in binary or memory: https://github.com/sponsors/hynek
Source: METADATA0.0.dr	String found in binary or memory: https://github.com/sponsors/hynek).
Source: dipwo1iToJ.exe, 00000001.00000002.1783280394.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710250517.0000017A6045F000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1717300666.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710274832.0000017A60456000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1713302317.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1712793220.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1713862624.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1783601146.0000017A60450000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60C65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: dipwo1iToJ.exe, 00000001.00000002.1785801228.0000017A61510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: dipwo1iToJ.exe, 00000001.00000002.1785999287.0000017A61630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.comr
Source: dipwo1iToJ.exe, 00000001.00000002.1783601146.0000017A60478000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60D81000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60BB5000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60C65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60D81000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60BB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: dipwo1iToJ.exe, 00000001.00000002.1783821326.0000017A6071E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gql.twitch.tv/gql
Source: dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60C65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60C65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: dipwo1iToJ.exe, 00000001.00000002.1786135596.0000017A61780000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60C42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: METADATA0.0.dr	String found in binary or memory: https://hynek.me/articles/import-attrs/)
Source: dipwo1iToJ.exe, 00000001.00000002.1785418273.0000017A61310000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://i.instagram.com/api/v1/accounts/current_user/?edit=true
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i.instagram.com/api/v1/accounts/current_user/?edit=trueTr
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://i.instagram.com/api/v1/users/
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i.instagram.com/api/v1/users/r
Source: METADATA.0.dr	String found in binary or memory: https://img.shields.io/badge/skeleton-2024-informational
Source: METADATA.0.dr	String found in binary or memory: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/charliermarsh/ruff/main/assets
Source: METADATA.0.dr	String found in binary or memory: https://img.shields.io/pypi/pyversions/importlib_metadata.svg
Source: METADATA.0.dr	String found in binary or memory: https://img.shields.io/pypi/v/importlib_metadata.svg
Source: METADATA.0.dr	String found in binary or memory: https://importlib-metadata.readthedocs.io/
Source: METADATA.0.dr	String found in binary or memory: https://importlib-metadata.readthedocs.io/en/latest/?badge=latest
Source: dipwo1iToJ.exe, 00000001.00000002.1784874976.0000017A60ED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://instagram.com
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://instagram.com/
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://inventory.roblox.com/v1/users/
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://inventory.roblox.com/v1/users/z4/assets/collectibles?sortOrder=Asc&limit=100&cursor=
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/json
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/jsonu
Source: dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60D81000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60BB5000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60C65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: METADATA0.0.dr	String found in binary or memory: https://klaviyo.com/
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://krakenfiles.com/api/v1/file/upload
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://krakenfiles.com/api/v1/file/uploadr
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://leagueoflegends.com
Source: dipwo1iToJ.exe, 00000001.00000003.1722665071.0000017A60BFD000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60BB5000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1722333865.0000017A60C1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: dipwo1iToJ.exe, 00000001.00000002.1786607711.0000017A61B7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://oauth.reddit.com/api/v1/me
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://oauth.reddit.com/api/v1/mez&android:com.example.myredditapp:v1.2.3z
Source: dipwo1iToJ.exe, 00000001.00000002.1785418273.0000017A61310000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/guides/packaging-namespace-packages/.
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/core-metadata/
Source: dipwo1iToJ.exe, 00000001.00000002.1785418273.0000017A61310000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/
Source: dipwo1iToJ.exe, 00000001.00000002.1785418273.0000017A61310000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/All
Source: dipwo1iToJ.exe, 00000001.00000002.1783821326.0000017A606CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/pyproject-toml/#declaring-project-metadata-the
Source: dipwo1iToJ.exe, 00000001.00000002.1785418273.0000017A61310000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paypal.com
Source: dipwo1iToJ.exe, 00000001.00000002.1784148989.0000017A609A0000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1716236294.0000017A6068F000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr	String found in binary or memory: https://peps.python.org/pep-0205/
Source: dipwo1iToJ.exe, 00000001.00000002.1797680341.00007FFDFB5F4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: METADATA0.0.dr	String found in binary or memory: https://peps.python.org/pep-0649/)
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0685/
Source: METADATA0.0.dr	String found in binary or memory: https://peps.python.org/pep-0749/)-implementing
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://playstation.com
Source: METADATA0.0.dr	String found in binary or memory: https://pypi.org/project/attrs/)
Source: dipwo1iToJ.exe, 00000001.00000002.1785418273.0000017A61310000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1785102451.0000017A610F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/build/).
Source: METADATA.0.dr	String found in binary or memory: https://pypi.org/project/importlib_metadata
Source: METADATA2.0.dr	String found in binary or memory: https://pypi.org/project/setuptools/
Source: METADATA0.0.dr	String found in binary or memory: https://raw.githubusercontent.com/python-attrs/attrs/main/docs/_static/attrs_logo.svg
Source: METADATA.0.dr	String found in binary or memory: https://readthedocs.org/projects/importlib-metadata/badge/?version=latest
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reddit.com
Source: dipwo1iToJ.exe, 00000001.00000002.1784965590.0000017A60FF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://refspecs.linuxfoundation.org/elf/gabi4
Source: dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60C42000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1786135596.0000017A61780000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: dipwo1iToJ.exe, 00000001.00000002.1786135596.0000017A61780000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.ioe
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://riotgames.com
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://s.optifine.net/capes/
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.optifine.net/capes/z
Source: dipwo1iToJ.exe, 00000001.00000002.1785418273.0000017A61310000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/
Source: dipwo1iToJ.exe, 00000001.00000003.1714086462.0000017A6080D000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1714340744.0000017A60782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html
Source: dipwo1iToJ.exe, 00000001.00000003.1714086462.0000017A607BE000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1717435682.0000017A60737000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1783821326.0000017A6071E000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1716236294.0000017A60737000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1714727421.0000017A60779000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1714304132.0000017A607AE000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1714086462.0000017A6080D000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1718401236.0000017A60737000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1720406212.0000017A6071E000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1719042544.0000017A60737000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1722143244.0000017A6071E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access
Source: dipwo1iToJ.exe, 00000001.00000002.1784071137.0000017A608A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packages
Source: dipwo1iToJ.exe, 00000001.00000003.1714086462.0000017A607BE000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1714086462.0000017A6080D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr:
Source: dipwo1iToJ.exe, 00000001.00000003.1714086462.0000017A607BE000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1714086462.0000017A6080D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr:r;Nr
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://skype.com
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spotify.com
Source: dipwo1iToJ.exe, 00000001.00000002.1787515881.0000017A62710000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/4457745#4457745.
Source: METADATA0.0.dr	String found in binary or memory: https://stackoverflow.com/questions/tagged/python-attrs)
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/blxstealer
Source: METADATA0.0.dr	String found in binary or memory: https://tidelift.com/?utm_source=lifter&utm_medium=referral&utm_campaign=hynek
Source: METADATA0.0.dr	String found in binary or memory: https://tidelift.com/?utm_source=lifter&utm_medium=referral&utm_campaign=hynek).
Source: METADATA.0.dr	String found in binary or memory: https://tidelift.com/badges/package/pypi/importlib-metadata
Source: METADATA0.0.dr	String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-attrs?utm_source=pypi-attrs&utm_medium=pypi
Source: METADATA.0.dr	String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-importlib-metadata?utm_source=pypi-importlib-metadata&utm
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tiktok.com
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiktok.comr
Source: dipwo1iToJ.exe, 00000001.00000002.1783821326.0000017A6071E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: dipwo1iToJ.exe, 00000001.00000002.1786434698.0000017A61A00000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784723256.0000017A60E9F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc3610
Source: dipwo1iToJ.exe, 00000001.00000002.1786434698.0000017A61B3A000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1786434698.0000017A619AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc5297
Source: dipwo1iToJ.exe, 00000001.00000002.1783821326.0000017A6071E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitch.tv
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/home
Source: dipwo1iToJ.exe, 00000001.00000002.1785418273.0000017A61310000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/i/api/1.1/account/update_profile.json
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/i/api/1.1/account/update_profile.jsonTr
Source: dipwo1iToJ.exe, 00000001.00000002.1785418273.0000017A61310000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/i/api/1.1/account/update_profile.jsonc
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/r
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uguu.se/api.p
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://uguu.se/api.php?d=upload
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uguu.se/api.php?d=uploadr
Source: dipwo1iToJ.exe, 00000001.00000002.1785999287.0000017A61630000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: dipwo1iToJ.exe, 00000001.00000002.1785801228.0000017A61510000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://users.roblox.com/v1/users/
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://users.roblox.com/v1/users/r
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://webcast.tiktok.com/webcast/wallet_api/diamond_buy/permission/?aid=1988
Source: METADATA2.0.dr	String found in binary or memory: https://wheel.readthedocs.io/
Source: METADATA2.0.dr	String found in binary or memory: https://wheel.readthedocs.io/en/stable/news.html
Source: dipwo1iToJ.exe, 00000001.00000002.1783601146.0000017A60478000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1720054100.0000017A60C27000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1719700729.0000017A60BBD000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1719700729.0000017A60C0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www-cs-faculty.stanford.edu/~knuth/fasc2a.ps.gz
Source: LICENSE.APACHE.0.dr	String found in binary or memory: https://www.apache.org/licenses/
Source: LICENSE.APACHE.0.dr	String found in binary or memory: https://www.apache.org/licenses/LICENSE-2.0
Source: METADATA0.0.dr	String found in binary or memory: https://www.attrs.org/
Source: METADATA0.0.dr	String found in binary or memory: https://www.attrs.org/)
Source: METADATA0.0.dr	String found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/
Source: METADATA0.0.dr	String found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/FilePreviews.svg
Source: METADATA0.0.dr	String found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/Klaviyo.svg
Source: METADATA0.0.dr	String found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/Tidelift.svg
Source: METADATA0.0.dr	String found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/Variomedia.svg
Source: METADATA0.0.dr	String found in binary or memory: https://www.attrs.org/en/latest/glossary.html#term-dunder-methods)).
Source: METADATA0.0.dr	String found in binary or memory: https://www.attrs.org/en/latest/names.html)
Source: METADATA0.0.dr	String found in binary or memory: https://www.attrs.org/en/stable/changelog.html
Source: METADATA0.0.dr	String found in binary or memory: https://www.attrs.org/en/stable/changelog.html)
Source: METADATA0.0.dr	String found in binary or memory: https://www.attrs.org/en/stable/comparison.html#customization)
Source: METADATA0.0.dr	String found in binary or memory: https://www.attrs.org/en/stable/init.html#hooking-yourself-into-initialization)
Source: METADATA0.0.dr	String found in binary or memory: https://www.attrs.org/en/stable/why.html#data-classes)
Source: dipwo1iToJ.exe, 00000001.00000002.1783520183.0000017A60350000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/scl/fi/3clo0b3x6nfajqm27kvx6/exodus.asar?rlkey=200tiyus0rc0u3u4j9kf517l0&st=
Source: dipwo1iToJ.exe, 00000001.00000002.1783520183.0000017A60350000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/scl/fi/xtt2n593d5n4svefktjhy/atomic.asar?rlkey=5refutaevle4aapp0p6hgn7q1&st=
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.guilded.gg/api/me
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.guilded.gg/api/mez
Source: dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60D81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ietf.org/rfc/rfc2898.txt
Source: dipwo1iToJ.exe, 00000001.00000002.1793601128.00007FFDFACE0000.00000002.00000001.01000000.00000013.sdmp, dipwo1iToJ.exe, 00000001.00000002.1797375803.00007FFDFB1D3000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: dipwo1iToJ.exe, 00000001.00000002.1785418273.0000017A61310000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.patreon.com/api/current_user?include=connected_socials%2Ccampaign.connected_socials&json
Source: dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60C42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: dipwo1iToJ.exe, 00000001.00000003.1722665071.0000017A60BFD000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60BB5000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1722333865.0000017A60C1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/
Source: METADATA2.0.dr	String found in binary or memory: https://www.python.org/dev/peps/pep-0427/
Source: dipwo1iToJ.exe, 00000001.00000003.1712023062.0000017A604FC000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1711892136.0000017A604A7000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1711892136.0000017A604F5000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1783399636.0000017A60100000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/ftp/python/3.12.6/python-3.12.6-amd64.exe
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/ftp/python/3.12.6/python-3.12.6-amd64.exez
Source: dipwo1iToJ.exe, 00000001.00000002.1798106922.00007FFDFB764000.00000008.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.python.org/psf/license/
Source: dipwo1iToJ.exe, 00000001.00000002.1797680341.00007FFDFB5F4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.python.org/psf/license/)
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.reddit.com/user/
Source: dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60BB5000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784723256.0000017A60E63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.roblox.com/mobileapi/userinfo
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.roblox.com/mobileapi/userinfor
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.spotify.com/api/account-settings/v1/profile
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.spotify.com/api/account-settings/v1/profilez7https://www.spotify.com/eg-en/api/account/v
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.spotify.com/eg-en/api/account/v1/datalayer/
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tiktok.com/api/user/list/?count=1&minCursor=0&scene=67&secUid=
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.tiktok.com/passport/web/account/info/
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tiktok.com/passport/web/account/info/zNhttps://webcast.tiktok.com/webcast/wallet_api/dia
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.twitch.tv/
Source: METADATA0.0.dr	String found in binary or memory: https://www.variomedia.de/
Source: dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60C65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://xbox.com
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xbox.comz
Source: dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60D81000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60BB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com)

Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FE0938	0_2_00007FF6F8FE0938
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FE69D4	0_2_00007FF6F8FE69D4
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FE5C70	0_2_00007FF6F8FE5C70
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FC8BD0	0_2_00007FF6F8FC8BD0
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FC1000	0_2_00007FF6F8FC1000
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FDDACC	0_2_00007FF6F8FDDACC
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FD8154	0_2_00007FF6F8FD8154
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FD19B4	0_2_00007FF6F8FD19B4
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FD21D4	0_2_00007FF6F8FD21D4
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FD3A14	0_2_00007FF6F8FD3A14
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FD2C80	0_2_00007FF6F8FD2C80
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FE3C80	0_2_00007FF6F8FE3C80
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FE0938	0_2_00007FF6F8FE0938
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FE6488	0_2_00007FF6F8FE6488
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FCA4E4	0_2_00007FF6F8FCA4E4
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FCAD1D	0_2_00007FF6F8FCAD1D
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FCA34B	0_2_00007FF6F8FCA34B
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FD1BC0	0_2_00007FF6F8FD1BC0
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FE5EEC	0_2_00007FF6F8FE5EEC
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FD9F10	0_2_00007FF6F8FD9F10
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FD5DA0	0_2_00007FF6F8FD5DA0
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FD1DC4	0_2_00007FF6F8FD1DC4
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FDE5E0	0_2_00007FF6F8FDE5E0
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FD3610	0_2_00007FF6F8FD3610
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FC9870	0_2_00007FF6F8FC9870
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FE18E4	0_2_00007FF6F8FE18E4
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FE411C	0_2_00007FF6F8FE411C
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FDDF60	0_2_00007FF6F8FDDF60
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FE9798	0_2_00007FF6F8FE9798
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FD17B0	0_2_00007FF6F8FD17B0
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FD1FD0	0_2_00007FF6F8FD1FD0
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FD8804	0_2_00007FF6F8FD8804
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 1_2_00007FFDFA9912F0	1_2_00007FFDFA9912F0
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 1_2_00007FFDFA9918A0	1_2_00007FFDFA9918A0
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 1_2_00007FFDFAB44AB0	1_2_00007FFDFAB44AB0
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 1_2_00007FFDFAB29A70	1_2_00007FFDFAB29A70
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 1_2_00007FFDFAB11A80	1_2_00007FFDFAB11A80
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 1_2_00007FFDFAABAAB0	1_2_00007FFDFAABAAB0
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 1_2_00007FFDFAB36BE0	1_2_00007FFDFAB36BE0
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 1_2_00007FFDFAACBB70	1_2_00007FFDFAACBB70
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 1_2_00007FFDFAB62B90	1_2_00007FFDFAB62B90
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 1_2_00007FFDFAAB6948	1_2_00007FFDFAAB6948

Source: C:\Users\user\Desktop\dipwo1iToJ.exe

Code function: String function: 00007FF6F8FC2710 appears 52 times

Source: _overlapped.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: python3.dll.0.dr

Static PE information: No import functions for PE file found

Source: dipwo1iToJ.exe, 00000000.00000003.1685437325.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_asyncio.pyd. vs dipwo1iToJ.exe
Source: dipwo1iToJ.exe, 00000000.00000003.1685593932.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs dipwo1iToJ.exe
Source: dipwo1iToJ.exe, 00000000.00000003.1684977147.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs dipwo1iToJ.exe
Source: dipwo1iToJ.exe, 00000000.00000003.1685298094.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs dipwo1iToJ.exe
Source: dipwo1iToJ.exe	Binary or memory string: OriginalFilename vs dipwo1iToJ.exe
Source: dipwo1iToJ.exe, 00000001.00000002.1804715294.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs dipwo1iToJ.exe
Source: dipwo1iToJ.exe, 00000001.00000002.1803520712.00007FFE1150E000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs dipwo1iToJ.exe
Source: dipwo1iToJ.exe, 00000001.00000002.1802401027.00007FFE0EB3B000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs dipwo1iToJ.exe
Source: dipwo1iToJ.exe, 00000001.00000002.1802694137.00007FFE0EB69000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs dipwo1iToJ.exe
Source: dipwo1iToJ.exe, 00000001.00000002.1804339715.00007FFE11EEC000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs dipwo1iToJ.exe
Source: dipwo1iToJ.exe, 00000001.00000002.1793601128.00007FFDFACE0000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: OriginalFilenamelibsslH vs dipwo1iToJ.exe
Source: dipwo1iToJ.exe, 00000001.00000002.1803357473.00007FFE110F4000.00000002.00000001.01000000.00000023.sdmp	Binary or memory string: OriginalFilename_uuid.pyd. vs dipwo1iToJ.exe
Source: dipwo1iToJ.exe, 00000001.00000002.1799878580.00007FFE00022000.00000002.00000001.01000000.00000027.sdmp	Binary or memory string: OriginalFilenamepywintypes312.dll0 vs dipwo1iToJ.exe
Source: dipwo1iToJ.exe, 00000001.00000002.1804436334.00007FFE120CB000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: OriginalFilename_overlapped.pyd. vs dipwo1iToJ.exe
Source: dipwo1iToJ.exe, 00000001.00000002.1804827969.00007FFE13227000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs dipwo1iToJ.exe
Source: dipwo1iToJ.exe, 00000001.00000002.1797375803.00007FFDFB1D3000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs dipwo1iToJ.exe
Source: dipwo1iToJ.exe, 00000001.00000002.1804527886.00007FFE12E16000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs dipwo1iToJ.exe
Source: dipwo1iToJ.exe, 00000001.00000002.1802983777.00007FFE1025D000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: OriginalFilenamepyexpat.pyd. vs dipwo1iToJ.exe
Source: dipwo1iToJ.exe, 00000001.00000002.1803233447.00007FFE11079000.00000002.00000001.01000000.00000028.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs dipwo1iToJ.exe
Source: dipwo1iToJ.exe, 00000001.00000002.1792149222.00007FFDFAC10000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs dipwo1iToJ.exe
Source: dipwo1iToJ.exe, 00000001.00000002.1790657853.00007FFDFAAA4000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs dipwo1iToJ.exe
Source: dipwo1iToJ.exe, 00000001.00000002.1804228698.00007FFE11EC2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs dipwo1iToJ.exe
Source: dipwo1iToJ.exe, 00000001.00000002.1803143210.00007FFE10313000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs dipwo1iToJ.exe
Source: dipwo1iToJ.exe, 00000001.00000002.1800009311.00007FFE00751000.00000002.00000001.01000000.00000026.sdmp	Binary or memory string: OriginalFilenamewin32api.pyd0 vs dipwo1iToJ.exe
Source: dipwo1iToJ.exe, 00000001.00000002.1798405140.00007FFDFB88D000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamepython312.dll. vs dipwo1iToJ.exe
Source: dipwo1iToJ.exe, 00000001.00000002.1802798048.00007FFE101DF000.00000002.00000001.01000000.00000014.sdmp	Binary or memory string: OriginalFilename_asyncio.pyd. vs dipwo1iToJ.exe
Source: dipwo1iToJ.exe, 00000001.00000002.1804622462.00007FFE130C7000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilename_wmi.pyd. vs dipwo1iToJ.exe
Source: dipwo1iToJ.exe, 00000001.00000002.1803635745.00007FFE11545000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs dipwo1iToJ.exe
Source: dipwo1iToJ.exe, 00000001.00000002.1783720389.0000017A60550000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs dipwo1iToJ.exe

Source: classification engine

Classification label: mal52.troj.winEXE@3/109@0/2

Source: C:\Users\user\Desktop\dipwo1iToJ.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI68642

Jump to behavior

Source: dipwo1iToJ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\dipwo1iToJ.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Architecture FROM Win32_Processor

Source: C:\Users\user\Desktop\dipwo1iToJ.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: dipwo1iToJ.exe, 00000001.00000002.1791797724.00007FFDFABDE000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: dipwo1iToJ.exe, 00000001.00000002.1785216227.0000017A61210000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT item1, item2 FROM metadata;
Source: dipwo1iToJ.exe, 00000001.00000002.1791797724.00007FFDFABDE000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: dipwo1iToJ.exe, 00000001.00000002.1791797724.00007FFDFABDE000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: dipwo1iToJ.exe, 00000001.00000002.1791797724.00007FFDFABDE000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: dipwo1iToJ.exe, dipwo1iToJ.exe, 00000001.00000002.1791797724.00007FFDFABDE000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: dipwo1iToJ.exe, 00000001.00000002.1791797724.00007FFDFABDE000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT a11, a102 FROM nssPrivate WHERE a102 = ?;
Source: dipwo1iToJ.exe, 00000001.00000002.1791797724.00007FFDFABDE000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: dipwo1iToJ.exe

ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\dipwo1iToJ.exe

File read: C:\Users\user\Desktop\dipwo1iToJ.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\dipwo1iToJ.exe "C:\Users\user\Desktop\dipwo1iToJ.exe"
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Process created: C:\Users\user\Desktop\dipwo1iToJ.exe "C:\Users\user\Desktop\dipwo1iToJ.exe"
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Process created: C:\Users\user\Desktop\dipwo1iToJ.exe "C:\Users\user\Desktop\dipwo1iToJ.exe"	Jump to behavior

Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Section loaded: pywintypes312.dll	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Users\user\Desktop\dipwo1iToJ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: dipwo1iToJ.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: dipwo1iToJ.exe

Static file information: File size 18082384 > 1048576

Source: dipwo1iToJ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: dipwo1iToJ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: dipwo1iToJ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: dipwo1iToJ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dipwo1iToJ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: dipwo1iToJ.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: dipwo1iToJ.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: dipwo1iToJ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: dipwo1iToJ.exe, 00000001.00000002.1797680341.00007FFDFB5F4000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: dipwo1iToJ.exe, 00000001.00000002.1790259151.00007FFDFAA9F000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: cryptography_rust.pdbc source: dipwo1iToJ.exe, 00000001.00000002.1789007887.00007FFDFA7AA000.00000002.00000001.01000000.00000029.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.11 19 Sep 20233.0.11built on: Wed Sep 27 22:33:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_push_octet_ptrOSSL_PARAM_BLD_to_param..\s\crypto\params.c source: dipwo1iToJ.exe, 00000001.00000002.1796919404.00007FFDFB092000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_decimal.pdb source: _decimal.pyd.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: dipwo1iToJ.exe, 00000001.00000002.1796919404.00007FFDFB092000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: crypto\bn\bn_ctx.cBN_CTX_startBN_CTX_getossl_ec_group_new_excrypto\ec\ec_lib.cEC_GROUP_copyEC_GROUP_set_generatorEC_GROUP_set_curveEC_GROUP_get_curveEC_GROUP_get_degreeEC_GROUP_check_discriminantEC_POINT_newEC_POINT_copyEC_POINT_set_to_infinityEC_POINT_set_Jprojective_coordinates_GFpEC_POINT_set_affine_coordinatesEC_POINT_get_affine_coordinatesEC_POINT_addEC_POINT_dblEC_POINT_invertEC_POINT_is_at_infinityEC_POINT_is_on_curveEC_POINT_cmpEC_POINT_mulEC_GROUP_get_trinomial_basisEC_GROUP_get_pentanomial_basisgroup_new_from_nameossl_ec_group_set_paramsencodingdecoded-from-explicitEC_GROUP_new_from_paramsgeneratorcrypto\evp\digest.cevp_md_ctx_new_exevp_md_ctx_free_algctxevp_md_init_internalEVP_DigestUpdatesizeEVP_DigestFinal_exassertion failed: mdsize <= EVP_MAX_MD_SIZEEVP_DigestFinalXOFxoflenEVP_MD_CTX_copy_exEVP_MD_CTX_ctrlmicalgssl3-msblocksizexofalgid-absentevp_md_from_algorithmupdatecrypto\evp\m_sigver.cUNDEFdo_sigver_initEVP_DigestSignUpdateEVP_DigestVerifyUpdateEVP_DigestSignFinalEVP_DigestSignEVP_DigestVerifyFinalEVP_DigestVerifycompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"3.3.2built on: Fri Oct 18 00:15:00 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availablecrypto\init.cOPENSSL_init_cryptocrypto\bio\bio_lib.cBIO_new_exbio_read_internbio_write_internBIO_sendmmsgBIO_recvmmsgBIO_putsBIO_getsBIO_get_line BIO_ctrlBIO_callback_ctrlBIO_find_type source: dipwo1iToJ.exe, 00000001.00000002.1789007887.00007FFDFA7AA000.00000002.00000001.01000000.00000029.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: dipwo1iToJ.exe, 00000001.00000002.1804397735.00007FFE120C6000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: ossl_ec_GFp_simple_group_set_curvecrypto\ec\ecp_smpl.cossl_ec_GFp_simple_group_check_discriminantossl_ec_GFp_simple_point_set_affine_coordinatesossl_ec_GFp_simple_point_get_affine_coordinatesossl_ec_GFp_simple_make_affineossl_ec_GFp_simple_points_make_affineossl_ec_GFp_simple_field_invossl_ec_GFp_simple_blind_coordinatescrypto\engine\tb_digest.cENGINE_get_digestcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specific.dllCPUINFO: crypto\initthread.cOPENSSL_ia32cap source: dipwo1iToJ.exe, 00000001.00000002.1789007887.00007FFDFA7AA000.00000002.00000001.01000000.00000029.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: dipwo1iToJ.exe, 00000000.00000003.1684977147.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1804789057.00007FFE13221000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: dipwo1iToJ.exe, 00000000.00000003.1684977147.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1804789057.00007FFE13221000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: dipwo1iToJ.exe, 00000001.00000002.1791797724.00007FFDFABDE000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-312\Release\pywintypes.pdb source: dipwo1iToJ.exe, 00000001.00000002.1799830423.00007FFE00011000.00000002.00000001.01000000.00000027.sdmp, pywintypes312.dll.0.dr
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-312\Release\pywintypes.pdb** source: dipwo1iToJ.exe, 00000001.00000002.1799830423.00007FFE00011000.00000002.00000001.01000000.00000027.sdmp, pywintypes312.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: _multiprocessing.pyd.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: dipwo1iToJ.exe, 00000001.00000002.1789007887.00007FFDFA7AA000.00000002.00000001.01000000.00000029.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: dipwo1iToJ.exe, 00000000.00000003.1685298094.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1803196864.00007FFE11075000.00000002.00000001.01000000.00000028.sdmp, VCRUNTIME140_1.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: dipwo1iToJ.exe, 00000001.00000002.1804676413.00007FFE13203000.00000002.00000001.01000000.0000000E.sdmp, select.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: dipwo1iToJ.exe, 00000001.00000002.1804294901.00007FFE11EE1000.00000002.00000001.01000000.00000007.sdmp, _ctypes.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: dipwo1iToJ.exe, 00000001.00000002.1803442290.00007FFE11507000.00000002.00000001.01000000.0000000B.sdmp, _hashlib.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_decimal.pdb$$ source: _decimal.pyd.0.dr
Source:	Binary string: D:\a\1\b\libssl-3.pdbEE source: dipwo1iToJ.exe, 00000001.00000002.1793377703.00007FFDFACA5000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: dipwo1iToJ.exe, 00000001.00000002.1803578810.00007FFE1153C000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: dipwo1iToJ.exe, 00000001.00000002.1803322459.00007FFE110F2000.00000002.00000001.01000000.00000023.sdmp, _uuid.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: dipwo1iToJ.exe, 00000000.00000003.1685437325.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1802758529.00007FFE101D8000.00000002.00000001.01000000.00000014.sdmp, _asyncio.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: dipwo1iToJ.exe, 00000001.00000002.1802907428.00007FFE10252000.00000002.00000001.01000000.00000010.sdmp, pyexpat.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: dipwo1iToJ.exe, 00000001.00000002.1804490140.00007FFE12E13000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: dipwo1iToJ.exe, 00000001.00000002.1803578810.00007FFE1153C000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: dipwo1iToJ.exe, 00000000.00000003.1685593932.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1804189678.00007FFE11EBD000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: dipwo1iToJ.exe, 00000001.00000002.1804584285.00007FFE130C4000.00000002.00000001.01000000.0000000F.sdmp, _wmi.pyd.0.dr
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-312\Release\win32api.pdb!! source: dipwo1iToJ.exe, 00000001.00000002.1799958060.00007FFE00743000.00000002.00000001.01000000.00000026.sdmp, win32api.pyd.0.dr
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-312\Release\win32api.pdb source: dipwo1iToJ.exe, 00000001.00000002.1799958060.00007FFE00743000.00000002.00000001.01000000.00000026.sdmp, win32api.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: dipwo1iToJ.exe, 00000001.00000002.1803074322.00007FFE10309000.00000002.00000001.01000000.0000000D.sdmp, _socket.pyd.0.dr
Source:	Binary string: cryptography_rust.pdb source: dipwo1iToJ.exe, 00000001.00000002.1789007887.00007FFDFA7AA000.00000002.00000001.01000000.00000029.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb''&GCTL source: dipwo1iToJ.exe, 00000001.00000002.1804584285.00007FFE130C4000.00000002.00000001.01000000.0000000F.sdmp, _wmi.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: dipwo1iToJ.exe, 00000001.00000002.1802335498.00007FFE0EB2F000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: dipwo1iToJ.exe, 00000001.00000002.1783720389.0000017A60550000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: dipwo1iToJ.exe, 00000000.00000003.1685298094.000001ECBC747000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1803196864.00007FFE11075000.00000002.00000001.01000000.00000028.sdmp, VCRUNTIME140_1.dll.0.dr
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: dipwo1iToJ.exe, 00000001.00000002.1793377703.00007FFDFACA5000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: dipwo1iToJ.exe, 00000001.00000002.1802493358.00007FFE0EB4D000.00000002.00000001.01000000.00000012.sdmp, _ssl.pyd.0.dr

Source: dipwo1iToJ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: dipwo1iToJ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: dipwo1iToJ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: dipwo1iToJ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: dipwo1iToJ.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: python312.dll.0.dr	Static PE information: section name: PyRuntim
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: libcrypto-3.dll.0.dr	Static PE information: section name: .00cfg
Source: libssl-3.dll.0.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\aiohttp\_http_parser.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\charset_normalizer\md__mypyc.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\aiohttp\_websocket\mask.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\aiohttp\_websocket\reader_c.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\pywin32_system32\pywintypes312.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\aiohttp\_http_writer.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\_cffi_backend.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\multidict\_multidict.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\yarl\_quoting_c.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\propcache\_helpers_c.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\python312.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\PublicKey\_curve25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\frozenlist\_frozenlist.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\PublicKey\_curve448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\charset_normalizer\md.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\dipwo1iToJ.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txt

Jump to behavior

Source: C:\Users\user\Desktop\dipwo1iToJ.exe

Code function: 0_2_00007FF6F8FC76B0 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

0_2_00007FF6F8FC76B0

Source: C:\Users\user\Desktop\dipwo1iToJ.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\aiohttp\_http_parser.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\charset_normalizer\md__mypyc.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\aiohttp\_websocket\mask.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\aiohttp\_websocket\reader_c.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\aiohttp\_http_writer.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\multidict\_multidict.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\_cffi_backend.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\yarl\_quoting_c.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\propcache\_helpers_c.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\python312.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\PublicKey\_curve25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\frozenlist\_frozenlist.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\PublicKey\_curve448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\charset_normalizer\md.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\dipwo1iToJ.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-17460

Source: C:\Users\user\Desktop\dipwo1iToJ.exe

API coverage: 0.5 %

Source: C:\Users\user\Desktop\dipwo1iToJ.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Architecture FROM Win32_Processor

Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FC92F0 FindFirstFileExW,FindClose,	0_2_00007FF6F8FC92F0
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FC83B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF6F8FC83B0
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FE18E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF6F8FE18E4

Source: C:\Users\user\Desktop\dipwo1iToJ.exe

Code function: 1_2_00007FFDFAAC0180 GetSystemInfo,

1_2_00007FFDFAAC0180

Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware
Source: cacert.pem.0.dr	Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: dqemu-ga
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Rfvmwaretray
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: dipwo1iToJ.exe, 00000001.00000002.1783601146.0000017A60478000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWz
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: *fqemu
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareuser
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmmouse.sysz
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareuserz
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: +]fvmwareuser
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmsrvc
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: fvmware
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Yfvmusrvc
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: fvboxservice
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwaretray
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Tools
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmhgfs.sysr
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: fvboxtray
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: fvmtoolsd
Source: cacert.pem.0.dr	Binary or memory string: zJVSk/BwJVmcIGfE7vmLV2H0knZ9P4SNVbfo5azV8fUZVqZa+5Acr5Pr5RzUZ5dd
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vboxtray
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: fvmsrvc
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: fVMware
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmusrvc
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: dvmhgfs.sys
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmhgfs.sys
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwarez
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: dVMware Tools
Source: dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmtoolsd
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmmouse.sys
Source: dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: dvmmouse.sys

Source: C:\Users\user\Desktop\dipwo1iToJ.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\dipwo1iToJ.exe

Code function: 0_2_00007FF6F8FCD19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF6F8FCD19C

Source: C:\Users\user\Desktop\dipwo1iToJ.exe

Code function: 0_2_00007FF6F8FE34F0 GetProcessHeap,

0_2_00007FF6F8FE34F0

Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FCD19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6F8FCD19C
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FCD37C SetUnhandledExceptionFilter,	0_2_00007FF6F8FCD37C
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FDA684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6F8FDA684
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 0_2_00007FF6F8FCC910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF6F8FCC910
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 1_2_00007FFDFA993068 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FFDFA993068
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 1_2_00007FFDFA992AA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FFDFA992AA0
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Code function: 1_2_00007FFDFABDCAF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FFDFABDCAF0

Source: C:\Users\user\Desktop\dipwo1iToJ.exe

Process created: C:\Users\user\Desktop\dipwo1iToJ.exe "C:\Users\user\Desktop\dipwo1iToJ.exe"

Jump to behavior

Source: C:\Users\user\Desktop\dipwo1iToJ.exe

Code function: 0_2_00007FF6F8FE95E0 cpuid

0_2_00007FF6F8FE95E0

Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Util VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\aiohttp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\aiohttp\_websocket VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\attrs-24.2.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\attrs-24.2.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\attrs-24.2.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\attrs-24.2.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\cryptography-43.0.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\cryptography-43.0.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\cryptography-43.0.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\cryptography-43.0.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\cryptography-43.0.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\cryptography-43.0.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\cryptography-43.0.3.dist-info\license_files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor\importlib_metadata-8.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor\importlib_metadata-8.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor\importlib_metadata-8.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\_wmi.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\pyexpat.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor\jaraco VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor\jaraco\text\Lorem ipsum.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor\jaraco\text\Lorem ipsum.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\_asyncio.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\_overlapped.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\_sqlite3.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\Desktop\dipwo1iToJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dipwo1iToJ.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68642 VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\dipwo1iToJ.exe

Code function: 0_2_00007FF6F8FCD080 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6F8FCD080

Source: C:\Users\user\Desktop\dipwo1iToJ.exe

Code function: 0_2_00007FF6F8FE5C70 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF6F8FE5C70

Stealing of Sensitive Information

Yara detected Generic Python Stealer

Source: Yara match

File source: Process Memory Space: dipwo1iToJ.exe PID: 792, type: MEMORYSTR

Remote Access Functionality

Yara detected Generic Python Stealer

Source: Yara match

File source: Process Memory Space: dipwo1iToJ.exe PID: 792, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	25 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
dipwo1iToJ.exe	53%	ReversingLabs	Win64.Trojan.Generic

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_ARC4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_Salsa20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_chacha20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_pkcs1_decode.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_aes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_aesni.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_arc2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_blowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_cast.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_cbc.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_cfb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_ctr.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_des.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_des3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_ecb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_eksblowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_ocb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_ofb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_BLAKE2b.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_BLAKE2s.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_MD2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_MD4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_MD5.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_RIPEMD160.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_SHA1.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_SHA224.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_SHA256.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_SHA384.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_SHA512.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_ghash_clmul.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_ghash_portable.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_keccak.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_poly1305.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Math\_modexp.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Protocol\_scrypt.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\PublicKey\_curve25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\PublicKey\_curve448.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\PublicKey\_ec_ws.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\PublicKey\_ed25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\PublicKey\_ed448.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Util\_cpuid_c.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Util\_strxor.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\VCRUNTIME140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\_asyncio.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\_cffi_backend.cp312-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\_multiprocessing.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\_overlapped.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\_uuid.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\_wmi.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68642\aiohttp\_http_parser.cp312-win_amd64.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label
https://www.attrs.org/en/stable/why.html#data-classes)	0%	Avira URL Cloud	safe
https://api.namemc.com/profile/	0%	Avira URL Cloud	safe
http://repository.swisssign.com/0	0%	Avira URL Cloud	safe
https://tidelift.com/?utm_source=lifter&utm_medium=referral&utm_campaign=hynek).	0%	Avira URL Cloud	safe
https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file	0%	Avira URL Cloud	safe
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	0%	Avira URL Cloud	safe
https://tiktok.comr	0%	Avira URL Cloud	safe
https://filepreviews.io/	0%	Avira URL Cloud	safe
https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr:	0%	Avira URL Cloud	safe
https://wwww.certigna.fr/autorites/0m	0%	Avira URL Cloud	safe
http://163.5.242.208/7236785358_chat.txtPn	0%	Avira URL Cloud	safe
http://163.5.242.208/7236785358_chat.txt	0%	Avira URL Cloud	safe
https://xbox.comz	0%	Avira URL Cloud	safe
https://uguu.se/api.php?d=uploadr	0%	Avira URL Cloud	safe
https://www.variomedia.de/	0%	Avira URL Cloud	safe
https://www.attrs.org/en/stable/changelog.html	0%	Avira URL Cloud	safe
https://www.attrs.org/	0%	Avira URL Cloud	safe
http://www.accv.es00	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://163.5.242.208/7236785358_chat.txt	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://account.riotgames.com/api/account/v1/user	dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/issues/8996	dipwo1iToJ.exe, 00000001.00000002.1789007887.00007FFDFA7AA000.00000002.00000001.01000000.00000029.sdmp	false		high
https://github.com/astral-sh/ruff	METADATA.0.dr	false		high
https://github.com/giampaolo/psutil/issues/875.	dipwo1iToJ.exe, 00000001.00000002.1787515881.0000017A62710000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python-attrs/attrs/issues/251	dipwo1iToJ.exe, 00000001.00000002.1783821326.0000017A606CD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packages	dipwo1iToJ.exe, 00000001.00000002.1784071137.0000017A608A0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/importlib_metadata/actions/workflows/main.yml/badge.svg	METADATA.0.dr	false		high
https://github.com/aio-libs/aiohttp/discussions/6044	dipwo1iToJ.exe, 00000001.00000002.1787439688.0000017A622D0000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1786607711.0000017A61B7E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/importlib_metadata/issues	METADATA.0.dr	false		high
https://paypal.com	dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/0	dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60D81000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://python.org	dipwo1iToJ.exe, 00000001.00000002.1786135596.0000017A61780000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	dipwo1iToJ.exe, 00000001.00000002.1783280394.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710250517.0000017A6045F000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1717300666.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710274832.0000017A60456000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1713302317.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1712793220.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1713862624.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1783601146.0000017A60450000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wheel.readthedocs.io/en/stable/news.html	METADATA2.0.dr	false		high
https://github.com/sponsors/hynek	METADATA0.0.dr	false		high
https://oauth.reddit.com/api/v1/me	dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	false		high
https://ipinfo.io/jsonu	dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://importlib-metadata.readthedocs.io/	METADATA.0.dr	false		high
https://store.steampowered.com	dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://goo.gl/zeJZl.	dipwo1iToJ.exe, 00000001.00000002.1787439688.0000017A622D0000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784723256.0000017A60E9F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.apache.org/licenses/LICENSE-2.0	LICENSE.APACHE.0.dr	false		high
https://ebay.com	dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/en/latest/specifications/core-metadata/	dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	false		high
https://epicgames.com	dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	dipwo1iToJ.exe, 00000001.00000003.1719042544.0000017A60817000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1718206364.0000017A60815000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1715349063.0000017A60815000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1783821326.0000017A6084A000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1720080418.0000017A60817000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1719985872.0000017A60815000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1715319594.0000017A60823000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1716039388.0000017A6081F000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1727487193.0000017A607FA000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1720015694.0000017A6081B000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1721263504.0000017A60812000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/packaging	dipwo1iToJ.exe, 00000001.00000002.1784874976.0000017A60ED0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.dropbox.com/scl/fi/3clo0b3x6nfajqm27kvx6/exodus.asar?rlkey=200tiyus0rc0u3u4j9kf517l0&st=	dipwo1iToJ.exe, 00000001.00000002.1783520183.0000017A60350000.00000004.00001000.00020000.00000000.sdmp	false		high
https://tidelift.com/?utm_source=lifter&utm_medium=referral&utm_campaign=hynek).	METADATA0.0.dr	false	Avira URL Cloud: safe	unknown
https://readthedocs.org/projects/importlib-metadata/badge/?version=latest	METADATA.0.dr	false		high
https://refspecs.linuxfoundation.org/elf/gabi4	dipwo1iToJ.exe, 00000001.00000002.1784965590.0000017A60FF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.roblox.com/mobileapi/userinfor	dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.namemc.com/profile/	dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v9/users/	dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/json	dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	false		high
https://youtube.com)	dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://blog.jaraco.com/skeleton	METADATA.0.dr	false		high
https://github.com/python-attrs/attrs/issues/136	dipwo1iToJ.exe, 00000001.00000002.1786434698.0000017A619AE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc3610	dipwo1iToJ.exe, 00000001.00000002.1786434698.0000017A61A00000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784723256.0000017A60E9F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/platformdirs/platformdirs	dipwo1iToJ.exe, 00000001.00000002.1784965590.0000017A60FF0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl	dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618FE000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60C65000.00000004.00000020.00020000.00000000.sdmp	false		high
http://curl.haxx.se/rfc/cookie_spec.html	dipwo1iToJ.exe, 00000001.00000002.1785999287.0000017A61630000.00000004.00001000.00020000.00000000.sdmp	false		high
http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode	dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md	METADATA2.0.dr	false		high
https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr:	dipwo1iToJ.exe, 00000001.00000003.1714086462.0000017A607BE000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1714086462.0000017A6080D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://catbox.moe/user/api.php	dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename	dipwo1iToJ.exe, 00000001.00000003.1710250517.0000017A6045F000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710274832.0000017A60456000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1783399636.0000017A60100000.00000004.00001000.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	dipwo1iToJ.exe, 00000001.00000002.1785999287.0000017A61630000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/python-attrs/attrs/issues/1330)	METADATA0.0.dr	false		high
https://catbox.moe/user/api.phpr	dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pypi.org/project/build/).	dipwo1iToJ.exe, 00000001.00000002.1785418273.0000017A61310000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1785102451.0000017A610F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.3	dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618FE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tiktok.comr	dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2	dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618FE000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1786135596.0000017A61780000.00000004.00001000.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/0m	dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60C65000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/pypa/wheel	METADATA2.0.dr	false		high
https://www.python.org/dev/peps/pep-0427/	METADATA2.0.dr	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	dipwo1iToJ.exe, 00000001.00000002.1783280394.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710250517.0000017A6045F000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1717300666.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710274832.0000017A60456000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1713302317.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1712793220.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1713862624.0000017A5E940000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1783601146.0000017A60450000.00000004.00000020.00020000.00000000.sdmp	false		high
https://instagram.com	dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/issues/86361.	dipwo1iToJ.exe, 00000001.00000003.1717435682.0000017A60737000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1783821326.0000017A6071E000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1716973785.0000017A60AD1000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1716973785.0000017A60B31000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1715983243.0000017A60B31000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1718401236.0000017A60737000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1720406212.0000017A6071E000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1719042544.0000017A60737000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1722143244.0000017A6071E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://mail.python.org/pipermail/python-dev/2012-June/120787.html.	dipwo1iToJ.exe, 00000001.00000002.1786434698.0000017A61A00000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1787439688.0000017A622D0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://httpbin.org/	dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60C65000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.apache.org/licenses/	LICENSE.APACHE.0.dr	false		high
https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file	dipwo1iToJ.exe, 00000001.00000002.1789007887.00007FFDFA7AA000.00000002.00000001.01000000.00000029.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module	dipwo1iToJ.exe, 00000001.00000003.1710250517.0000017A6045F000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710274832.0000017A60456000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1783520183.0000017A60350000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches	dipwo1iToJ.exe, 00000001.00000003.1710250517.0000017A6045F000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1710274832.0000017A60456000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1783520183.0000017A60350000.00000004.00001000.00020000.00000000.sdmp	false		high
https://filepreviews.io/	METADATA0.0.dr	false	Avira URL Cloud: safe	unknown
https://discord.gg/r	dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://twitch.tv	dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.attrs.org/en/stable/why.html#data-classes)	METADATA0.0.dr	false	Avira URL Cloud: safe	unknown
https://img.shields.io/badge/skeleton-2024-informational	METADATA.0.dr	false		high
https://packaging.python.org/en/latest/specifications/pyproject-toml/#declaring-project-metadata-the	dipwo1iToJ.exe, 00000001.00000002.1783821326.0000017A606CD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60D81000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60C65000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cert.fnmt.es/dpcs/LuvN	dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618FE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://xbox.comz	dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/pypa/setuptools/issues/417#issuecomment-392298401	dipwo1iToJ.exe, 00000001.00000002.1785102451.0000017A610F0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl	dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618A8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618FE000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618A8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/rfc6125#section-6.4.3	dipwo1iToJ.exe, 00000001.00000002.1785999287.0000017A61630000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.attrs.org/en/stable/changelog.html	METADATA0.0.dr	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v6/guilds/	dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	false		high
http://163.5.242.208/7236785358_chat.txtPn	dipwo1iToJ.exe, 00000001.00000002.1787594884.0000017A628F0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ip-api.com/jsonr	dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://uguu.se/api.php?d=uploadr	dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.variomedia.de/	METADATA0.0.dr	false	Avira URL Cloud: safe	unknown
http://www.cert.fnmt.es/dpcs/	dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60D81000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618FE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google.com/mail	dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60D81000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60BB5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://img.shields.io/pypi/v/importlib_metadata.svg	METADATA.0.dr	false		high
https://github.com/jaraco/jaraco.functools/issues/5	dipwo1iToJ.exe, 00000001.00000002.1784965590.0000017A60FF0000.00000004.00001000.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1720406212.0000017A6071E000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1722143244.0000017A6071E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es00	dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618FE000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1786218480.0000017A618A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rfc-editor.org/info/rfc7253	dipwo1iToJ.exe, 00000001.00000002.1786434698.0000017A61B3A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/issues	dipwo1iToJ.exe, 00000001.00000002.1789007887.00007FFDFA7AA000.00000002.00000001.01000000.00000029.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60C65000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.attrs.org/	METADATA0.0.dr	false	Avira URL Cloud: safe	unknown
https://mahler:8092/site-updates.py	dipwo1iToJ.exe, 00000001.00000003.1722665071.0000017A60BFD000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000002.1784330278.0000017A60BB5000.00000004.00000020.00020000.00000000.sdmp, dipwo1iToJ.exe, 00000001.00000003.1722333865.0000017A60C1D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://i.instagram.com/api/v1/accounts/current_user/?edit=trueTr	dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc7231#section-4.3.6)	dipwo1iToJ.exe, 00000001.00000002.1783821326.0000017A6071E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://users.roblox.com/v1/users/r	dipwo1iToJ.exe, 00000001.00000003.1724114185.0000017A60DC4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://discord.gg/	dipwo1iToJ.exe, 00000001.00000002.1785618265.0000017A61410000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
163.5.242.208	unknown	France		56339	EPITECHFR	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1570259
Start date and time:	2024-12-06 17:44:00 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	dipwo1iToJ.exe renamed because original name is a hash value
Original Sample Name:	f40d72b602d086c3724048c5df9cc6f0.exe
Detection:	MAL
Classification:	mal52.troj.winEXE@3/109@0/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
VT rate limit hit for: dipwo1iToJ.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
EPITECHFR	105vjMVwfJ.dll	Get hash	malicious	CobaltStrike	Browse	163.5.169.26
	7RDTQuL8WF.exe	Get hash	malicious	CobaltStrike	Browse	163.5.169.26
	botx.spc.elf	Get hash	malicious	Mirai	Browse	163.5.176.64
	spc.elf	Get hash	malicious	Mirai	Browse	163.5.130.180
	m68k.elf	Get hash	malicious	Mirai	Browse	163.5.176.71
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	163.5.152.99
	SecuriteInfo.com.Win32.MalwareX-gen.20028.17631.exe	Get hash	malicious	AsyncRAT	Browse	163.5.160.86
	jNA5BK2z12.exe	Get hash	malicious	AsyncRAT	Browse	163.5.160.86
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	163.5.63.254
	https://zupimages.net/up/24/42/ol13.jpg?d6mSMvU0ZvpGwffnuqPHYMR7NvlxIzVjDfTD4YJjdRSCOcc	Get hash	malicious	Unknown	Browse	163.5.194.37

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_ARC4.pyd	ROh2ijuEpr.exe	Get hash	malicious	Babuk, Conti	Browse
	zed.exe	Get hash	malicious	Unknown	Browse
	back.ps1	Get hash	malicious	Unknown	Browse
	zed.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Python Stealer, Amadey, LummaC Stealer, Nymaim, Stealc	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Amadey, Cryptbot	Browse
	file.exe	Get hash	malicious	Amadey, XWorm	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	Payload.exe	Get hash	malicious	Python Stealer, BLX Stealer, XLABB Grabber	Browse
C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_Salsa20.pyd	ROh2ijuEpr.exe	Get hash	malicious	Babuk, Conti	Browse
	zed.exe	Get hash	malicious	Unknown	Browse
	back.ps1	Get hash	malicious	Unknown	Browse
	zed.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Python Stealer, Amadey, LummaC Stealer, Nymaim, Stealc	Browse
	file.exe	Get hash	malicious	Python Stealer	Browse
	file.exe	Get hash	malicious	Python Stealer	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Amadey, Cryptbot	Browse
	file.exe	Get hash	malicious	Amadey, XWorm	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_ARC4.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	4.640339306680604
Encrypted:	false
SSDEEP:	192:dLklddyTHThob0q/tJRrlDfNYSOcqgYCWt:ZgcdZq/JJD6gRWt
MD5:	BCD8CAAF9342AB891BB1D8DD45EF0098
SHA1:	EE7760BA0FF2548F25D764F000EFBB1332BE6D3E
SHA-256:	78725D2F55B7400A3FCAFECD35AF7AEB253FBC0FFCDF1903016EB0AABD1B4E50
SHA-512:	8B6FB53AECB514769985EBFDAB1B3C739024597D9C35905E04971D5422256546F7F169BF98F9BAF7D9F42A61CFF3EE7A20664989D3000773BF5EDA10CB3A0C24
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: ROh2ijuEpr.exe, Detection: malicious, Browse Filename: zed.exe, Detection: malicious, Browse Filename: back.ps1, Detection: malicious, Browse Filename: zed.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Payload.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^J.6?$.6?$.6?$.?G..2?$.dJ%.4?$.}G%.5?$.6?%..?$.dJ!.<?$.dJ .>?$.dJ'.5?$..J,.7?$..J$.7?$..J..7?$..J&.7?$.Rich6?$.........................PE..d...Y..f.........." ................P........................................p............`..........................................'......0(..d....P.......@...............`..(....!...............................!..8............ ...............................text............................... ..`.rdata..Z.... ......................@..@.data...H....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......(..............@..@.reloc..(....`.......*..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_Salsa20.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.0194545642425075
Encrypted:	false
SSDEEP:	192:4t/1nCuqaL0kt7AznuRmceS4lDFhAlcqgcLg:F/k1ACln4lDogcLg
MD5:	F19CB847E567A31FAB97435536C7B783
SHA1:	4C8BFE404AF28C1781740E7767619A5E2D2FF2B7
SHA-256:	1ECE1DC94471D6977DBE2CEEBA3764ADF0625E2203D6257F7C781C619D2A3DAD
SHA-512:	382DC205F703FC3E1F072F17F58E321E1A65B86BE7D9D6B07F24A02A156308A7FEC9B1A621BA1F3428FD6BB413D14AE9ECB2A2C8DD62A7659776CFFDEBB6374C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: ROh2ijuEpr.exe, Detection: malicious, Browse Filename: zed.exe, Detection: malicious, Browse Filename: back.ps1, Detection: malicious, Browse Filename: zed.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.j.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...Z..f.........." ................P.....................................................`..........................................8......H9..d....`.......P..L............p..(....1...............................1..8............0...............................text...h........................... ..`.rdata..r....0......................@..@.data...H....@.......,..............@....pdata..L....P......................@..@.rsrc........`.......2..............@..@.reloc..(....p.......4..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_chacha20.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.037456384995606
Encrypted:	false
SSDEEP:	192:st/1nCuqaL0ktPMn1ENe3erKr5br0YbsiDw6a9lkOcqgRGd:p/kpMIodrXbsiDS95gRGd
MD5:	DC14677EA8A8C933CC41F9CCF2BEDDC1
SHA1:	A6FB87E8F3540743097A467ABE0723247FDAF469
SHA-256:	68F081E96AE08617CF111B21EDED35C1774A5EF1223DF9A161C9445A78F25C73
SHA-512:	3ABA4CFCBBE4B350AB3230D488BD75186427E3AAAF38D19E0E1C7330F16795AD77FB6E26FF39AF29EAF4F5E8C42118CB680F90AFBFCA218AEDA64DC444675BA2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.j.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...Z..f.........." ................P.....................................................`......................................... 8.......8..d....`.......P..d............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......*..............@....pdata..d....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..(....p.......2..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_pkcs1_decode.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.09191874780435
Encrypted:	false
SSDEEP:	192:rMVsiXeqVb0lIb0Pj5Jdfpm68WZDInU282tacqgYLg:rM7ali0Pj5JxCaDuUlgYLg
MD5:	C09BB8A30F0F733C81C5C5A3DAD8D76D
SHA1:	46FD3BA87A32D12F4EE14601D1AD73B78EDC81D1
SHA-256:	8A1B751DB47CE7B1D3BD10BEBFFC7442BE4CFB398E96E3B1FF7FB83C88A8953D
SHA-512:	691AC74FAE930E9CEABE782567EFB99C50DD9B8AD607DD7F99A5C7DF2FA2BEB7EDFE2EBB7095A72DA0AE24E688FBABD340EAE8B646D5B8C394FEE8DDD5E60D31
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^:.6?T.6?T.6?T.?G..2?T.dJU.4?T.}GU.5?T.6?U..?T.dJQ.<?T.dJP.>?T.dJW.5?T..J\.7?T..JT.7?T..J..7?T..JV.7?T.Rich6?T.........................PE..d...X..f.........." ................P.....................................................`.........................................`8.......8..d....`.......P..(............p..(....1...............................1..8............0...............................text............................... ..`.rdata..6....0....... ..............@..@.data...x....@......................@....pdata..(....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..(....p.......6..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_aes.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	6.541423493519083
Encrypted:	false
SSDEEP:	384:f/UlZA5PUEllvxL/7v/iKBt5ByU0xGitqzSEkxGG7+tpKHb/LZ7fr52EkifcMxme:klcR7JriEbwDaS4j990th9VDBV
MD5:	0AB25F99CDAACA6B11F2ECBE8223CAD5
SHA1:	7A881B3F84EF39D97A31283DE6D7B7AE85C8BAE6
SHA-256:	6CE8A60D1AB5ADC186E23E3DE864D7ADF6BDD37E3B0C591FA910763C5C26AF60
SHA-512:	11E89EEF34398DF3B144A0303E08B3A4CAF41A9A8CA618C18135F561731F285F8CF821D81179C2C45F6EEB0E496D9DD3ECF6FF202A3C453C80AFEF8582D06C17
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^J.6?$.6?$.6?$.?G..2?$.dJ%.4?$.}G%.5?$.6?%..?$.dJ!.<?$.dJ .>?$.dJ'.5?$..J,.7?$..J$.7?$..J..7?$..J&.7?$.Rich6?$.........................PE..d...V..f.........." .....H...H......P.....................................................`.........................................p...........d...............................0......................................8............`...............................text...xG.......H.................. ..`.rdata.."6...`...8...L..............@..@.data...H...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..0...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_aesni.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.367749645917753
Encrypted:	false
SSDEEP:	192:YiJBj5fq/Rk0kPLhOZ3UucCWuSKPEkA2bD9JXx03cqg5YUMLgs:/k1kTMZEjCWNaA2DTx0g5YUMLg
MD5:	B6EA675C3A35CD6400A7ECF2FB9530D1
SHA1:	0E41751AA48108D7924B0A70A86031DDE799D7D6
SHA-256:	76EF4C1759B5553550AB652B84F8E158BA8F34F29FD090393815F06A1C1DC59D
SHA-512:	E31FD33E1ED6D4DA3957320250282CFD9EB3A64F12DE4BD2DFE3410F66725164D96B27CAA34C501D1A535A5A2442D5F070650FD3014B4B92624EE00F1C3F3197
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.z.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...V..f.........." ......... ......P.....................................................`..........................................9......$:..d....`.......P...............p..(....1...............................1..8............0.. ............................text............................... ..`.rdata.......0......."..............@..@.data...8....@.......2..............@....pdata.......P.......4..............@..@.rsrc........`.......8..............@..@.reloc..(....p.......:..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_arc2.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	5.41148259289073
Encrypted:	false
SSDEEP:	192:w3d9FkHaz0EJvrj+CYuz7ucc9dG7otDr22KcqgOiewZjW:YkHEJzj+X6769lDzagO/w
MD5:	F14E1AA2590D621BE8C10321B2C43132
SHA1:	FD84D11619DFFDF82C563E45B48F82099D9E3130
SHA-256:	FCE70B3DAFB39C6A4DB85D2D662CB9EB9C4861AA648AD7436E7F65663345D177
SHA-512:	A86B9DF163007277D26F2F732ECAB9DBCA8E860F8B5809784F46702D4CEA198824FDEF6AB98BA7DDC281E8791C10EABA002ABDA6F975323B36D5967E0443C1E4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...W..f.........." ....."... ......P.....................................................`.........................................pI.......J..d....p.......`..................(....B...............................B..8............@...............................text...( .......".................. ..`.rdata..<....@.......&..............@..@.data...H....P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..(............>..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_blowfish.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20992
Entropy (8bit):	6.041302713678401
Encrypted:	false
SSDEEP:	384:kUX0JfbRz5MLZA0nmwzMDYpJgLa0Mp8NDBcxgprAM:6NbRzWXwDqgLa1uBfP
MD5:	B127CAE435AEB8A2A37D2A1BC1C27282
SHA1:	2A7BF8BF7F24B2381370BA6B41FB640EE42BDCCD
SHA-256:	538B1253B5929254ED92129FA0957DB26CDDF34A8372BA0BF19D20D01549ADA3
SHA-512:	4FE027E46D5132CA63973C67BD5394F2AC74DD4BBCFE93CB16136FAB4B6BF67BECB5A0D4CA359FF9426DA63CA81F793BBF1B79C8A9D8372C53DCB5796D17367E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...W..f.........." .....$...0......P.....................................................`.........................................0Y.......Y..d............p..................0....Q...............................R..8............@...............................text....".......$.................. ..`.rdata.......@... ...(..............@..@.data...H....`.......H..............@....pdata.......p.......J..............@..@.rsrc................N..............@..@.reloc..0............P..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_cast.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	6.530656045206549
Encrypted:	false
SSDEEP:	384:cEDwUBi9SPu71omZXmrfXA+UA10ol31tuXVYdAgYj:FsUBXmoEXmrXA+NNxWFYfo
MD5:	2E15AA6F97ED618A3236CFA920988142
SHA1:	A9D556D54519D3E91FA19A936ED291A33C0D1141
SHA-256:	516C5EA47A7B9A166F2226ECBA79075F1A35EFFF14D87E00006B34496173BB78
SHA-512:	A6C75C4A285753CC94E45500E8DD6B6C7574FB7F610FF65667F1BEC8D8B413FC10514B7D62F196C2B8D017C308C5E19E2AEF918021FA81D0CB3D8CED37D8549A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.j.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...W..f.........." .....$...>............................................................`..........................................h.......i..d...............................0....a...............................a..8............@...............................text....#.......$.................. ..`.rdata..:-...@.......(..............@..@.data...H....p.......V..............@....pdata...............X..............@..@.rsrc................\..............@..@.reloc..0............^..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_cbc.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.7080156150187396
Encrypted:	false
SSDEEP:	192:lF/1n7Guqaj0ktfEJwX1fYwCODR3lncqg0Gd6l:RGXkJEm1feODxDg0Gd6
MD5:	40390F2113DC2A9D6CFAE7127F6BA329
SHA1:	9C886C33A20B3F76B37AA9B10A6954F3C8981772
SHA-256:	6BA9C910F755885E4D356C798A4DD32D2803EA4CFABB3D56165B3017D0491AE2
SHA-512:	617B963816838D649C212C5021D7D0C58839A85D4D33BBAF72C0EC6ECD98B609080E9E57AF06FA558FF302660619BE57CC974282826AB9F21AE0D80FBAA831A1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...X..f.........." ................P.....................................................`..........................................8.......8..d....`.......P..X............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..(....p......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_cfb.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	5.159963979391524
Encrypted:	false
SSDEEP:	192:kblRgfeqfz0RP767fB4A84DgVD6eDcqgzbkLgmf:BwRj67p84Dg6eVgzbkLgmf
MD5:	899895C0ED6830C4C9A3328CC7DF95B6
SHA1:	C02F14EBDA8B631195068266BA20E03210ABEABC
SHA-256:	18D568C7BE3E04F4E6026D12B09B1FA3FAE50FF29AC3DEAF861F3C181653E691
SHA-512:	0B4C50E40AF92BC9589668E13DF417244274F46F5A66E1FC7D1D59BC281969BA319305BECEA119385F01CC4603439E4B37AFA2CF90645425210848A02839E3E7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^..6?..6?..6?..?G..2?..dJ..4?..}G..5?..6?...?..dJ..<?..dJ..>?..dJ..5?...J..7?...J..7?...Jk.7?...J..7?..Rich6?..................PE..d...Y..f.........." ................P.....................................................`..........................................8......x9..d....`.......P..d............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......(..............@....pdata..d....P.......*..............@..@.rsrc........`......................@..@.reloc..(....p.......0..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_ctr.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.270418334522813
Encrypted:	false
SSDEEP:	192:vktJ1gifqQGRk0IP73AdXdmEEEEEm9uhiFEQayDZVMcqgnF6+6Lg:vkdU1ID3AdXd49urQPDggnUjLg
MD5:	C4C525B081F8A0927091178F5F2EE103
SHA1:	A1F17B5EA430ADE174D02ECC0B3CB79DBF619900
SHA-256:	4D86A90B2E20CDE099D6122C49A72BAE081F60EB2EEA0F76E740BE6C41DA6749
SHA-512:	7C06E3E6261427BC6E654B2B53518C7EAA5F860A47AE8E80DC3F8F0FED91E122CB2D4632188DC44123FB759749B5425F426CD1153A8F84485EF0491002B26555
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^z.6?..6?..6?..?G..2?..dJ..4?..}G..5?..6?...?..dJ..<?..dJ..>?..dJ..5?...J..7?...J..7?...J..7?...J..7?..Rich6?..........................PE..d...Y..f.........." ......... ......P.....................................................`.........................................`9.......:..d....`.......P...............p..(....1...............................1..8............0.. ............................text............................... ..`.rdata.......0....... ..............@..@.data........@.......0..............@....pdata.......P.......2..............@..@.rsrc........`.......6..............@..@.reloc..(....p.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_des.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	56832
Entropy (8bit):	4.231032526864278
Encrypted:	false
SSDEEP:	384:0qcmHBeNL1dO/qHkpnYcZiGKdZHDLY84vnKAnK2rZA21agVF:fEiqHHx4vZDV
MD5:	F9E266F763175B8F6FD4154275F8E2F0
SHA1:	8BE457700D58356BC2FA7390940611709A0E5473
SHA-256:	14D2799BE604CBDC668FDE8834A896EEE69DAE0E0D43B37289FCCBA35CEF29EC
SHA-512:	EB3E37A3C3FF8A65DEF6FA20941C8672A8197A41977E35AE2DC6551B5587B84C2703758320559F2C93C0531AD5C9D0F6C36EC5037669DC5CE78EB3367D89877B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........PK..1%..1%..1%..I...1%.D$..1%.I$..1%..1$..1%.D ..1%.D!..1%.D&..1%..D-..1%..D%..1%..D...1%..D'..1%.Rich.1%.........................PE..d...X..f.........." .....6...................................................0............`.................................................\...d...............l............ ..0... ...............................@...8............P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...H...........................@....pdata..l...........................@..@.rsrc...............................@..@.reloc..0.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_des3.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	4.252429732285762
Encrypted:	false
SSDEEP:	384:J4cmHBeIzNweVy/CHkRnYcZiGKdZHDLq80vnKAnKBrZGsURygUX:GEO6CHnX0vZb7
MD5:	DECF524B2D53FCD7D4FA726F00B3E5FC
SHA1:	E87C6ED4004F2772B888C5B5758AA75FE99D2F6F
SHA-256:	58F7053EE70467D3384C73F299C0DFD63EEF9744D61D1980D9D2518974CA92D4
SHA-512:	EAFF4FD80843743E61CE635FBADF4E5D9CF2C3E97F3C48350BD9E755F4423AC6867F9FE8746BD5C54E1402B18E8A55AEEF7ACA098C7CF4186DC4C1235EB35DF2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........PK..1%..1%..1%..I...1%.D$..1%.I$..1%..1$..1%.D ..1%.D!..1%.D&..1%..D-..1%..D%..1%..D...1%..D'..1%.Rich.1%.........................PE..d...X..f.........." .....8...................................................0............`.....................................................d............................ ..0... ...............................@...8............P...............................text...X7.......8.................. ..`.rdata......P.......<..............@..@.data...H...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..0.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_ecb.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.690163963718492
Encrypted:	false
SSDEEP:	192:Yddz2KTnThIz0qfteRY4zp+D3PLui8p1cqgHCWt:k2E9RqfCXp+D3juRpLgiWt
MD5:	80BB1E0E06ACAF03A0B1D4EF30D14BE7
SHA1:	B20CAC0D2F3CD803D98A2E8A25FBF65884B0B619
SHA-256:	5D1C2C60C4E571B88F27D4AE7D22494BED57D5EC91939E5716AFA3EA7F6871F6
SHA-512:	2A13AB6715B818AD62267AB51E55CD54714AEBF21EC9EA61C2AEFD56017DC84A6B360D024F8682A2E105582B9C5FE892ECEBD2BEF8A492279B19FFD84BC83FA5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@................../....../...../......+.......*......-......&....................,....Rich...........................PE..d...X..f.........." ................P........................................p............`.........................................0'.......'..P....P.......@...............`..(....!...............................!..8............ ...............................text............................... ..`.rdata....... ......................@..@.data...H....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..(....`.......&..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_eksblowfish.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	6.1215844022564285
Encrypted:	false
SSDEEP:	384:nUX0JfbRwUtPMbNv37t6K5jwbDEpJgLa0Mp8xCkgJrAm:jNbRw8EbxwKBwbD+gLa1nh
MD5:	3727271FE04ECB6D5E49E936095E95BC
SHA1:	46182698689A849A8C210A8BF571D5F574C6F5B1
SHA-256:	3AF5B35DCD5A3B6C7E88CEE53F355AAFFF40F2C21DABD4DE27DBB57D1A29B63B
SHA-512:	5BED1F4DF678FE90B8E3F1B7C4F68198463E579209B079CB4A40DCAC01CE26AA2417DBE029B196F6F2C6AFAD560E2D1AF9F089ABE37EAD121CA10EE69D9659ED
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...W..f.........." .....(...0......P.....................................................`.........................................0Y.......Y..d............p..................0....Q...............................R..8............@...............................text...H'.......(.................. ..`.rdata.......@... ...,..............@..@.data...H....`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..0............T..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_ocb.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	5.293810509074883
Encrypted:	false
SSDEEP:	384:4PHoDUntQjNB+/yw/pogeXOvXoTezczOo3p9iJgDQ3iNgnVbwhA:dUOhBcDRogeXOfoTezcio3pUJgDQ3i+
MD5:	78AEF441C9152A17DD4DC40C7CC9DF69
SHA1:	6BB6F8426AFA6522E647DFC82B1B64FAF3A9781F
SHA-256:	56E4E4B156295F1AAA22ECB5481841DE2A9EB84845A16E12A7C18C7C3B05B707
SHA-512:	27B27E77BE81B29D42359FE28531225383860BCD19A79044090C4EA58D9F98009A254BF63585979C60B3134D47B8233941ABB354A291F23C8641A4961FA33107
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...Y..f.........." .....(... ......P.....................................................`.........................................pI......lJ..d....p.......`..................(....A...............................A..8............@...............................text....'.......(.................. ..`.rdata.......@.......,..............@..@.data........P.......<..............@....pdata.......`.......>..............@..@.rsrc........p.......B..............@..@.reloc..(............D..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_ofb.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	4.862619033406922
Encrypted:	false
SSDEEP:	96:0Ga+F/1NtJ9t4udqaj01rlALnNNJSS2sP+YEdMN+F9FdKaWDULk+VOmWbucX6gR7:PF/1n7Guqaj0ktfEON+bMDUlJcqg0Gd
MD5:	19E0ABF76B274C12FF624A16713F4999
SHA1:	A4B370F556B925F7126BF87F70263D1705C3A0DB
SHA-256:	D9FDA05AE16C5387AB46DC728C6EDCE6A3D0A9E1ABDD7ACB8B32FC2A17BE6F13
SHA-512:	D03033EA5CF37641FBD802EBEB5019CAEF33C9A78E01519FEA88F87E773DCA92C80B74BA80429B530694DAD0BFA3F043A7104234C7C961E18D48019D90277C8E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...Y..f.........." ................P.....................................................`..........................................8.......8..d....`.......P..X............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......$..............@....pdata..X....P.......&..............@..@.rsrc........`.......*..............@..@.reloc..(....p.......,..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_BLAKE2b.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.227045547076371
Encrypted:	false
SSDEEP:	192:saF/1n7Guqaj0ktrE8o2o+V2rQnjt1wmg9jtveDn4clG6VcqgOvgdd:swGXkFE8Zo+AojO9jZeDf5rgOvgz
MD5:	309D6F6B0DD022EBD9214F445CAC7BB9
SHA1:	ABD22690B7AD77782CFC0D2393D0C038E16070B0
SHA-256:	4FBE188C20FB578D4B66349D50AA6FFE4AB86844FB6427C57738F36780D1E2E2
SHA-512:	D1951FE92F83E7774E8E877815BED6E6216D56EF18B7F1C369D678CB6E1814243659E9FA7ABC0D22FB5B34A9D50A51D5A89BA00AE1FDD32157FD0FF9902FB4B7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...U..f.........." ................P.....................................................`..........................................8.......9..d....`.......P..@............p..(....2...............................2..8............0...............................text...x........................... ..`.rdata.......0....... ..............@..@.data...H....@......................@....pdata..@....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..(....p.......6..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_BLAKE2s.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.176369829782773
Encrypted:	false
SSDEEP:	192:rF/1n7Guqaj0ktrESsrUW+SBjsK5tcQmEreD2mf1AoxkVcqgOvgXQ:rGXkFE/UW575tA2eDp1Ao2rgOvgX
MD5:	D54FEB9A270B212B0CCB1937C660678A
SHA1:	224259E5B684C7AC8D79464E51503D302390C5C9
SHA-256:	032B83F1003A796465255D9B246050A196488BAC1260F628913E536314AFDED4
SHA-512:	29955A6569CA6D039B35BB40C56AEEB75FC765600525D0B469F72C97945970A428951BAB4AF9CD21B3161D5BBA932F853778E2674CA83B14F7ABA009FA53566F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...U..f.........." ................P.....................................................`..........................................8.......9..d....`.......P..@............p..(....2...............................2..8............0...............................text...h........................... ..`.rdata.......0......................@..@.data...H....@.......,..............@....pdata..@....P......................@..@.rsrc........`.......2..............@..@.reloc..(....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_MD2.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.047563322651927
Encrypted:	false
SSDEEP:	384:6alCvH32p3/2pnEhKnLg9yH8puzoFaPERIQAvHD9CIg5kP:5CvHmp3OpnEhmLg9yH8puzoFaPERIQgI
MD5:	52DCD4151A9177CF685BE4DF48EA9606
SHA1:	F444A4A5CBAE9422B408420115F0D3FF973C9705
SHA-256:	D54375DC0652358A6E4E744F1A0EAEEAD87ACCD391A20D6FF324FE14E988A122
SHA-512:	64C54B89F2637759309ECC6655831C3A6755924ED70CBC51614061542EB9BA9A8AECF6951EB3AB92447247DC4D7D846C88F4957DBBE4484A9AB934343EE27178
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...Q..f.........." ......... ......P.....................................................`.........................................@9.......9..d....`.......P..(............p..(....2...............................2..8............0...............................text...X........................... ..`.rdata..@....0......................@..@.data...x....@......................@....pdata..(....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..(....p.......6..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_MD4.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.09893680790018
Encrypted:	false
SSDEEP:	192:xsiXeqVb0lwbH4P01sAD7I/9hAkwDWzBEbcqgqLg:valqH4M1sAD7KvpwDFtgqLg
MD5:	F929B1A3997427191E07CF52AC883054
SHA1:	C5EA5B68586C2FB09E5FDD20D4DD616D06F5CBA6
SHA-256:	5386908173074FABD95BF269A9DF0A4E1B21C0576923186F449ABF4A820F6A8E
SHA-512:	2C79DBCE2C21214D979AB86DD989D41A3AFA7FCB7F3B79BA9974E2EE8F832DD7CA20C1C87C0C380DB037D776FE6D0851D60AD55A08AFDE0003B7E59214DD2F3B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...R..f.........." ................P.....................................................`.........................................08.......8..d....`.......P..(............p..(....1...............................2..8............0...............................text............................... ..`.rdata..0....0......................@..@.data........@.......,..............@....pdata..(....P......................@..@.rsrc........`.......2..............@..@.reloc..(....p.......4..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_MD5.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.451865349855574
Encrypted:	false
SSDEEP:	384:KfwogDHER1wuiDSyoGTgDZOviNgEPrLg:ugDHELwuiDScTgDwi+EP
MD5:	1FA5E257A85D16E916E9C22984412871
SHA1:	1AC8EE98AD0A715A1B40AD25D2E8007CDC19871F
SHA-256:	D87A9B7CAD4C451D916B399B19298DC46AAACC085833C0793092641C00334B8E
SHA-512:	E4205355B647C6E28B7E4722328F51DC2EB3A109E9D9B90F7C53D7A80A5A4B10E40ABDDAB1BA151E73EF3EB56941F843535663F42DCE264830E6E17BB659EADF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...R..f.........." ..... ..........P.....................................................`..........................................8......`9..d....`.......P..X............p..(....1...............................1..8............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........@.......2..............@....pdata..X....P.......4..............@..@.rsrc........`.......8..............@..@.reloc..(....p.......:..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_RIPEMD160.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.104245335186531
Encrypted:	false
SSDEEP:	192:3F/1n7Guqaj0kt7/Ev9kt0Qwac6QzD8iD0QocqgI4G0S:nGXkd/EvGt9wacNDvAgI4v
MD5:	FAD578A026F280C1AE6F787B1FA30129
SHA1:	9A3E93818A104314E172A304C3D117B6A66BEB55
SHA-256:	74A1FF0801F4704158684267CD8E123F83FB6334FE522C1890AC4A0926F80AB1
SHA-512:	ACF8F5B382F3B4C07386505BBDCAF625D13BCC10AA93ED641833E3548261B0AD1063E2F59BE2FCD2AFAF3D315CB3FC5EB629CEFC168B33CFD65A3A6F1120F7FF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...U..f.........." ......... ......P.....................................................`..........................................9.......:..d....`.......P...............p..(...@3..............................`3..8............0...............................text...H........................... ..`.rdata.......0......................@..@.data...H....@.......,..............@....pdata.......P......................@..@.rsrc........`.......2..............@..@.reloc..(....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_SHA1.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	5.671305741258107
Encrypted:	false
SSDEEP:	384:APHoDUntQj0sKhDOJ+0QPSfu6rofDjiZzgE+kbwb:VUOYsKNO466DjoUE+
MD5:	556E6D0E5F8E4DA74C2780481105D543
SHA1:	7A49CDEF738E9FE9CD6CD62B0F74EAD1A1774A33
SHA-256:	247B0885CF83375211861F37B6DD1376AED5131D621EE0137A60FE7910E40F8B
SHA-512:	28FA0CE6BDBCC5E95B80AADC284C12658EF0C2BE63421AF5627776A55050EE0EA0345E30A15B744FC2B2F5B1B1BBB61E4881F27F6E3E863EBAAEED1073F4CDA1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h..9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...R..f.........." ...............P.....................................................`..........................................H......hI..d....p.......`..X...............(....A...............................A..8............@...............................text....).......*.................. ..`.rdata.......@......................@..@.data........P.......<..............@....pdata..X....`.......>..............@..@.rsrc........p.......B..............@..@.reloc..(............D..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_SHA224.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	5.878701941774916
Encrypted:	false
SSDEEP:	384:EJWo4IRCGHX1KXqHGcvYHp5RYcARQOj4MSTjqgPmJD1OhgkxEv:EcIRnHX1P/YtswvaD1Rk
MD5:	2F2655A7BBFE08D43013EDDA27E77904
SHA1:	33D51B6C423E094BE3E34E5621E175329A0C0914
SHA-256:	C734ABBD95EC120CB315C43021C0E1EB1BF2295AF9F1C24587334C3FCE4A5BE1
SHA-512:	8AF99ACC969B0E560022F75A0CDCAA85D0BDEADADEACD59DD0C4500F94A5843EA0D4107789C1A613181B1F4E5252134A485EF6B1D9D83CDB5676C5FEE4D49B90
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...S..f.........." .....6... ......P.....................................................`.........................................@Z......([..d............p..................(....R...............................R..8............P...............................text....5.......6.................. ..`.rdata..x....P.......:..............@..@.data........`.......J..............@....pdata.......p.......L..............@..@.rsrc................P..............@..@.reloc..(............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_SHA256.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	5.881781476285865
Encrypted:	false
SSDEEP:	384:EJWo4IRCGHXfKXqHGcvYHp5RYcARQOj4MSTjqgPmJD12gkxEv:EcIRnHXfP/YtswvaD1zk
MD5:	CDE035B8AB3D046B1CE37EEE7EE91FA0
SHA1:	4298B62ED67C8D4F731D1B33E68D7DC9A58487FF
SHA-256:	16BEA322D994A553B293A724B57293D57DA62BC7EAF41F287956B306C13FD972
SHA-512:	C44FDEE5A210459CE4557351E56B2D357FD4937F8EC8EACEAB842FEE29761F66C2262FCBAAC837F39C859C67FA0E23D13E0F60B3AE59BE29EB9D8ABAB0A572BB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...S..f.........." .....6... ......P.....................................................`.........................................@Z......([..d............p..................(....R...............................R..8............P...............................text....5.......6.................. ..`.rdata..x....P.......:..............@..@.data........`.......J..............@....pdata.......p.......L..............@..@.rsrc................P..............@..@.reloc..(............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_SHA384.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26624
Entropy (8bit):	5.837887867708438
Encrypted:	false
SSDEEP:	768:e839Cc4itui0gel9soFdkO66MlPGXmXcyYDTzks:Ns4u/FZ6nPxMLDvk
MD5:	999D431197D7E06A30E0810F1F910B9A
SHA1:	9BFF781221BCFFD8E55485A08627EC2A37363C96
SHA-256:	AB242B9C9FB662C6F7CB57F7648F33983D6FA3BB0683C5D4329EC2CC51E8C875
SHA-512:	A5DD92DD471ADB44EEFE5919EF9CA3978724E21174DF5B3A9C1F0AB462F928E5A46A460D02417DB7522F5DE3BFEED5EEE6B1EAFAF3E621722E85E72675F7096F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...T..f.........." .....H..."......P.....................................................`..........................................k.......l..d...............................(...pd...............................d..8............`...............................text....F.......H.................. ..`.rdata.......`.......L..............@..@.data................^..............@....pdata...............`..............@..@.rsrc................d..............@..@.reloc..(............f..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_SHA512.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26624
Entropy (8bit):	5.895310340516013
Encrypted:	false
SSDEEP:	768:lcX9Nf4ttui0gel9soFdkO66MlPGXmXc/vDTOvk:a38u/FZ6nPxM3DAk
MD5:	0931ABBF3AED459B1A2138B551B1D3BB
SHA1:	9EC0296DDAF574A89766A2EC035FC30073863AB0
SHA-256:	1729A0DC6B80CB7A3C07372B98B10D3C6C613EA645240878E1FDE6A992FA06F1
SHA-512:	9F970BB4D10B94F525DDDDE307C7DA5E672BBFB3A3866A34B89B56ADA99476724FD690A4396857182749294F67F36DB471A048789FB715D2A7DAF46917FC1947
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...T..f.........." .....H..."......P.....................................................`.........................................@l......(m..d...............................(....d...............................e..8............`...............................text...hG.......H.................. ..`.rdata..x....`.......L..............@..@.data................^..............@....pdata...............`..............@..@.rsrc................d..............@..@.reloc..(............f..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_ghash_clmul.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	4.967737129255606
Encrypted:	false
SSDEEP:	192:dMpWt/1nCuqaL0kt7TsEx2fiTgDZqGF0T7cqgkLgJ:k/k1Ts64DDJyBgkLg
MD5:	5F057A380BACBA4EF59C0611549C0E02
SHA1:	4B758D18372D71F0AA38075F073722A55B897F71
SHA-256:	BCB14DAC6C87C24269D3E60C46B49EFFB1360F714C353318F5BBAA48C79EC290
SHA-512:	E1C99E224745B86EE55822C1DBCB4555A11EC31B72D87B46514917EB61E0258A1C6D38C4F592969C17EB4F0F74DA04BCECA31CF1622720E95F0F20E9631792E8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^J.6?$.6?$.6?$.?G..2?$.dJ%.4?$.}G%.5?$.6?%..?$.dJ!.<?$.dJ .>?$.dJ'.5?$..J,.7?$..J$.7?$..J..7?$..J&.7?$.Rich6?$.........................PE..d...V..f.........." ................P.....................................................`.........................................P8.......8..d....`.......P...............p..(....1...............................1..8............0...............................text............................... ..`.rdata..2....0......................@..@.data...H....@.......(..............@....pdata.......P.......*..............@..@.rsrc........`......................@..@.reloc..(....p.......0..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_ghash_portable.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.007867576025166
Encrypted:	false
SSDEEP:	192:bMt/1nCuqaL0ktPH0T7fwtF4zDn2rGacqgRGd:1/kpU3Yv4zDXqgRGd
MD5:	49BCA1B7DF076D1A550EE1B7ED3BD997
SHA1:	47609C7102F5B1BCA16C6BAD4AE22CE0B8AEE9E9
SHA-256:	49E15461DCB76690139E71E9359F7FCF92269DCCA78E3BFE9ACB90C6271080B2
SHA-512:	8574D7FA133B72A4A8D1D7D9FDB61053BC88C2D238B7AC7D519BE19972B658C44EA1DE433885E3206927C75DD5D1028F74999E048AB73189585B87630F865466
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.:...:...:...3.j.>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...........................PE..d...V..f.........." ................P.....................................................`..........................................8.......8..d....`.......P..X............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data...H....@.......*..............@....pdata..X....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..(....p.......2..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_keccak.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	5.226023387740053
Encrypted:	false
SSDEEP:	384:rfRKTN+HLjRskTdf4WazSTkwjEvuY2bylHDiYIgovg:mcHfRl5pauoSjy5DiE
MD5:	CB5CFDD4241060E99118DEEC6C931CCC
SHA1:	1E7FED96CF26C9F4730A4621CA9D18CECE3E0BCE
SHA-256:	A8F809B6A417AF99B75EEEEA3ECD16BDA153CBDA4FFAB6E35CE1E8C884D899C4
SHA-512:	8A89E3563C14B81353D251F9F019D8CBF07CB98F78452B8522413C7478A0D77B9ABF2134E4438145D6363CDA39721D2BAE8AD13D1CDACCBB5026619D95F931CF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...U..f.........." ..... ... ......P.....................................................`..........................................9.......9..d....`.......P..X............p..(...p2...............................2..8............0...............................text............ .................. ..`.rdata..@....0.......$..............@..@.data........@.......4..............@....pdata..X....P.......6..............@..@.rsrc........`.......:..............@..@.reloc..(....p.......<..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Hash\_poly1305.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.262055670423592
Encrypted:	false
SSDEEP:	192:C/ZN2eq/b04PAHH41F6fnVS0sVn+5CA5Z1cD66WGcqgFjLg:vI4IHHaQfSVnCZyDImgFjLg
MD5:	18D2D96980802189B23893820714DA90
SHA1:	5DEE494D25EB79038CBC2803163E2EF69E68274C
SHA-256:	C2FD98C677436260ACB9147766258CB99780A007114AED37C87893DF1CF1A717
SHA-512:	0317B65D8F292332C5457A6B15A77548BE5B2705F34BB8F4415046E3E778580ABD17B233E6CC2755C991247E0E65B27B5634465646715657B246483817CACEB7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...V..f.........." ................P.....................................................`..........................................8.......9..d....`.......P..\|............p..(....1...............................1..8............0...............................text............................... ..`.rdata.......0......."..............@..@.data........@.......0..............@....pdata..\|....P.......2..............@..@.rsrc........`.......6..............@..@.reloc..(....p.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Math\_modexp.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.913843738203007
Encrypted:	false
SSDEEP:	384:dspbXtHQY4ubrttQza9CHnZXQsnecAlOF0qZLAXxQI3Sya6XPpMg3Yx8MnDcCPSq:7Y44UagH6cAFCLUSYpMg3YDzPo5kG9G
MD5:	EF472BA63FD22922CA704B1E7B95A29E
SHA1:	700B68E7EF95514D5E94D3C6B10884E1E187ACD8
SHA-256:	66EEF4E6E0CEEEF2C23A758BFBEDAE7C16282FC93D0A56ACAFC40E871AC3F01C
SHA-512:	DC2060531C4153C43ABF30843BCB5F8FA082345CA1BB57F9AC8695EDDB28FF9FDA8132B6B6C67260F779D95FCADCAE2811091BCA300AB1E041FAE6CC7B50ABD8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..P~...~...~...w.3.x...,...\|...5...}...~...U...,...u...,...v...,...}.......\|............._.............Rich~...................PE..d...^..f.........." .....`...0......`.....................................................`..........................................~..\|...L...d...............<...............(....q...............................q..8............p..(............................text...X^.......`.................. ..`.rdata.......p.......d..............@..@.data................x..............@....pdata..<...........................@..@.rsrc...............................@..@.reloc..(...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Protocol\_scrypt.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.735350805948923
Encrypted:	false
SSDEEP:	192:rhsC3eqv6b0q3OQ3rHu5bc64OhD2I/p3cqgONLg:r/Hq3jHuY64OhDJJgONLg
MD5:	3B1CE70B0193B02C437678F13A335932
SHA1:	063BFD5A32441ED883409AAD17285CE405977D1F
SHA-256:	EB2950B6A2185E87C5318B55132DFE5774A5A579259AB50A7935A7FB143EA7B1
SHA-512:	0E02187F17DFCFD323F2F0E62FBFE35F326DCF9F119FC8B15066AFAEEE4EB7078184BC85D571B555E9E67A2DD909EC12D8A67E3D075E9B1283813EF274E05C0D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^:.6?T.6?T.6?T.?G..2?T.dJU.4?T.}GU.5?T.6?U..?T.dJQ.<?T.dJP.>?T.dJW.5?T..J\.7?T..JT.7?T..J..7?T..JV.7?T.Rich6?T.........................PE..d...Z..f.........." ................P.....................................................`..........................................8..d....8..d....`.......P..4............p..(....1...............................1..8............0...............................text...H........................... ..`.rdata..0....0......................@..@.data........@.......&..............@....pdata..4....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..(....p......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\PublicKey\_curve25519.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22528
Entropy (8bit):	5.705606408072877
Encrypted:	false
SSDEEP:	384:19BcRxBmau38CYIl9bhgIW0mvufueNr359/tjGGDEFSegqrA:NcRy38J+9dmvufFtaGDV
MD5:	FF33C306434DEC51D39C7BF1663E25DA
SHA1:	665FCF47501F1481534597C1EAC2A52886EF0526
SHA-256:	D0E3B6A2D0E073B2D9F0FCDB051727007943A17A4CA966D75EBA37BECDBA6152
SHA-512:	66A909DC9C3B7BD4050AA507CD89B0B3A661C85D33C881522EC9568744953B698722C1CBFF093F9CBCD6119BD527FECAB05A67F2E32EC479BE47AFFA4377362C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.g.:...:...:...3...>...h...8...q...9...:.......h...1...h...2...h...9.......;.......;.......;.......;...Rich:...................PE..d...\..f.........." .....6...$......P.....................................................`.........................................`Y......`Z..d............p..................(....R..............................0R..8............P...............................text...(5.......6.................. ..`.rdata.......P.......:..............@..@.data........`.......J..............@....pdata.......p.......P..............@..@.rsrc................T..............@..@.reloc..(............V..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\PublicKey\_curve448.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	6.0189903352673655
Encrypted:	false
SSDEEP:	1536:Jfju4GgRMgWWnEDZiECgd/iwOXUQdbhov0Clb8Cx4hpK8ithLFIDullRPwDHxXOa:pXRMgWiEDZiECgd/iwOXUQdbhov0ClbU
MD5:	F267BF4256F4105DAD0D3E59023011ED
SHA1:	9BC6CA0F375CE49D5787C909D290C07302F58DA6
SHA-256:	1DDE8BE64164FF96B2BAB88291042EB39197D118422BEE56EB2846E7A2D2F010
SHA-512:	A335AF4DBF1658556ED5DC13EE741419446F7DAEC6BD2688B626A803FA5DD76463D6367C224E0B79B17193735E2C74BA417C26822DAEEF05AC3BAB1588E2DE83
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..P~...~...~...w.3.x...,...\|...5...}...~...U...,...u...,...v...,...}.......\|............._.............Rich~...................PE..d...\..f.........." .........8......`........................................P............`.............................................0.......d....0....... ..$............@..(.......................................8............................................text...8........................... ..`.rdata..............................@..@.data...............................@....pdata..$.... ......................@..@.rsrc........0......................@..@.reloc..(....@......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\PublicKey\_ec_ws.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	770560
Entropy (8bit):	7.613224993327352
Encrypted:	false
SSDEEP:	12288:XtIrHoxJ8gf1266y8IXhJvCKAmqVLzcrZgYIMGv1iLD9yQvG6h:XtIrHoxJFf1p34hcrn5Go9yQO6
MD5:	1EFD7F7CB1C277416011DE6F09C355AF
SHA1:	C0F97652AC2703C325AB9F20826A6F84C63532F2
SHA-256:	AB45FA80A68DB1635D41DC1A4AAD980E6716DAC8C1778CB5F30CDB013B7DF6E6
SHA-512:	2EC4B88A1957733043BBD63CEAA6F5643D446DB607B3267FAD1EC611E6B0AF697056598AAC2AE5D44AB2B9396811D183C32BCE5A0FF34E583193A417D1C5226B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........s.. .. .. ... .. ..!.. ..!.. .. .. ..!.. ..!.. ..!.. \..!.. \..!.. \.r .. \..!.. Rich.. ................PE..d...[..f.........." ................`.....................................................`.............................................h.......d...............................0......................................8...............(............................text............................... ..`.rdata..............................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..0...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\PublicKey\_ed25519.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26112
Entropy (8bit):	5.8551858881598795
Encrypted:	false
SSDEEP:	384:BczadRwoF2MZ81n0XTyMCYIl9bhgIW0mv8aeadRcwRwftjGLD2pRQNgQQ77k:2udRf2MuMJ+9dmv8aea34taLDcfQ
MD5:	C5FB377F736ED731B5578F57BB765F7A
SHA1:	5BA51E11F4DE1CAEDEBA0F7D4D10EC62EC109E01
SHA-256:	32073DF3D5C85ABCE7D370D6E341EF163A8350F6A9EDC775C39A23856CCFDD53
SHA-512:	D361BCDAF2C700D5A4AC956D96E00961432C05A1B692FC870DB53A90F233A6D24AA0C3BE99E40BD8E5B7C6C1B2BCDCDCFC545292EF321486FFC71C5EA7203E6A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~.G.:.).:.).:.).3...>.).h.(.8.).q.(.9.).:.(...).h.,.1.).h.-.2.).h.*.9.)...!.;.)...).;.).....;.)...+.;.).Rich:.).........................PE..d...]..f.........." .....B...&......P.....................................................`..........................................i..0....k..d...............................(... b..............................@b..8............`...............................text....A.......B.................. ..`.rdata..P....`.......F..............@..@.data........p.......V..............@....pdata...............^..............@..@.rsrc................b..............@..@.reloc..(............d..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\PublicKey\_ed448.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84992
Entropy (8bit):	6.064677498000638
Encrypted:	false
SSDEEP:	1536:BrYNvxcZeLrIeNs2qkTwe57DsuP45PqAqVDK9agdUiwOXyQdDrov0slb8gx4TBKW:Br4vxcZeLrIeN1TvHsuP45yAqVDK9ag3
MD5:	8A0C0AA820E98E83AC9B665A9FD19EAF
SHA1:	6BF5A14E94D81A55A164339F60927D5BF1BAD5C4
SHA-256:	4EE3D122DCFFE78E6E7E76EE04C38D3DC6A066E522EE9F7AF34A09649A3628B1
SHA-512:	52496AE7439458DEDB58A65DF9FFDCC3A7F31FC36FE7202FB43570F9BB03ABC0565F5EF32E5E6C048ED3EBC33018C19712E58FF43806119B2FB5918612299E7E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..P~...~...~...w.3.x...,...\|...5...}...~...U...,...u...,...v...,...}.......\|............._.............Rich~...................PE..d...^..f.........." .........8......`.....................................................`..........................................C..h...HE..d....p.......`..l...............(....1...............................1..8............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......4..............@....pdata..l....`.......>..............@..@.rsrc........p.......H..............@..@.reloc..(............J..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Util\_cpuid_c.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.675380950473425
Encrypted:	false
SSDEEP:	96:frQRpBddzAvzrqTOy/ThIz014mlxuLnkC75JiSBhsPeSztllIDpqf4AZaRcX6gnO:Qddz2KTnThIz0qfteRIDgRWcqgnCWt
MD5:	44B930B89CE905DB4716A548C3DB8DEE
SHA1:	948CBFF12A243C8D17A7ACD3C632EE232DF0F0ED
SHA-256:	921C2D55179C0968535B20E9FD7AF55AD29F4CE4CF87A90FE258C257E2673AA5
SHA-512:	79DF755BE8B01D576557A4CB3F3200E5EE1EDE21809047ABB9FF8D578C535AC1EA0277EDA97109839A7607AF043019F2C297E767441C7E11F81FDC87FD1B6EFC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@................../....../...../......+.......*......-......&....................,....Rich...........................PE..d...X..f.........." ................P........................................p............`.........................................@'..\|....'..P....P.......@...............`..(....!...............................!..8............ ...............................text............................... ..`.rdata....... ......................@..@.data...H....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..(....`.......&..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Util\_strxor.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.625428549874022
Encrypted:	false
SSDEEP:	96:flipBddzAvzrqTOy/ThIz014mlxuLnkC75JiSBhsPeSzteXuDVZqYNIfcX6gHCWx:Cddz2KTnThIz0qfteR5DVwYkcqgHCWt
MD5:	F24F9356A6BDD29B9EF67509A8BC3A96
SHA1:	A26946E938304B4E993872C6721EB8CC1DCBE43B
SHA-256:	034BB8EFE3068763D32C404C178BD88099192C707A36F5351F7FDB63249C7F81
SHA-512:	C4D3F92D7558BE1A714388C72F5992165DD7A9E1B4FA83B882536030542D93FDAD9148C981F76FFF7868192B301AC9256EDB8C3D5CE5A1A2ACAC183F96C1028B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@................../....../...../......+.......*......-......&....................,....Rich...........................PE..d...Z..f.........." ................P........................................p............`......................................... '..t....'..P....P.......@...............`..(....!...............................!..8............ ...............................text...h........................... ..`.rdata..`.... ......................@..@.data...H....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..(....`.......&..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	109392
Entropy (8bit):	6.641929675972235
Encrypted:	false
SSDEEP:	1536:GcghbEGyzXJZDWnEzWG9q4lVOiVgXjO5/woecbq8qZHg2zuCS+zuecL:GV3iC0h9q4v6XjKwoecbq8qBTq+1cL
MD5:	4585A96CC4EEF6AAFD5E27EA09147DC6
SHA1:	489CFFF1B19ABBEC98FDA26AC8958005E88DD0CB
SHA-256:	A8F950B4357EC12CFCCDDC9094CCA56A3D5244B95E09EA6E9A746489F2D58736
SHA-512:	D78260C66331FE3029D2CC1B41A5D002EC651F2E3BBF55076D65839B5E3C6297955AFD4D9AB8951FBDC9F929DBC65EB18B14B59BCE1F2994318564EB4920F286
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........u...u...u.E.t...u.....u...t...u..v...u..q...u..p...u..u...u......u..w...u.Rich..u.........PE..d..._#;..........." ...".....`......................................................=.....`A........................................`C..4....K...............p.......\..PO...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......D..............@....pdata.......p.......H..............@..@_RDATA..\............T..............@..@.rsrc................V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\VCRUNTIME140_1.dll

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49520
Entropy (8bit):	6.65700274508223
Encrypted:	false
SSDEEP:	768:YEgYXUcHJcUJSDW/tfxL1qBSHGm6Ub/I2Hi09z0XQKBcRmuU9zuKl:YvGS8fZ1esJwUpz0X3B+d8zuKl
MD5:	7E668AB8A78BD0118B94978D154C85BC
SHA1:	DBAC42A02A8D50639805174AFD21D45F3C56E3A0
SHA-256:	E4B533A94E02C574780E4B333FCF0889F65ED00D39E32C0FBBDA2116F185873F
SHA-512:	72BB41DB17256141B06E2EAEB8FC65AD4ABDB65E4B5F604C82B9E7E7F60050734137D602E0F853F1A38201515655B6982F2761EE0FA77C531AA58591C95F0032
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............L...L...L...M...L...M...L.FL...L...L...L...M...L...M...L...M...L...M...L..*L...L...M...LRich...L........................PE..d....J.$.........." ...".<...8.......A....................................................`A........................................0m.......m..x....................r..pO......D....c..p...........................pb..@............P..h............................text...0:.......<.................. ..`.rdata..."...P...$...@..............@..@.data................d..............@....pdata...............f..............@..@.rsrc................l..............@..@.reloc..D............p..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\_asyncio.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	71448
Entropy (8bit):	6.243013214204417
Encrypted:	false
SSDEEP:	1536:nhaPPkvDcBlqCTFFQ/ObfW11swNIGOnL7SyaeCxT:hanCDcnqCJFOObfW11swNIGOnLoeE
MD5:	2CD68FF636394D3019411611E27D0A3B
SHA1:	DA369C5D1A32F68639170D8A265A9EA49C2C8EBD
SHA-256:	0D4FBD46F922E548060EA74C95E99DC5F19B1DF69BE17706806760515C1C64FE
SHA-512:	37388D137454F52057B2376D95ABCC955FA1EDC3E20B96445FA45D1860544E811DF0C547F221C8671DC1A4D90262BB20F3B9F114252F3C47A8C3829951A2CE51
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B:.T.[...[...[...#*..[...'...[...'...[...'...[...'...[...&...[..M#...[...[...[...&...[...&...[...&F..[...&...[..Rich.[..........................PE..d...Q..e.........." ...#.f................................................... ......A&....`.............................................P......d......................../..............T...........................@...@............................................text...)d.......f.................. ..`.rdata..`O.......P...j..............@..@.data...(...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84760
Entropy (8bit):	6.584507188180646
Encrypted:	false
SSDEEP:	1536:FFzZz757cav+IuK66nlxX8W8LsANVIGCV87SyixL7:DzZzq6n3MhLsMVIGCV8O7
MD5:	C7CE973F261F698E3DB148CCAD057C96
SHA1:	59809FD48E8597A73211C5DF64C7292C5D120A10
SHA-256:	02D772C03704FE243C8DE2672C210A5804D075C1F75E738D6130A173D08DFCDE
SHA-512:	A924750B1825747A622EEF93331FD764D824C954297E37E8DC93A450C11AA7AB3AD7C3B823B11656B86E64DE3CD5D409FDA15DB472488DFAA4BB50341F0B29D1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w.l.3...3...3...:...9......1......0......>......;......7.......0...x...1...3...l.......;.......2.......2.......2...Rich3...................PE..d...f..e.........." ...#.....^...............................................P.......@....`.............................................H............0....... ..,......../...@..........T...........................p...@............................................text............................... ..`.rdata..p>.......@..................@..@.data...............................@....pdata..,.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\_cffi_backend.cp312-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	179712
Entropy (8bit):	6.180800197956408
Encrypted:	false
SSDEEP:	3072:IULjhBCx8qImKrUltSfGzdMcbb9CF8OS7jkSTLkKWlgeml:IgCeqImzSfIMcNCvOkSTLLWWem
MD5:	FCB71CE882F99EC085D5875E1228BDC1
SHA1:	763D9AFA909C15FEA8E016D321F32856EC722094
SHA-256:	86F136553BA301C70E7BADA8416B77EB4A07F76CCB02F7D73C2999A38FA5FA5B
SHA-512:	4A0E98AB450453FD930EDC04F0F30976ABB9214B693DB4B6742D784247FB062C57FAFAFB51EB04B7B4230039AB3B07D2FFD3454D6E261811F34749F2E35F04D6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......a..#%p.p%p.p%p.p,..p)p.p5.q'p.p5.zp!p.p5.q!p.p5.q-p.p5.q)p.pn..q!p.p6.q&p.p%p.p.p.pm..q!p.p,..p$p.pm..q$p.pm.xp$p.pm..q$p.pRich%p.p........................PE..d...W..f.........." ...).....B......`........................................0............`..........................................h..l....i..................T............ .......O...............................M..@............................................text............................... ..`.rdata..............................@..@.data....].......0...p..............@....pdata..T...........................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	124696
Entropy (8bit):	6.1345016966871455
Encrypted:	false
SSDEEP:	3072:kuiS11BYNd+5AWdu41qOqJ/f/EX4lCPIWu1ptpIGLP+z:Pl1U+Ke/16f/ExWI
MD5:	10FDCF63D1C3C3B7E5861FBB04D64557
SHA1:	1AA153EFEC4F583643046618B60E495B6E03B3D7
SHA-256:	BC3B83D2DC9E2F0E6386ED952384C6CF48F6EED51129A50DFD5EF6CBBC0A8FB3
SHA-512:	DC702F4100ED835E198507CD06FA5389A063D4600FC08BE780690D729AB62114FD5E5B201D511B5832C14E90A5975ED574FC96EDB5A9AB9EB83F607C7A712C7F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>...z.z.z.s...\|....x....v....r....~.....x.1...{.1...\|.....y.z.......\|.....{...o.{.....{.Richz.................PE..d...c..e.........." ...#............p^..............................................".....`..........................................`.......a.........................../......p.......T...............................@............................................text............................... ..`.rdata...l.......n..................@..@.data....4.......0...h..............@....pdata..............................@..@.rsrc...............................@..@.reloc..p...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	253208
Entropy (8bit):	6.567915765795386
Encrypted:	false
SSDEEP:	6144:DV0lmIvcruIDCiryrjqPBTn9qWM53pLW1AuDRRRctULoT3TdTx:SN0rQiryr8TaV+QTdTx
MD5:	21C73E7E0D7DAD7A1FE728E3B80CE073
SHA1:	7B363AF01E83C05D0EA75299B39C31D948BBFE01
SHA-256:	A28C543976AA4B6D37DA6F94A280D72124B429F458D0D57B7DBCF71B4BEA8F73
SHA-512:	0357102BFFC2EC2BC6FF4D9956D6B8E77ED8558402609E558F1C1EBC1BACA6AEAA5220A7781A69B783A54F3E76362D1F74D817E4EE22AAC16C7F8C86B6122390
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@.R.!...!...!...Y=..!..+]...!..+]...!..+]...!..+]...!..M\...!...Y...!...!...!..M\...!..M\...!..M\...!..M\Q..!..M\...!..Rich.!..........PE..d...T..e.........." ...#.v...<......\|.....................................................`..........................................T..P....T...................'......./......P...`...T........................... ...@............................................text....t.......v.................. ..`.rdata...............z..............@..@.data....*...p...$...R..............@....pdata...'.......(...v..............@..@.rsrc...............................@..@.reloc..P...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	64792
Entropy (8bit):	6.219813461442214
Encrypted:	false
SSDEEP:	1536:CQGllrIdcGuzZc94cVM7gDX4NIGOI67Sy+xzn1:I6cvz+9IgDX4NIGOI6Sn1
MD5:	F495D1897A1B52A2B15C20DCECB84B47
SHA1:	8CB65590A8815BDA58C86613B6386B5982D9EC3F
SHA-256:	E47E76D70D508B62924FE480F30E615B12FDD7745C0AAC68A2CDDABD07B692AE
SHA-512:	725D408892887BEBD5BCF040A0ECC6A4E4B608815B9DEA5B6F7B95C812715F82079896DF33B0830C9F787FFE149B8182E529BB1F78AADD89DF264CF8853EE4C4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........u...&...&...&.U&...&u..'...&u..'...&u..'...&u..'...&...'...&...'...&...&M..&...'...&...'...&..9&...&...'...&Rich...&........PE..d......e.........." ...#.R...~.......>..............................................'.....`.............................................P.............................../......X....\|..T............................{..@............p..(............................text...7P.......R.................. ..`.rdata...N...p...P...V..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..X...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	159512
Entropy (8bit):	6.841828996170163
Encrypted:	false
SSDEEP:	3072:RmuEE9tZBoI+1hINrznfB9mNoNSn2Vh/VDxuVIGZ1L6E:RmuFPobkNpYONnvfuCE
MD5:	4E2239ECE266230ECB231B306ADDE070
SHA1:	E807A078B71C660DB10A27315E761872FFD01443
SHA-256:	34130D8ABE27586EE315262D69AF4E27429B7EAB1F3131EA375C2BB62CF094BE
SHA-512:	86E6A1EAB3529E600DD5CAAB6103E34B0F618D67322A5ECF1B80839FAA028150C492A5CF865A2292CC8584FBA008955DA81A50B92301583424401D249C5F1401
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........TB#.5,p.5,p.5,p.M.p.5,p.I-q.5,p.I)q.5,p.I(q.5,p.I/q.5,pnH-q.5,p.M-q.5,p.5-p.5,pnH!q.5,pnH,q.5,pnH.p.5,pnH.q.5,pRich.5,p........PE..d......e.........." ...#.d..........06....................................................`......................................... %..L...l%..x....p.......P.......@.../......4.......T...........................p...@............................................text...:b.......d.................. ..`.rdata..............h..............@..@.data...(....@......................@....pdata.......P....... ..............@..@.rsrc........p.......4..............@..@.reloc..4............>..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\_multiprocessing.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	35096
Entropy (8bit):	6.456173627081832
Encrypted:	false
SSDEEP:	768:VAIvrenSE0PkA9c0ji+m9IGWte5YiSyv2pAAMxkEn:6ITQSH9c0jlm9IGWtU7SyOOxj
MD5:	811BCEE2F4246265898167B103FC699B
SHA1:	AE3DE8ACBA56CDE71001D3796A48730E1B9C7CCE
SHA-256:	FB69005B972DC3703F9EF42E8E0FDDF8C835CB91F57EF9B6C66BBDF978C00A8C
SHA-512:	1F71E23CE4B6BC35FE772542D7845DCBEA2A34522BA0468B61CB05F9ABAB7732CBF524BCFF498D1BD0B13B5E8A45C373CCA19AD20E5370F17259E281EDF344BE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........)*.wGy.wGy.wGy...y.wGy'.Fx.wGy'.Bx.wGy'.Cx.wGy'.Dx.wGyA.Fx.wGy.wFy.wGy..Fx.wGyA.Jx.wGyA.Gx.wGyA..y.wGyA.Ex.wGyRich.wGy........................PE..d...W..e.........." ...#.....>......P.....................................................`.........................................0E..`....E..x............p.......Z.../...........4..T............................3..@............0...............................text............................... ..`.rdata..r ...0..."..."..............@..@.data........`.......D..............@....pdata.......p.......J..............@..@.rsrc................N..............@..@.reloc...............X..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\_overlapped.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	55576
Entropy (8bit):	6.3454178187323755
Encrypted:	false
SSDEEP:	1536:2ND3ua5sIRL9EiqXxpNdtrtBIGXtz7SyNxM:2NjOiUpNdPBIGXtzi
MD5:	F9C67280538408411BE9A7341B93B5B0
SHA1:	CCF776CD2483BC83B48B1DB322D7B6FCAB48356E
SHA-256:	5D298BB811037B583CFF6C88531F1742FAE5EEE47C290ADB47DDBD0D6126B9CC
SHA-512:	AF2156738893EF504D582ACE6750B25BC42AD1EC8A92E0550CE54810706D854F37A82F38EB965A537CAD5D35C0178C5EB7B4D20DB2A95BEBFECF9A13C0592646
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........\|!{X.O(X.O(X.O(Qe.(\.O(.aN)Z.O(.aJ)T.O(.aK)P.O(.aL)[.O(.`N)Z.O(X.N(/.O(.eN)].O(.eK)Y.O(.`B)Y.O(.`O)Y.O(.`.(Y.O(.`M)Y.O(RichX.O(................PE..d...V..e.........." ...#.L...`......P...............................................wC....`.............................................X...X............................/......(....f..T...........................`e..@............`...............................text....J.......L.................. ..`.rdata..D8...`...:...P..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..(...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32536
Entropy (8bit):	6.464181935983508
Encrypted:	false
SSDEEP:	768:/k+Ea6rfMkAYY0J/MpIGQUG5YiSyvHAMxkEJ5YSv:8tfHY0JEpIGQU87SyPx/Y+
MD5:	6E00E0821BB519333CCFD4E61A83CB38
SHA1:	3550A41BB2EA54F456940C4D1940ACAB36815949
SHA-256:	2AD02D49691A629F038F48FCDEE46A07C4FCC2CB0620086E7B09AC11915AE6B7
SHA-512:	C3F8332C10B58F30E292676B48ECF1860C5EF9546367B87E90789F960C91EAE4D462DD3EE9CB14F603B9086E81B6701AAB56DA5B635B22DB1E758ED0A983E562
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B:W\.[9..[9..[9..#...[9..'8..[9..'<..[9..'=..[9..':..[9..&8..[9.M#8..[9..[8.M[9..&4..[9..&9..[9..&...[9..&;..[9.Rich.[9.........................PE..d...Y..e.........." ...#.....8.......................................................a....`..........................................C..L....C..d....p.......`.......P.../..........p4..T...........................03..@............0..8............................text............................... ..`.rdata.......0......................@..@.data........P.......<..............@....pdata.......`.......@..............@..@.rsrc........p.......D..............@..@.reloc...............N..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83224
Entropy (8bit):	6.340320871656589
Encrypted:	false
SSDEEP:	1536:ZUuhzLx79flWrqcqtpjly+uCo9/s+S+pzcHQ6B48/VI9dsSbxntpIGLwIU7SyZxL:ZU6zLRNawRy+uCo9/sT+pzuXxVIbsSde
MD5:	899380B2D48DF53414B974E11BB711E3
SHA1:	F1D11F7E970A7CD476E739243F8F197FCB3AD590
SHA-256:	B38E66E6EE413E5955EF03D619CADD40FCA8BE035B43093D2342B6F3739E883E
SHA-512:	7426CA5E7A404B9628E2966DAE544F3E8310C697145567B361825DC0B5C6CD87F2CAF567DEF8CD19E73D68643F2F38C08FF4FF0BB0A459C853F241B8FDF40024
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........J./.+z\|.+z\|.+z\|.S.\|.+z\|.W{}.+z\|.W.}.+z\|.W~}.+z\|.Wy}.+z\|}V{}.+z\|.+{\|.+z\|.S{}.+z\|}Vw}.+z\|}Vz}.+z\|}V.\|.+z\|}Vx}.+z\|Rich.+z\|................PE..d......e.........." ...#.v...........-.......................................`...........`.............................................P............@.......0.........../...P..........T...............................@............................................text....u.......v.................. ..`.rdata...x.......z...z..............@..@.data...H...........................@....pdata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\_sqlite3.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	124696
Entropy (8bit):	6.2652662506859444
Encrypted:	false
SSDEEP:	3072:fZIPlR6TxhNO7/9CO4w5yIFGcXcpVNIGOQyl:RjFHO7kC56cXuo
MD5:	CEE93C920951C1169B615CB6330CEDDA
SHA1:	EF2ABF9F760DB2DE0BD92AFE8766A0B798CF8167
SHA-256:	FF25BDBEEF34D2AA420A79D3666C2660E7E3E96259D1F450F1AF5268553380EC
SHA-512:	999D324448BB39793E4807432C697F01F8922B0ABA4519A21D5DC4F4FC8E9E4737D7E104B205B931AF753EDA65F61D0C744F12BE84446F9C6CB3C2A5B35B773C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@.g...g...g.......g..../..g......g....+..g....*..g....-..g..q./..g..../..g...g/..f..q.#..g..q....g..q...g..q.,..g..Rich.g..........PE..d......e.........." ...#.............................................................-....`.........................................po..P....o..................8......../.......... ...T...............................@............................................text............................... ..`.rdata..............................@..@.data...8............\|..............@....pdata..8...........................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	177432
Entropy (8bit):	5.975354635226847
Encrypted:	false
SSDEEP:	3072:KXGEr/16/nJxNOJW5NT6X3l44K5WOSCSVRJNI7IM/cbP7RHs3J7VIGC7hN:Y/r/16/nDNPT6X3l1CMVS7i
MD5:	9B4E74FD1DE0F8A197E4AA1E16749186
SHA1:	833179B49EB27C9474B5189F59ED7ECF0E6DC9EA
SHA-256:	A4CE52A9E0DADDBBE7A539D1A7EDA787494F2173DDCC92A3FAF43B7CF597452B
SHA-512:	AE72B39CB47A859D07A1EE3E73DE655678FE809C5C17FFD90797B5985924DDB47CEB5EBE896E50216FB445526C4CBB95E276E5F3810035B50E4604363EB61CD4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U.k.4.8.4.8.4.8.L)8.4.8.H.9.4.8.H.9.4.8.H.9.4.8.H.9.4.8kI.9.4.8.4.8#5.8.L.9.4.8kI.9.4.8kI.9.4.8kIE8.4.8kI.9.4.8Rich.4.8........................PE..d......e.........." ...#............\,....................................................`......................................... ...d.......................8......../......x...@...T...............................@............................................text.............................. ..`.rdata...!......."..................@..@.data...(...........................@....pdata..8............^..............@..@.rsrc................j..............@..@.reloc..x............t..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\_uuid.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25368
Entropy (8bit):	6.6272949891352315
Encrypted:	false
SSDEEP:	384:lrfwHnEWGQiAQVIGZwJXHQIYiSy1pCQ4XAM+o/8E9VF0NyqzJSj:dQnEIHQVIGZw95YiSyv8AMxkEqw
MD5:	3C8737723A903B08D5D718336900FD8C
SHA1:	2AD2D0D50F6B52291E59503222B665B1823B0838
SHA-256:	BB418E91E543C998D11F9E65FD2A4899B09407FF386E059A88FE2A16AED2556B
SHA-512:	1D974EC1C96E884F30F4925CC9A03FB5AF78687A267DEC0D1582B5D7561D251FB733CF733E0CC00FAEE86F0FEF6F73D36A348F3461C6D34B0238A75F69320D10
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<p.R#.R#.R#...#.R#i.S".R#i.W".R#i.V".R#i.Q".R#..S".R#..S".R#.S#..R#..Z".R#..R".R#...#.R#..P".R#Rich.R#........................PE..d...]..e.........." ...#.....&...... ........................................p......wz....`.........................................`)..L....)..x....P.......@.......4.../...`..@...`#..T........................... "..@............ ..8............................text...h........................... ..`.rdata....... ......................@..@.data........0.......$..............@....pdata.......@.......&..............@..@.rsrc........P.......(..............@..@.reloc..@....`.......2..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\_wmi.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36632
Entropy (8bit):	6.364173312940401
Encrypted:	false
SSDEEP:	768:PgMwnWGwMtUTA7LlVIGCilx5YiSyvzAMxkEaFy:PgMwWGJtGA7LlVIGCih7Syrx+g
MD5:	EE33F4C8D17D17AD62925E85097B0109
SHA1:	8C4A03531CF3DBFE6F378FDAB9699D51E7888796
SHA-256:	79ADCA5037D9145309D3BD19F7A26F7BB7DA716EE86E01073C6F2A9681E33DAD
SHA-512:	60B0705A371AD2985DB54A91F0E904EEA502108663EA3C3FB18ED54671BE1932F4F03E8E3FD687A857A5E3500545377B036276C69E821A7D6116B327F5B3D5C1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._\...=.@.=.@.=.@.En@.=.@.A.A.=.@.A.A.=.@.A.A.=.@.@.A.=.@.A.A.=.@PE.A.=.@.=.@A=.@PE.A.=.@.@.A.=.@.@.A.=.@.@.@.=.@.@.A.=.@Rich.=.@........PE..d..._..e.........." ...#.(...:.......&....................................................`..........................................T..H....T...............p..`....`.../......t...DG..T............................C..@............@.......S..@....................text...>&.......(.................. ..`.rdata..D....@... ...,..............@..@.data........`.......L..............@....pdata..`....p.......P..............@..@.rsrc................T..............@..@.reloc..t............^..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\aiohttp\_http_parser.cp312-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	264192
Entropy (8bit):	6.209859454972578
Encrypted:	false
SSDEEP:	6144:qV3aFwGtxiTjweCKvJ1+jLjJML5wir++JTCuG:qV3mxi3wDArolq5wiC
MD5:	40E99EAA1A21C1AA24F575855B52EEC0
SHA1:	0FE9B3B93F77D045B248C36BC5B5D5117C0176B3
SHA-256:	5F93DB706E799D00A3774CE14D078E272F8808867318C1183FDBE60D075D5F5D
SHA-512:	FAD6BF5BBCC7C54DC792A2AB9FAEFAB77DD15233BC86A566AB0B6F27128C0B0609D0E17469F373778A7122E5015D57AE8CA67BAD1D4BD47B92FCE95A47A7AA2C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............zY..zY..zY...Y..zY.q{X..zY.v{X..zY.r{X..zY..{Y..zY.qyX..zY.q~X..zY.q.X..zYuqrX..zYuqzX..zYuq.Y..zYuqxX..zYRich..zY........................PE..d....H?g.........." ...*.(...........+....................................................`.........................................@...........x....`.......@..$............p..\...P...................................@............@...............................text....'.......(.................. ..`.rdata......@.......,..............@..@.data....@..........................@....pdata..$....@......................@..@.rsrc........`......................@..@.reloc..\....p......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\aiohttp\_http_writer.cp312-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49664
Entropy (8bit):	5.798696651761287
Encrypted:	false
SSDEEP:	768:oPriCeqBiVwVJAQ8mK4fE0UYq0olSgEDmYgRE8tJQ:oprimVJtFxEqqAmYg20JQ
MD5:	1412E133574C3D73B77B4964A2A18FE3
SHA1:	240E4A6149FA4AFCE7E857D5544A2A0772F9C9EB
SHA-256:	9E33CAFEA557265EE254373F662ABCE9466952F0CCAE81F774A7F0D0CD34099F
SHA-512:	07C50CADDF6AE80E6CD30DD810F755656D6F6965DB0F9586FD9D339FB551D1F086209495B5AB69DF6339698F585372B4459F14D9AEBF316F4E242B2D0DBD0B94
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~..T:...:...:...3.].8...+d..8...Hc..8...+d..9...+d..2...+d..6...rg..9...:........d..;....d..;....d1.;....d..;...Rich:...........PE..d....H?g.........." ...*.z...........\|.......................................P............`............................................h...H...d....0....... ...............@......p...............................0...@...............P............................text....x.......z.................. ..`.rdata..20.......2...~..............@..@.data....N..........................@....pdata....... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\aiohttp\_websocket\mask.cp312-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.654316966286352
Encrypted:	false
SSDEEP:	384:3FIKmzsyA2+kEyrMxA91WZqJ91cL9U0WJtqpTHl2zwu9L6lBw81eLaZ4Y1exetk0:3ehzcnygxA91bryrczTGbw8kLssqqTH
MD5:	1D59358DA065743D07FB455DE273A25E
SHA1:	82E99FF22B104ED0FE067A20C1B18C04B3155254
SHA-256:	148E0CFFDBCD02E3EB65A6BF2F2B9A8C45BC36C113D92CCDA40408A7D01A6DC9
SHA-512:	FE21A0010A543053919419FB31DD39E810F6EBAF1BC57DC5F89645F195901F354A57EA931AA464A208BB39C1AB0A7D1AC61D60D1B5F5EFED78570FAEC46B2DE6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v..T2...2...2...;.M.0...#d..0...@c..0...#d..1...#d..:...#d..>...zg..1...2........d..3....d..3....d!.3....d..3...Rich2...........................PE..d....H?g.........." ....N...B......`P....................................................`......................................... {..X...x{..d...................................0s...............................q..@............`...............................text....L.......N.................. ..`.rdata...)...`......R..............@..@.data................\|..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\aiohttp\_websocket\reader_c.cp312-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	161792
Entropy (8bit):	6.09154494600188
Encrypted:	false
SSDEEP:	1536:WWN8oZXh2Y/m2/0+AMvRSDFxNYH/9Iw89qV406AgGkbJT0N6ctLU+XqiasgzvtaR:/GoVwY8M5bFIwoqRkYU0qikVXMNkqB
MD5:	5B741F2BCB063D276534D43979FC8945
SHA1:	7E4B63D4856BA1A720BD2CA68F0317B827E30886
SHA-256:	52009B3A55DC0721D7DD70A25C04CC714CE33A954EB2964AC47E527977EECF25
SHA-512:	A246CFAAC9C8D6F21C08EB9CF2F6D311747AF2F67EA6C38D6EE0C8C6CF8C78174425785C3F048038914DE1E93562697E6FEE435AFA5DF7372E0CE43DC67E72A9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b..E&...&...&.../.G."...7U..$...TR..$...7U.."...7U......7U.....nV..%...&........U..'....U..'....U+.'....U..'...Rich&...........PE..d....H?g.........." .....................................................................`......................................... N..`....N..x...............D...................`<.............................. ;..@............................................text............................... ..`.rdata...f.......h..................@..@.data...X$...p.......P..............@....pdata..D............f..............@..@.rsrc................t..............@..@.reloc...............v..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\attrs-24.2.0.dist-info\INSTALLER

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI68642\attrs-24.2.0.dist-info\METADATA

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	Unicode text, UTF-8 text, with very long lines (411)
Category:	dropped
Size (bytes):	11524
Entropy (8bit):	5.211520136058075
Encrypted:	false
SSDEEP:	192:ERsUfi6bkQk+k/kKkegToJWicnJsPVA1oz2dv7COmoKTACoEJdQ/0G6lWg+JdQV5:ERsXpLs3VoJWRnJsPvz2dDCHoKsLgA6z
MD5:	49CABCB5F8DA14C72C8C3D00ADB3C115
SHA1:	F575BECF993ECDF9C6E43190C1CB74D3556CF912
SHA-256:	DC9824E25AFD635480A8073038B3CDFE6A56D3073A54E1A6FB21EDD4BB0F207C
SHA-512:	923DAEEE0861611D230DF263577B3C382AE26400CA5F1830EE309BD6737EED2AD934010D61CDD4796618BEDB3436CD772D9429A5BED0A106EF7DE60E114E505C
Malicious:	false
Preview:	Metadata-Version: 2.3.Name: attrs.Version: 24.2.0.Summary: Classes Without Boilerplate.Project-URL: Documentation, https://www.attrs.org/.Project-URL: Changelog, https://www.attrs.org/en/stable/changelog.html.Project-URL: GitHub, https://github.com/python-attrs/attrs.Project-URL: Funding, https://github.com/sponsors/hynek.Project-URL: Tidelift, https://tidelift.com/subscription/pkg/pypi-attrs?utm_source=pypi-attrs&utm_medium=pypi.Author-email: Hynek Schlawack <hs@ox.cx>.License-Expression: MIT.License-File: LICENSE.Keywords: attribute,boilerplate,class.Classifier: Development Status :: 5 - Production/Stable.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python :: 3.7.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: Programming Language :: Python :: 3.11.Classifier: Programming Language :: Python :: 3.12.Classifier: Programming Languag

C:\Users\user\AppData\Local\Temp\_MEI68642\attrs-24.2.0.dist-info\RECORD

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	3556
Entropy (8bit):	5.809424313364516
Encrypted:	false
SSDEEP:	96:Q9ewBtnJT/oPynEddwBbCobXm9qGmR5VXzskcGD+qLtxO:2ewnXJCKXGeR/XzKiO
MD5:	4B6973D2285295CF5E3A45E64EB7A455
SHA1:	1089F2F3C35303D6D5DD19F0C0F707B9609EE3F2
SHA-256:	2B368DFC37283970C33CC8D4EEC129F668EB99EBF9D3AA27F49A1B149658F2B0
SHA-512:	A5150ECB625A3CFDC3F22C60EB7B16FDBED01CD47505BD520491B477AE24E8C59FFAE2334948122E656F6F0A5F2AF0635B6D976241745583A3D7AF9E3781718D
Malicious:	false
Preview:	attr/__init__.py,sha256=l8Ewh5KZE7CCY0i1iDfSCnFiUTIkBVoqsXjX9EZnIVA,2087..attr/__init__.pyi,sha256=aTVHBPX6krCGvbQvOl_UKqEzmi2HFsaIVm2WKmAiqVs,11434..attr/__pycache__/__init__.cpython-312.pyc,,..attr/__pycache__/_cmp.cpython-312.pyc,,..attr/__pycache__/_compat.cpython-312.pyc,,..attr/__pycache__/_config.cpython-312.pyc,,..attr/__pycache__/_funcs.cpython-312.pyc,,..attr/__pycache__/_make.cpython-312.pyc,,..attr/__pycache__/_next_gen.cpython-312.pyc,,..attr/__pycache__/_version_info.cpython-312.pyc,,..attr/__pycache__/converters.cpython-312.pyc,,..attr/__pycache__/exceptions.cpython-312.pyc,,..attr/__pycache__/filters.cpython-312.pyc,,..attr/__pycache__/setters.cpython-312.pyc,,..attr/__pycache__/validators.cpython-312.pyc,,..attr/_cmp.py,sha256=3umHiBtgsEYtvNP_8XrQwTCdFoZIX4DEur76N-2a3X8,4123..attr/_cmp.pyi,sha256=U-_RU_UZOyPUEQzXE6RMYQQcjkZRY25wTH99sN0s7MM,368..attr/_compat.py,sha256=n2Uk3c-ywv0PkFfGlvqR7SzDXp4NOhWmNV_ZK6YfWoM,2958..attr/_config.py,sha256=z81Vt-GeT_2taxs1XZfmHx9TWlSxjP

C:\Users\user\AppData\Local\Temp\_MEI68642\attrs-24.2.0.dist-info\WHEEL

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	87
Entropy (8bit):	4.730668933656452
Encrypted:	false
SSDEEP:	3:RtEeXAaCTQnP+tPCCfA5I:Rt2PcnWBB3
MD5:	52ADFA0C417902EE8F0C3D1CA2372AC3
SHA1:	B67635615EEF7E869D74F4813B5DC576104825DD
SHA-256:	D7215D7625CC9AF60AED0613AAD44DB57EBA589D0CCFC3D8122114A0E514C516
SHA-512:	BFA87E7B0E76E544C2108EF40B9FAC8C5FF4327AB8EDE9FEB2891BD5D38FEA117BD9EEBAF62F6C357B4DEADDAD5A5220E0B4A54078C8C2DE34CB1DD5E00F2D62
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: hatchling 1.25.0.Root-Is-Purelib: true.Tag: py3-none-any.

C:\Users\user\AppData\Local\Temp\_MEI68642\attrs-24.2.0.dist-info\licenses\LICENSE

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1109
Entropy (8bit):	5.104415762129373
Encrypted:	false
SSDEEP:	24:bGf8rUrmJHHH0yN3gtsHw1hC09QHOsUv4eOk4/+/m3oqLFh:bW8rUaJHlxE3dQHOs5exm3ogFh
MD5:	5E55731824CF9205CFABEAB9A0600887
SHA1:	243E9DD038D3D68C67D42C0C4BA80622C2A56246
SHA-256:	882115C95DFC2AF1EEB6714F8EC6D5CBCABF667CAFF8729F42420DA63F714E9F
SHA-512:	21B242BF6DCBAFA16336D77A40E69685D7E64A43CC30E13E484C72A93CD4496A7276E18137DC601B6A8C3C193CB775DB89853ECC6D6EB2956DEEE36826D5EBFE
Malicious:	false
Preview:	The MIT License (MIT)..Copyright (c) 2015 Hynek Schlawack and the attrs contributors..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to deal.in the Software without restriction, including without limitation the rights.to use, copy, modify, merge, publish, distribute, sublicense, and/or sell.copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in all.copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHE

C:\Users\user\AppData\Local\Temp\_MEI68642\base_library.zip

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1329520
Entropy (8bit):	5.586627513342047
Encrypted:	false
SSDEEP:	12288:uttcY+b+2OGgRF1+fYNXPh26UZWAzCu7jqD9KwdgkVDdYuP0whsA9gCCaYchQ:uttcY+PnCiCAqoNqDdYuPVzEaYchQ
MD5:	9B3C32B54CF69405030D2F787FB0C7DF
SHA1:	B2D906EF86EECEB934E84ACA6985599854B70AE1
SHA-256:	7A55058782C4FEBED8EA12B4CAFF9257ED22F22B3E25BA80593E4265A1E099E8
SHA-512:	40ABBAFA11E80E83514DB17342B0271C4FD23C2380EC7BCAE97F318101561EF64F964BAEC7A6D2AD74111572473C6A728277CEBDEA8BDBEC3192D6A0A958A462
Malicious:	false
Preview:	PK..........!.x[_C............_collections_abc.pyc......................................Z.....d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.............Z...e.d.........Z.d...Z...e.e.........Z.[.g.d...Z.d.Z...e...e.d.................Z...e...e...e.........................Z...e...e.i.j%..........................................Z...e...e.i.j)..........................................Z...e...e.i.j-..........................................Z...e...e.g.................Z...e...e...e.g.........................Z...e...e...e.d.........................Z...e...e...e.d.d.z...........................Z...e...e...e.........................Z...e...e.d.................Z ..e...e.d.................Z!..e...e...e"........................Z#..e.i.j%..................................Z$..e.i.j)..................................Z%..e.i.j-..................................Z&..e.e.jN..........................Z(..e...d...................Z)d...Z..e........Z..e.e........Z+ejY............................[d...Z-..e-........

C:\Users\user\AppData\Local\Temp\_MEI68642\certifi\cacert.pem

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299427
Entropy (8bit):	6.047872935262006
Encrypted:	false
SSDEEP:	6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/QRSRqNb7d8iu5Nahx:QWb/TRJLWURrI5RWavdF08/
MD5:	50EA156B773E8803F6C1FE712F746CBA
SHA1:	2C68212E96605210EDDF740291862BDF59398AEF
SHA-256:	94EDEB66E91774FCAE93A05650914E29096259A5C7E871A1F65D461AB5201B47
SHA-512:	01ED2E7177A99E6CB3FBEF815321B6FA036AD14A3F93499F2CB5B0DAE5B713FD2E6955AA05F6BDA11D80E9E0275040005E5B7D616959B28EFC62ABB43A3238F0
Malicious:	false
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\_MEI68642\charset_normalizer\md.cp312-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.817893239381772
Encrypted:	false
SSDEEP:	192:MRv9XFCk2z1/t12iwU5usJFcCyD9cqgE:aVVC5djuUFJKtgE
MD5:	71D96F1DBFCD6F767D81F8254E572751
SHA1:	E70B74430500ED5117547E0CD339D6E6F4613503
SHA-256:	611E1B4B9ED6788640F550771744D83E404432830BB8E3063F0B8EC3B98911AF
SHA-512:	7B10E13B3723DB0E826B7C7A52090DE999626D5FA6C8F9B4630FDEEF515A58C40660FA90589532A6D4377F003B3CB5B9851E276A0B3C83B9709E28E6A66A1D32
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k............r_...........r................................................3..........Rich....................PE..d... $.g.........." ...).....................................................p............`..........................................'..p...`(..d....P.......@...............`..,...`#.............................. "..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	124928
Entropy (8bit):	5.935676608756784
Encrypted:	false
SSDEEP:	1536:BETt3OiaqGB7QNX6Pq4a461TDqFRgMzrOH+d3gdy2iIeP/j3bhouROm:Bmt+is7QNqP1ab1TGb9g/iI4bhouROm
MD5:	D8F690EAE02332A6898E9C8B983C56DD
SHA1:	112C1FE25E0D948F767E02F291801C0E4AE592F0
SHA-256:	C6BB8CAD80B8D7847C52931F11D73BA64F78615218398B2C058F9B218FF21CA9
SHA-512:	E732F79F39BA9721CC59DBE8C4785FFD74DF84CA00D13D72AFA3F96B97B8C7ADF4EA9344D79EE2A1C77D58EF28D3DDCC855F3CB13EDDA928C17B1158ABCC5B4A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........yB....................7...............7.......7.......7.......6..........C....6.......6.......6.......6......Rich............................PE..d....$.g.........." ...).@...........B.......................................0............`.............................................d.................................... ......@...................................@............P...............................text....>.......@.................. ..`.rdata..PY...P...Z...D..............@..@.data....=.......0..................@....pdata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\cryptography-43.0.3.dist-info\INSTALLER

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI68642\cryptography-43.0.3.dist-info\METADATA

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	5440
Entropy (8bit):	5.074230645519915
Encrypted:	false
SSDEEP:	96:DloQIUQIhQIKQILbQIRIaMPktjaVxsxA2TLLDmplH7dwnqTIvrUmA0JQTQCQx5KN:RcPuP1srTLLDmplH7JTIvYX0JQTQ9x54
MD5:	C891CD93024AF027647E6DE89D0FFCE2
SHA1:	01D8D6F93F1B922A91C82D4711BCEFB885AD47B0
SHA-256:	EB36E0E4251E8479EF36964440755EF22BEDD411BA87A93F726FA8E5BB0E64B0
SHA-512:	3386FBB3DCF7383B2D427093624C531C50BE34E3E0AA0984547B953E04776D0D431D5267827F4194A9B0AD1AB897869115623E802A6A1C5D2AE1AD82C96CCE71
Malicious:	false
Preview:	Metadata-Version: 2.3.Name: cryptography.Version: 43.0.3.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: Apache Software License.Classifier: License :: OSI Approved :: BSD License.Classifier: Natural Language :: English.Classifier: Operating System :: MacOS :: MacOS X.Classifier: Operating System :: POSIX.Classifier: Operating System :: POSIX :: BSD.Classifier: Operating System :: POSIX :: Linux.Classifier: Operating System :: Microsoft :: Windows.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Programming Language :: Python :: 3.7.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: Programming Language :: Python :: 3.11.Classifier: Programming Language :: Python :: 3.12.Classif

C:\Users\user\AppData\Local\Temp\_MEI68642\cryptography-43.0.3.dist-info\RECORD

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	15579
Entropy (8bit):	5.5664904316569785
Encrypted:	false
SSDEEP:	192:1XeTBL1z5jF4E9VqhXJZ4WPB6s7B0Ppz+NX6in5Lqw/I+B:1XkL1hCEsJrPB6s7B0Ppz+96innVB
MD5:	4DECFB7B4491D572BFEF7359B48F44FC
SHA1:	A4A4D4BF35021D7402922CA58E1E29AE564524FD
SHA-256:	2538AB429E324FDDEAC70C8C511E24E9FAF5DC8D531D910B1A6FF17C13C5D536
SHA-512:	CE05550E47B778EAB691191A9B08C53F4BE8C3F371C5831B901D17535237A45E46F8362A1BC365DBDEF45FF7AFF475EAA4517FB43F715A4F92481F014EF2E18F
Malicious:	false
Preview:	cryptography-43.0.3.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..cryptography-43.0.3.dist-info/METADATA,sha256=6zbg5CUehHnvNpZEQHVe8ivt1BG6h6k_cm-o5bsOZLA,5440..cryptography-43.0.3.dist-info/RECORD,,..cryptography-43.0.3.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..cryptography-43.0.3.dist-info/WHEEL,sha256=8_4EnrLvbhzH224YH8WypoB7HFn-vpbwr_zHlr3XUBI,94..cryptography-43.0.3.dist-info/license_files/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197..cryptography-43.0.3.dist-info/license_files/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360..cryptography-43.0.3.dist-info/license_files/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532..cryptography/__about__.py,sha256=-FkHKD9mSuEfH37wsSKnQzJZmL5zUAUTpB5OeUQjPE0,445..cryptography/__init__.py,sha256=mthuUrTd4FROCpUYrTIqhjz6s6T9djAZrV7nZ1oMm2o,364..cryptography/__pycache__/__about__.cpython-312.pyc,,..cryptography/__pycache__/__ini

C:\Users\user\AppData\Local\Temp\_MEI68642\cryptography-43.0.3.dist-info\WHEEL

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	5.016084900984752
Encrypted:	false
SSDEEP:	3:RtEeX5pGogP+tkKciH/KQb:RtvoTWKTQb
MD5:	C869D30012A100ADEB75860F3810C8C9
SHA1:	42FD5CFA75566E8A9525E087A2018E8666ED22CB
SHA-256:	F3FE049EB2EF6E1CC7DB6E181FC5B2A6807B1C59FEBE96F0AFFCC796BDD75012
SHA-512:	B29FEAF6587601BBE0EDAD3DF9A87BFC82BB2C13E91103699BABD7E039F05558C0AC1EF7D904BCFAF85D791B96BC26FA9E39988DD83A1CE8ECCA85029C5109F0
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: maturin (1.7.0).Root-Is-Purelib: false.Tag: cp39-abi3-win_amd64.

C:\Users\user\AppData\Local\Temp\_MEI68642\cryptography-43.0.3.dist-info\license_files\LICENSE

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	197
Entropy (8bit):	4.61968998873571
Encrypted:	false
SSDEEP:	3:hWDncJhByZmJgXPForADu1QjygQuaAJygT2d5GeWreLRuOFEXAYeBKmJozlMHuO:h9Co8FyQjkDYc5tWreLBF/pn2mH1
MD5:	8C3617DB4FB6FAE01F1D253AB91511E4
SHA1:	E442040C26CD76D1B946822CAF29011A51F75D6D
SHA-256:	3E0C7C091A948B82533BA98FD7CBB40432D6F1A9ACBF85F5922D2F99A93AE6BB
SHA-512:	77A1919E380730BCCE5B55D76FBFFBA2F95874254FAD955BD2FE1DE7FC0E4E25B5FDAAB0FEFFD6F230FA5DC895F593CF8BFEDF8FDC113EFBD8E22FADAB0B8998
Malicious:	false
Preview:	This software is made available under the terms of either of the licenses.found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made.under the terms of both these licenses..

C:\Users\user\AppData\Local\Temp\_MEI68642\cryptography-43.0.3.dist-info\license_files\LICENSE.APACHE

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	11360
Entropy (8bit):	4.426756947907149
Encrypted:	false
SSDEEP:	192:nUDG5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEnQHbHR:UIvlKM1zJlFvmNz5VrlkTS0QHt
MD5:	4E168CCE331E5C827D4C2B68A6200E1B
SHA1:	DE33EAD2BEE64352544CE0AA9E410C0C44FDF7D9
SHA-256:	AAC73B3148F6D1D7111DBCA32099F68D26C644C6813AE1E4F05F6579AA2663FE
SHA-512:	F451048E81A49FBFA11B49DE16FF46C52A8E3042D1BCC3A50AAF7712B097BED9AE9AED9149C21476C2A1E12F1583D4810A6D36569E993FE1AD3879942E5B0D52
Malicious:	false
Preview:	. Apache License. Version 2.0, January 2004. https://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial ow

C:\Users\user\AppData\Local\Temp\_MEI68642\cryptography-43.0.3.dist-info\license_files\LICENSE.BSD

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1532
Entropy (8bit):	5.058591167088024
Encrypted:	false
SSDEEP:	24:MjUnoorbOFFTJJyRrYFTjzMbmqEvBTP4m96432s4EOkUTKQROJ32s3yxsITf+3tY:MkOFJSrYJsaN5P406432svv32s3EsIqm
MD5:	5AE30BA4123BC4F2FA49AA0B0DCE887B
SHA1:	EA5B412C09F3B29BA1D81A61B878C5C16FFE69D8
SHA-256:	602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
SHA-512:	DDBB20C80ADBC8F4118C10D3E116A5CD6536F72077C5916D87258E155BE561B89EB45C6341A1E856EC308B49A4CB4DBA1408EABD6A781FBE18D6C71C32B72C41
Malicious:	false
Preview:	Copyright (c) Individual contributors..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:.. 1. Redistributions of source code must retain the above copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... 3. Neither the name of PyCA Cryptography nor the names of its contributors. may be used to endorse or promote products derived from this software. without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOS

C:\Users\user\AppData\Local\Temp\_MEI68642\cryptography\hazmat\bindings\_rust.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	7834624
Entropy (8bit):	6.517862303223651
Encrypted:	false
SSDEEP:	49152:oFNZj7fIo9W67PapgzJTkrXyzNzpXAbuiqCgIns3mYEXEqMrIU6i7GtlqdVwASO/:QI9X/gIFYEXME+oFNr5VQCJheq4BsxH
MD5:	BFD28B03A4C32A9BCB001451FD002F67
SHA1:	DD528FD5F4775E16B2E743D3188B66F1174807B2
SHA-256:	8EF0F404A8BFF12FD6621D8F4F209499613F565777FE1C2A680E8A18F312D5A7
SHA-512:	6DC39638435F147B399826E34F78571D7ED2ED1232275E213A2B020224C0645E379F74A0CA5DE86930D3348981C8BB03BBBECFA601F8BA781417E7114662DDEE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r.b.6...6...6...?..$...&9..4...&9..2...&9..>...&9..'...}...8...Y<..5...6...2...~8..I...6.......~8..7...~8..7...Rich6...........PE..d......g.........." ...)..Y..$........W.......................................w...........`..........................................q.....l.q.............. s...............w......zi.T....................{i.(...Pyi.@.............Y..............................text...k.Y.......Y................. ..`.rdata...A....Y..B....Y.............@..@.data...@+....q.......q.............@....pdata....... s.......r.............@..@.reloc........w.......v.............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\frozenlist\_frozenlist.cp312-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	87040
Entropy (8bit):	5.9471652810047235
Encrypted:	false
SSDEEP:	1536:NIf505ZC316pwJV0Jzn4pyOJ8RMrpLkFb0GZi8fR3px7F:Q66gFlmrpLkFwGTp3pt
MD5:	5A5BD0B8845F5A47ECFC2C55ABE7413C
SHA1:	D4B2E85D30480573FEFBC413C4F7B81FA67115E1
SHA-256:	8BE6E6CC104018C0DC1AE0694330F44B94FABB6C50EEC086373DDF24117D78A7
SHA-512:	B2C24C3C5D59A4987F36DFCF677227C020BB632B7155E99D7405516BD855B03965F3FC3558E8637DA1B4E65E7EF7C5D2EA33B338BAEAE72F62017ED682D19651
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*.5VK.fVK.fVK.f_3DfRK.fF..gTK.f.3.gTK.fF..gUK.fF..g^K.fF..g[K.f...gUK.fVK.f.K.f...gWK.f...gWK.f..(fWK.f...gWK.fRichVK.f........PE..d.....g.........." ...).....v............................................................`..........................................7..h...x7..x............p..(....................&..............................P%..@...............@............................text............................... ..`.rdata...J.......L..................@..@.data...h....P.......6..............@....pdata..(....p.......D..............@..@.rsrc................P..............@..@.reloc...............R..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\libcrypto-3.dll

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5162776
Entropy (8bit):	5.958207976652471
Encrypted:	false
SSDEEP:	98304:S3+FRtLtlVriXpshX179Cahd4tC9P1+1CPwDvt3uFlDCi:ASRtLtvd99Cahd4tC9w1CPwDvt3uFlDz
MD5:	51E8A5281C2092E45D8C97FBDBF39560
SHA1:	C499C810ED83AAADCE3B267807E593EC6B121211
SHA-256:	2A234B5AA20C3FAECF725BBB54FB33F3D94543F78FA7045408E905593E49960A
SHA-512:	98B91719B0975CB38D3B3C7B6F820D184EF1B64D38AD8515BE0B8B07730E2272376B9E51631FE9EFD9B8A1709FEA214CF3F77B34EEB9FD282EB09E395120E7CB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./',.kFB.kFB.kFB.b>..yFB..:C.iFB..:G.gFB..:F.cFB..:A.oFB.kFC..FB. >C.`FB.;A.KFB.;F..EB.;B.jFB.;..jFB.;@.jFB.RichkFB.........................PE..d...x..e.........." ...#..6..*......v.........................................O.......O...`.........................................0.G.0.....M.@....0N.\|.....K.\.....N../...@N.....PsC.8............................qC.@.............M..............................text...4.6.......6................. ..`.rdata..`.....6.......6.............@..@.data....n....J..<....J.............@....pdata........K.......J.............@..@.idata...%....M..&....M.............@..@.00cfg..u.... N.......M.............@..@.rsrc...\|....0N.......M.............@..@.reloc..k....@N.......M.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\libffi-8.dll

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39696
Entropy (8bit):	6.641880464695502
Encrypted:	false
SSDEEP:	768:NiQfxQemQJNrPN+moyijAc5YiSyvkIPxWEqG:dfxIQvPkmoyijP7SytPxF
MD5:	0F8E4992CA92BAAF54CC0B43AACCCE21
SHA1:	C7300975DF267B1D6ADCBAC0AC93FD7B1AB49BD2
SHA-256:	EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
SHA-512:	6E1B223462DC124279BFCA74FD2C66FE18B368FFBCA540C84E82E0F5BCBEA0E10CC243975574FA95ACE437B9D8B03A446ED5EE0C9B1B094147CEFAF704DFE978
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".H...(.......L...............................................n....`......................................... l.......p..P...............P....l.../......,...@d...............................c..@............`.. ............................text....G.......H.................. ..`.rdata..h....`.......L..............@..@.data................b..............@....pdata..P............d..............@..@.reloc..,............j..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\libssl-3.dll

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	790296
Entropy (8bit):	5.607732992846443
Encrypted:	false
SSDEEP:	6144:7aO1lo7USZGjweMMHO4+xuVg7gCl2VdhMd1DdwMVn4TERUr3zgKpJJ/wknofFe9A:FkeMKOr97gCAE35gEGzLpwknofFe9XbE
MD5:	BFC834BB2310DDF01BE9AD9CFF7C2A41
SHA1:	FB1D601B4FCB29FF1B13B0D2ED7119BD0472205C
SHA-256:	41AD1A04CA27A7959579E87FBBDA87C93099616A64A0E66260C983381C5570D1
SHA-512:	6AF473C7C0997F2847EBE7CEE8EF67CD682DEE41720D4F268964330B449BA71398FDA8954524F9A97CC4CDF9893B8BDC7A1CF40E9E45A73F4F35A37F31C6A9C3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T..T..T..].3.Z....V......V....X....\....P....W..T..I....e....U.._.U....U..RichT..........PE..d......e.........." ...#.6..........K........................................0.......w....`..........................................w...Q..............s.... ..pM......./......`... ...8...............................@............................................text....4.......6.................. ..`.rdata...y...P...z...:..............@..@.data....N.......H..................@....pdata..XV... ...X..................@..@.idata..bc.......d...T..............@..@.00cfg..u...........................@..@.rsrc...s...........................@..@.reloc..?...........................@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\multidict\_multidict.cp312-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.417086235508803
Encrypted:	false
SSDEEP:	768:67CE1/NMVzMoCQVbrw0k6To3OOG/B+jPSrSRNj4bSM2V:QruzMoNrNTo3OOG/eRF4be
MD5:	4EED96BBB1C4B6D63F50C433E9C0A16A
SHA1:	CDE34E8F1DAC7F4E98D2B0AAF1186C6938DE06C3
SHA-256:	B521B7E3B6BED424A0719C36735BC4BF2BB8B0926370B31C221C604E81F8D78B
SHA-512:	1CACB250D867FCBBC5224C3F66CB23A93F818BC1D0524CAD6D1C52295D243AF10F454FDE13FA58671D3EE62281A2A3F71A69F28B08FD942FCEDBA3C9B09A774A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v`.2...2...2...;y..0..."...0...yy..0..."...1..."...:..."...9...!...1...2...G...z...3...z...3...z.s.3...z...3...Rich2...................PE..d....}.f.........." ...).\...^...... `....................................................`.............................................d...$...d...............x...............,...................................P...@............p...............................text....[.......\.................. ..`.rdata...+...p...,...`..............@..@.data...."..........................@....pdata..x...........................@..@.rsrc...............................@..@.reloc..,...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\propcache\_helpers_c.cp312-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	75264
Entropy (8bit):	5.884143909360528
Encrypted:	false
SSDEEP:	1536:lqJRuicm7rbNAx366qHC2ajmjZ1mQpheRx/gF:lqJRuiTHpq5qi2amd1XpheRx/gF
MD5:	93CCD2B7284BDC745F1ADBB8F0927F26
SHA1:	30043D4DAD9A909B2D0841D279F5266F00315AD9
SHA-256:	C8C7C9259A47961321B6D913B3CB70215A37B9CFF1DBDE9E9CBC3250C1B5AD77
SHA-512:	1DD365345FF334183A1A4AD959EC07A732836D6F1768E935462F0EA62F24F50EE62FB1324FCD813EF7BC40ED092C33F5D5BF70B8D016B67BE9A9274DAD2868D6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T........?..............................................W.................S.........Rich..........................PE..d...V..g.........." ...).....l...............................................p............`.............................................d.......d....P.......@...............`..T...@...................................@............................................text...H........................... ..`.rdata..*E.......F..................@..@.data........ ......................@....pdata.......@......................@..@.rsrc........P......."..............@..@.reloc..T....`.......$..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\psutil\_psutil_windows.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67072
Entropy (8bit):	5.909456553599775
Encrypted:	false
SSDEEP:	1536:j3sHmR02IvVxv7WCyKm7c5Th4JBHTOvyyaZE:jnIvryCyKx5Th4J5OvyyO
MD5:	49AC12A1F10AB93FAFAB064FD0523A63
SHA1:	3AD6923AB0FB5D3DD9D22ED077DB15B42C2FBD4F
SHA-256:	BA033B79E858DBFCBA6BF8FB5AFE10DEFD1CB03957DBBC68E8E62E4DE6DF492D
SHA-512:	1BC0F50E0BB0A9D9DDDAD31390E5C73B0D11C2B0A8C5462065D477E93FF21F7EDC7AA2B2B36E478BE0A797A38F43E3FBEB6AAABEF0BADEC1D8D16EB73DF67255
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......nT..5..5..5..#M2. 5..x@..(5..x@..&5..x@.."5..x@...5...k..(5..aM..;5..5...5...@..:5...@..+5...@^.+5...@..+5..Rich*5..................PE..d...._.g.........." .........h......\........................................@............`.........................................0...`.......@.... .......................0..(.......................................8............................................text...h........................... ..`.rdata..\I.......J..................@..@.data...x...........................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..(....0......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\pyexpat.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	200472
Entropy (8bit):	6.382659996286758
Encrypted:	false
SSDEEP:	3072:mhaQEuYCUDWuc7VmkqrgVrLJEKAAKJadAT0nIgjWdopPb/+mVApIGLhSZ:yaJh6v7VRVrLJEKAABiuXKd4GE
MD5:	F554064233C082F98EF01195693D967D
SHA1:	F191D42807867E0174DDC66D04C45250D9F6561E
SHA-256:	E1D56FFBF5E5FAB481D7A14691481B8FF5D2F4C6BF5D1A4664C832756C5942FE
SHA-512:	3573A226305CEC45333FC4D0E6FC0C3357421AD77CD8A1899C90515994351292EE5D1C445412B5563AA02520736E870A9EE879909CD992F5BE32E877792BDB88
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................g.................................h.......................h.......h.......h.......h.......Rich....................PE..d...Z..e.........." ...#............0...............................................2.....`.............................................P...`............................/..........P4..T............................3..@............ ...............................text.../........................... ..`.rdata..4.... ......................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\python3.dll

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	68376
Entropy (8bit):	6.14883904573939
Encrypted:	false
SSDEEP:	768:3V1EbYGVXq6KC/prVHBN0cW18itCQDFPnOMFn+gikF/nFX14uewjBcCCC0yamM/J:3DmF61JFn+/OipIGL0m7Sy0xG
MD5:	77896345D4E1C406EEFF011F7A920873
SHA1:	EE8CDD531418CFD05C1A6792382D895AC347216F
SHA-256:	1E9224BA7190B6301EF47BEFA8E383D0C55700255D04A36F7DAC88EA9573F2FB
SHA-512:	3E98B1B605D70244B42A13A219F9E124944DA199A88AD4302308C801685B0C45A037A76DED319D08DBF55639591404665BEFE2091F0F4206A9472FEE58D55C22
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........C..."e.."e.."e.0_m.."e.0_e.."e.0_..."e.0_g.."e.Rich."e.................PE..d...@..e.........." ...#............................................................q.....`.........................................`...H................................/..............T............................................................................rdata..............................@..@.rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\python312.dll

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6972184
Entropy (8bit):	5.774196030396665
Encrypted:	false
SSDEEP:	98304:B6vwRS7fYzmSSVlLWyJVT7OQvxHDMiEPlk:8vwRHTSVlfJVmir
MD5:	5C5602CDA7AB8418420F223366FFF5DB
SHA1:	52F81EE0AEF9B6906F7751FD2BBD4953E3F3B798
SHA-256:	E7890E38256F04EE0B55AC5276BBF3AC61392C3A3CE150BB5497B709803E17CE
SHA-512:	51C3B4F29781BB52C137DDB356E1BC5A37F3A25F0ED7D89416B14ED994121F884CB3E40CCDBB211A8989E3BD137B8DF8B28E232F98DE8F35B03965CFCE4B424F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................m.................x...s...x......x......x......Rich............PE..d...=..e.........." ...#..(..6B.....l........................................@k.......k...`......................................... .O.......O.......i......``..V...4j../....i..X.. I3.T....................7I.(....G3.@.............(..............................text...V.(.......(................. ..`.rdata...A'...(..B'...(.............@..@.data....4... P..x....O.............@....pdata...V...``..X...v_.............@..@PyRuntim......b.......a.............@....rsrc.........i.......h.............@..@.reloc...X....i..Z....h.............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\pywin32_system32\pywintypes312.dll

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	136192
Entropy (8bit):	6.007891413043079
Encrypted:	false
SSDEEP:	3072:ZaklTxm5xclSlX8fY/r06Yr0UWm63ELUAXkXrT4:wklTxm5xAhY/rkwNm2E4AXk
MD5:	DA0E290BA30FE8CC1A44EEEFCF090820
SHA1:	D38FCCD7D6F54AA73BD21F168289D7DCE1A9D192
SHA-256:	2D1D60B996D1D5C56C24313D97E0FCDA41A8BD6BF0299F6EA4EB4A1E25D490B7
SHA-512:	BC031D61E5772C60CBAC282D05F76D81AF1AA2A29A8602C2EFA05FC0CE1079390999336237560B408E6539A77C732F5066C1590B7FEAEDB24BAA9371783F2A8F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.I+.z'x.z'x.z'x...x.z'xW.&y.z'xc..x.z'xW."y.z'xW.#y.z'xW.$y.z'xN.#y.z'xM.&y.z'xN.&y.z'x.z&x.z'x...y.z'x..'y.z'x..%y.z'xRich.z'x................PE..d......g.........." .........................................................`............`.........................................0...lB......,....@..l.... ...............P..0....a..T............................b..8............................................text...I........................... ..`.rdata..(...........................@..@.data....-.......(..................@....pdata....... ......................@..@.rsrc...l....@......................@..@.reloc..0....P......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\select.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31000
Entropy (8bit):	6.531624163477087
Encrypted:	false
SSDEEP:	768:s7ENJKHq1vv38pIGQGE5YiSyvTcAMxkEMrX:s7ENJKK1vv38pIGQGO7Syb6xuX
MD5:	BFFFF83A000BAF559F3EB2B599A1B7E8
SHA1:	7F9238BDA6D0C7CC5399C6B6AB3B42D21053F467
SHA-256:	BC71FBDFD1441D62DD86D33FF41B35DC3CC34875F625D885C58C8DC000064DAB
SHA-512:	3C0BA0CF356A727066AE0D0D6523440A882AAFB3EBDF70117993EFFD61395DEEBF179948F8C7F5222D59D1ED748C71D9D53782E16BD2F2ECCC296F2F8B4FC948
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........t.q\|'.q\|'.q\|'...'.q\|'q.}&.q\|'q.y&.q\|'q.x&.q\|'q..&.q\|'..}&.q\|'.q}'.q\|'..}&.q\|'..q&.q\|'..\|&.q\|'...'.q\|'..~&.q\|'Rich.q\|'........PE..d...Z..e.........." ...#.....2............................................................`..........................................@..L...,A..x....p.......`.......J.../......L....3..T............................2..@............0...............................text...v........................... ..`.rdata.......0......................@..@.data........P.......8..............@....pdata.......`.......:..............@..@.rsrc........p.......>..............@..@.reloc..L............H..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\INSTALLER

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\LICENSE

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	11358
Entropy (8bit):	4.4267168336581415
Encrypted:	false
SSDEEP:	192:nU6G5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEn7HbHR:U9vlKM1zJlFvmNz5VrlkTS07Ht
MD5:	3B83EF96387F14655FC854DDC3C6BD57
SHA1:	2B8B815229AA8A61E483FB4BA0588B8B6C491890
SHA-256:	CFC7749B96F63BD31C3C42B5C471BF756814053E847C10F3EB003417BC523D30
SHA-512:	98F6B79B778F7B0A15415BD750C3A8A097D650511CB4EC8115188E115C47053FE700F578895C097051C9BC3DFB6197C2B13A15DE203273E1A3218884F86E90E8
Malicious:	false
Preview:	. Apache License. Version 2.0, January 2004. http://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial own

C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\METADATA

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4648
Entropy (8bit):	5.006900644756252
Encrypted:	false
SSDEEP:	96:Dx2ZSaCSmS8R902Vpnu386eLQ9Ac+fFZpDN00x2jZ2SBXZJSwTE:9Smzf02Vpnu386mQ9B+TP0vJHJSwTE
MD5:	98ABEAACC0E0E4FC385DFF67B607071A
SHA1:	E8C830D8B0942300C7C87B3B8FD15EA1396E07BD
SHA-256:	6A7B90EFFEE1E09D5B484CDF7232016A43E2D9CC9543BCBB8E494B1EC05E1F59
SHA-512:	F1D59046FFA5B0083A5259CEB03219CCDB8CC6AAC6247250CBD83E70F080784391FCC303F7630E1AD40E5CCF5041A57CB9B68ADEFEC1EBC6C31FCF7FFC65E9B7
Malicious:	false
Preview:	Metadata-Version: 2.1.Name: importlib_metadata.Version: 8.0.0.Summary: Read metadata from Python packages.Author-email: "Jason R. Coombs" <jaraco@jaraco.com>.Project-URL: Source, https://github.com/python/importlib_metadata.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: Apache Software License.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Requires-Python: >=3.8.Description-Content-Type: text/x-rst.License-File: LICENSE.Requires-Dist: zipp >=0.5.Requires-Dist: typing-extensions >=3.6.4 ; python_version < "3.8".Provides-Extra: doc.Requires-Dist: sphinx >=3.5 ; extra == 'doc'.Requires-Dist: jaraco.packaging >=9.3 ; extra == 'doc'.Requires-Dist: rst.linker >=1.9 ; extra == 'doc'.Requires-Dist: furo ; extra == 'doc'.Requires-Dist: sphinx-lint ; extra == 'doc'.Requires-Dist: jaraco.tidelift >=1.4 ; extra == 'doc'.Provides-Extra: perf.Requires-D

C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\RECORD

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2518
Entropy (8bit):	5.6307766747793275
Encrypted:	false
SSDEEP:	48:UnuXTg06U5J/Vw9l/gfNX7/XzBk9pvJq/fwJOfYrBfnJ/V0XJnzN/3WJV:bXzP/EgdzzBkDJsoIYrBfJ/CXNz9qV
MD5:	EB513CAFA5226DDA7D54AFDCC9AD8A74
SHA1:	B394C7AEC158350BAF676AE3197BEF4D7158B31C
SHA-256:	0D8D3C6EEB9EBBE86CAC7D60861552433C329DA9EA51248B61D02BE2E5E64030
SHA-512:	A0017CFAFF47FDA6067E3C31775FACEE4728C3220C2D4BD70DEF328BD20AA71A343E39DA15CD6B406F62311894C518DFCF5C8A4AE6F853946F26A4B4E767924E
Malicious:	false
Preview:	importlib_metadata-8.0.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..importlib_metadata-8.0.0.dist-info/LICENSE,sha256=z8d0m5b2O9McPEK1xHG_dWgUBT6EfBDz6wA0F7xSPTA,11358..importlib_metadata-8.0.0.dist-info/METADATA,sha256=anuQ7_7h4J1bSEzfcjIBakPi2cyVQ7y7jklLHsBeH1k,4648..importlib_metadata-8.0.0.dist-info/RECORD,,..importlib_metadata-8.0.0.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..importlib_metadata-8.0.0.dist-info/WHEEL,sha256=mguMlWGMX-VHnMpKOjjQidIo1ssRlCFu4a4mBpz1s2M,91..importlib_metadata-8.0.0.dist-info/top_level.txt,sha256=CO3fD9yylANiXkrMo4qHLV_mqXL2sC5JFKgt1yWAT-A,19..importlib_metadata/__init__.py,sha256=tZNB-23h8Bixi9uCrQqj9Yf0aeC--Josdy3IZRIQeB0,33798..importlib_metadata/__pycache__/__init__.cpython-312.pyc,,..importlib_metadata/__pycache__/_adapters.cpython-312.pyc,,..importlib_metadata/__pycache__/_collections.cpython-312.pyc,,..importlib_metadata/__pycache__/_compat.cpython-312.pyc,,..importlib_metadata/__pycac

C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\WHEEL

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	91
Entropy (8bit):	4.687870576189661
Encrypted:	false
SSDEEP:	3:RtEeXMRYFAVLMvhRRP+tPCCfA5S:RtC1VLMvhjWBBf
MD5:	7D09837492494019EA51F4E97823D79F
SHA1:	7829B4324BB542799494131A270EC3BDAD4DEDEF
SHA-256:	9A0B8C95618C5FE5479CCA4A3A38D089D228D6CB1194216EE1AE26069CF5B363
SHA-512:	A0063220ECDD22C3E735ACFF6DE559ACF3AC4C37B81D37633975A22A28B026F1935CD1957C0FF7D2ECC8B7F83F250310795EECC5273B893FFAB115098F7B9C38
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: setuptools (70.1.1).Root-Is-Purelib: true.Tag: py3-none-any..

C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\top_level.txt

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	19
Entropy (8bit):	3.536886723742169
Encrypted:	false
SSDEEP:	3:JSej0EBERG:50o4G
MD5:	A24465F7850BA59507BF86D89165525C
SHA1:	4E61F9264DE74783B5924249BCFE1B06F178B9AD
SHA-256:	08EDDF0FDCB29403625E4ACCA38A872D5FE6A972F6B02E4914A82DD725804FE0
SHA-512:	ECF1F6B777970F5257BDDD353305447083008CEBD8E5A27C3D1DA9C7BDC3F9BF3ABD6881265906D6D5E11992653185C04A522F4DB5655FF75EEDB766F93D5D48
Malicious:	false
Preview:	importlib_metadata.

C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor\jaraco\text\Lorem ipsum.txt

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	ASCII text, with very long lines (888)
Category:	dropped
Size (bytes):	1335
Entropy (8bit):	4.226823573023539
Encrypted:	false
SSDEEP:	24:FP6Hbz+g9RPZ14bJi04L6GEbX4UQF4UkZQhxI2EIhNyu:9E+i6bJmLm43+Uxxnh0u
MD5:	4CE7501F6608F6CE4011D627979E1AE4
SHA1:	78363672264D9CD3F72D5C1D3665E1657B1A5071
SHA-256:	37FEDCFFBF73C4EB9F058F47677CB33203A436FF9390E4D38A8E01C9DAD28E0B
SHA-512:	A4CDF92725E1D740758DA4DD28DF5D1131F70CEF46946B173FE6956CC0341F019D7C4FECC3C9605F354E1308858721DADA825B4C19F59C5AD1CE01AB84C46B24
Malicious:	false
Preview:	Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum..Curabitur pretium tincidunt lacus. Nulla gravida orci a odio. Nullam varius, turpis et commodo pharetra, est eros bibendum elit, nec luctus magna felis sollicitudin mauris. Integer in mauris eu nibh euismod gravida. Duis ac tellus et risus vulputate vehicula. Donec lobortis risus a elit. Etiam tempor. Ut ullamcorper, ligula eu tempor congue, eros est euismod turpis, id tincidunt sapien risus a quam. Maecenas fermentum consequat mi. Donec fermentum. Pellentesque malesuada nulla a mi. Duis sapien sem, aliquet nec, commodo eget, consequat quis, neque.

C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor\wheel-0.43.0.dist-info\INSTALLER

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txt

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1107
Entropy (8bit):	5.115074330424529
Encrypted:	false
SSDEEP:	24:PWmrRONJHLH0cPP3gtkHw1h39QHOsUv4eOk4/+jvho3nPz:ttONJbbvE/NQHOs5eNS3n7
MD5:	7FFB0DB04527CFE380E4F2726BD05EBF
SHA1:	5B39C45A91A556E5F1599604F1799E4027FA0E60
SHA-256:	30C23618679108F3E8EA1D2A658C7CA417BDFC891C98EF1A89FA4FF0C9828654
SHA-512:	205F284F3A7E8E696C70ED7B856EE98C1671C68893F0952EEC40915A383BC452B99899BDC401F9FE161A1BF9B6E2CEA3BCD90615EEE9173301657A2CE4BAFE14
Malicious:	false
Preview:	MIT License..Copyright (c) 2012 Daniel Holth <dholth@fastmail.fm> and contributors..Permission is hereby granted, free of charge, to any person obtaining a.copy of this software and associated documentation files (the "Software"),.to deal in the Software without restriction, including without limitation.the rights to use, copy, modify, merge, publish, distribute, sublicense,.and/or sell copies of the Software, and to permit persons to whom the.Software is furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included.in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL.THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR.OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERW

C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor\wheel-0.43.0.dist-info\METADATA

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	2153
Entropy (8bit):	5.088249746074878
Encrypted:	false
SSDEEP:	48:DEhpFu5MktjaywDK48d+md+7uT8RfkD1UKd+mOl1Awry:DEhpiMktjayq/7kOfsUzmbYy
MD5:	EBEA27DA14E3F453119DC72D84343E8C
SHA1:	7CEB6DBE498B69ABF4087637C6F500742FF7E2B4
SHA-256:	59BAC22B00A59D3E5608A56B8CF8EFC43831A36B72792EE4389C9CD4669C7841
SHA-512:	A41593939B9325D40CB67FD3F41CD1C9E9978F162487FB469094C41440B5F48016B9A66BE2E6E4A0406D6EEDB25CE4F5A860BA1E3DC924B81F63CEEE3AE31117
Malicious:	false
Preview:	Metadata-Version: 2.1.Name: wheel.Version: 0.43.0.Summary: A built-package format for Python.Keywords: wheel,packaging.Author-email: Daniel Holth <dholth@fastmail.fm>.Maintainer-email: Alex Gr.nholm <alex.gronholm@nextday.fi>.Requires-Python: >=3.8.Description-Content-Type: text/x-rst.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: Topic :: System :: Archiving :: Packaging.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: Programming Language :: Python :: 3.11.Classifier: Programming Language :: Python :: 3.12.Requires-Dist: pytest >= 6.0.0 ; extra == "test".Requires-Dist: setuptools >= 65 ; extra == "test".Project-URL: Changelog, https://wheel.readthedocs.io/en/s

C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor\wheel-0.43.0.dist-info\RECORD

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	4557
Entropy (8bit):	5.714200636114494
Encrypted:	false
SSDEEP:	96:QXVuEmegx01TQIvFCiq9H/H7vp88FxTXiJPkGJP4CWweXQHmnDpMI78IegK5EeZR:QXVxAbYkU4CWweXQHmnDpMeV2BvTRqQF
MD5:	44D352C4997560C7BFB82D9360F5985A
SHA1:	BE58C7B8AB32790384E4E4F20865C4A88414B67A
SHA-256:	783E654742611AF88CD9F00BF01A431A219DB536556E63FF981C7BD673070AC9
SHA-512:	281B1D939A560E6A08D0606E5E8CE15F086B4B45738AB41ED6B5821968DC8D764CD6B25DB6BA562A07018C271ABF17A6BC5A380FAD05696ADF1D11EE2C5749C8
Malicious:	false
Preview:	../../bin/wheel,sha256=cT2EHbrv-J-UyUXu26cDY-0I7RgcruysJeHFanT1Xfo,249..wheel-0.43.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..wheel-0.43.0.dist-info/LICENSE.txt,sha256=MMI2GGeRCPPo6h0qZYx8pBe9_IkcmO8aifpP8MmChlQ,1107..wheel-0.43.0.dist-info/METADATA,sha256=WbrCKwClnT5WCKVrjPjvxDgxo2tyeS7kOJyc1GaceEE,2153..wheel-0.43.0.dist-info/RECORD,,..wheel-0.43.0.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..wheel-0.43.0.dist-info/WHEEL,sha256=EZbGkh7Ie4PoZfRQ8I0ZuP9VklN_TvcZ6DSE5Uar4z4,81..wheel-0.43.0.dist-info/entry_points.txt,sha256=rTY1BbkPHhkGMm4Q3F0pIzJBzW2kMxoG1oriffvGdA0,104..wheel/__init__.py,sha256=D6jhH00eMzbgrXGAeOwVfD5i-lCAMMycuG1L0useDlo,59..wheel/__main__.py,sha256=NkMUnuTCGcOkgY0IBLgBCVC_BGGcWORx2K8jYGS12UE,455..wheel/__pycache__/__init__.cpython-312.pyc,,..wheel/__pycache__/__main__.cpython-312.pyc,,..wheel/__pycache__/_setuptools_logging.cpython-312.pyc,,..wheel/__pycache__/bdist_wheel.cpython-312.pyc,,..wheel/__pycache

C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor\wheel-0.43.0.dist-info\WHEEL

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	81
Entropy (8bit):	4.672346887071811
Encrypted:	false
SSDEEP:	3:RtEeX/QFM+vxP+tPCCfA5I:Rt1Qq2WBB3
MD5:	24019423EA7C0C2DF41C8272A3791E7B
SHA1:	AAE9ECFB44813B68CA525BA7FA0D988615399C86
SHA-256:	1196C6921EC87B83E865F450F08D19B8FF5592537F4EF719E83484E546ABE33E
SHA-512:	09AB8E4DAA9193CFDEE6CF98CCAE9DB0601F3DCD4944D07BF3AE6FA5BCB9DC0DCAFD369DE9A650A38D1B46C758DB0721EBA884446A8A5AD82BB745FD5DB5F9B1
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: flit 3.9.0.Root-Is-Purelib: true.Tag: py3-none-any.

C:\Users\user\AppData\Local\Temp\_MEI68642\setuptools\_vendor\wheel-0.43.0.dist-info\entry_points.txt

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	104
Entropy (8bit):	4.271713330022269
Encrypted:	false
SSDEEP:	3:1SSAnAYgh+MWTMhk6WjrAM5t5ln:1Jb9WTMhk9jUM5t5ln
MD5:	6180E17C30BAE5B30DB371793FCE0085
SHA1:	E3A12C421562A77D90A13D8539A3A0F4D3228359
SHA-256:	AD363505B90F1E1906326E10DC5D29233241CD6DA4331A06D68AE27DFBC6740D
SHA-512:	69EAE7B1E181D7BA1D3E2864D31E1320625A375E76D3B2FBF8856B3B6515936ACE3138D4D442CABDE7576FCFBCBB0DEED054D90B95CFA1C99829DB12A9031E26
Malicious:	false
Preview:	[console_scripts].wheel=wheel.cli:main..[distutils.commands].bdist_wheel=wheel.bdist_wheel:bdist_wheel..

C:\Users\user\AppData\Local\Temp\_MEI68642\sqlite3.dll

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1504024
Entropy (8bit):	6.578874733366613
Encrypted:	false
SSDEEP:	24576:95WQyUuqjJVKMXijWRwtHHofIyEcL/2m75i5zxHWc9C08lY8ore60hH:9b0yVKMyjWR6nofQm7U59HWKYY8
MD5:	82EA0259009FF75BBA817BD8C15C7588
SHA1:	04C49687D8241B43AE61A6C59299255EF09A7B39
SHA-256:	8AA8B909A39FCC33D1EC2AD51EAC6714A318C6EFD04F963D21B75D8F64809AD6
SHA-512:	1F8B3343898462E385D25E1820A3D7D971D633933E482EA9FFC596E7E1F902F5657A9F2C104CF320EEEF34CCE814261304E2E1C063BE4C6A807ADC9B75F3E670
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W..W..W..^.P.[....U....Z...._.....S.....T..W........V.....V....<.V......V..RichW..........................PE..d......e.........." ...#..................................................................`.........................................Px...".............................../...........*..T............................(..@...............8............................text............................... ..`.rdata..............................@..@.data...PG.......>..................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1137944
Entropy (8bit):	5.462221778372869
Encrypted:	false
SSDEEP:	12288:IFrEHdcM6hbZCjJ43w9hIpCQvb0QN8MdIEQ+U2BNNmD+99FfctZq:IFrEXcCjfk7bPNfv42BN6yzUtZq
MD5:	A1388676824CE6347D31D6C6A7A1D1B5
SHA1:	27DD45A5C9B7E61BB894F13193212C6D5668085B
SHA-256:	2480A78815F619A631210E577E733C9BAFECB7F608042E979423C5850EE390FF
SHA-512:	26EA1B33F14F08BB91027E0D35AC03F6203B4DFEEE602BB592C5292AB089B27FF6922DA2804A9E8A28E47D4351B32CF93445D894F00B4AD6E2D0C35C6C7F1D89
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w...3m..3m..3m..:...5m......1m......>m......;m......0m......0m..x...1m..3m..cm......2m......2m....j.2m......2m..Rich3m..................PE..d...]..e.........." ...#.>..........`*.......................................p.......%....`.........................................p...X............P.......@.........../...`......P^..T............................]..@............P..p............................text....=.......>.................. ..`.rdata..\....P.......B..............@..@.data...X.... ......................@....pdata.......@......................@..@.rsrc........P......."..............@..@.reloc.......`.......,..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\win32\win32api.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	133632
Entropy (8bit):	5.874056262688227
Encrypted:	false
SSDEEP:	3072:LqnAWHjDQCj8ilDiv+zQQoMlRVFhLaNzvvA5sqQvml1RhkmrAte:L1ojDHjllCrMlRVgvY5sqQeRhkmrA
MD5:	E9D8AB0E7867F5E0D40BD474A5CA288C
SHA1:	E7BDF1664099C069CEEA18C2922A8DB049B4399A
SHA-256:	DF724F6ABD66A0549415ABAA3FDF490680E6E0CE07584E964B8BFD01E187B487
SHA-512:	49B17E11D02AE99583F835B8ECF526CF1CF9CEAB5D8FAC0FBFAF45411AC43F0594F93780AE7F6CB3EBBC169A91E81DD57A37C48A8CD5E2653962FFBDCF9879BB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........V.........................................+..........................................Rich...........PE..d...!..g.........." .........................................................P............`......................................... ................0..\.......X............@..X....v..T............................;..8............0..........@....................text............................... ..`.rdata..2....0......................@..@.data...X(......."..................@....pdata..X...........................@..@.rsrc...\....0......................@..@.reloc..X....@......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68642\yarl\_quoting_c.cp312-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\dipwo1iToJ.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	97280
Entropy (8bit):	6.009362786457499
Encrypted:	false
SSDEEP:	1536:hA6zeuPEpCbl4DlaAw/AlDNTXBUhF5dYLprRD0WcpipPmlK:hA6jPEUbOwajI5dsOWcpipPe
MD5:	34BEE8FDC3AB28504FE568D886F846DA
SHA1:	C43EE4ADBE83571E17867DD277DD18CB42E1A6B7
SHA-256:	B4C2ADF4BD70A41C0CBB6D1296303AB66169CD52633F514164E755711F0648FB
SHA-512:	1C1013B0EF7D7BA3B01D7CA19A06F808234F3E51C1346AAC57641D2FCC03B4F4E129066D17135F91E56D3092E18FFF77740D4B5E323B5E670ADB8B3E69BDF36C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........].......................................................................^.....................F.............Rich............................PE..d....@?g.........." .....................................................................`.........................................0X..d....X..x...............................,...0H...............................F..@............ ...............................text............................... ..`.rdata...M... ...N..................@..@.data....6...p.......`..............@....pdata...............l..............@..@.rsrc................x..............@..@.reloc..,............z..............@..B................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.996811520130873
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	dipwo1iToJ.exe
File size:	18'082'384 bytes
MD5:	f40d72b602d086c3724048c5df9cc6f0
SHA1:	1cb21b5dda39cc0101e3a140701a670981e562be
SHA256:	d86949ec11d850f940b1ce58eb7a32f1381401fbb27137b6736345ce07ce4501
SHA512:	154001df20640a037c25d07444c495972924fdccda94b80cde2cada595abeb1b0d7659f3d228e97dc07e45af065b74f689c9bc00325e983f03c058c4d5aa3329
SSDEEP:	393216:69Yi54urLe63hucnW+eGQRn9josCBGcZvW7JTXN6u6K2:69Yi5Rr73hrnW+e5Rn9MVa96u6p
TLSH:	51073398E5D85CC1D4B2993FC9E68107DA77FC1117A0CE8B57B9A5A31EA71C04A3EF20
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t=.30\.`0\.`0\.`{$.a7\.`{$.a.\.`{$.a:\.` ..`3\.` ..a9\.` ..a!\.` ..a.\.`{$.a;\.`0\.`.\.`{..a)\.`{..a1\.`Rich0\.`........PE..d..

File Icon


Icon Hash:	4a464cd47461e179

Static PE Info

General

Entrypoint:	0x14000ce20
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6745D788 [Tue Nov 26 14:13:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	72c4e339b7af8ab1ed2eb3821c98713a

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F0BC8B14C4Ch
dec eax
add esp, 28h
jmp 00007F0BC8B1486Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F0BC8B15018h
test eax, eax
je 00007F0BC8B14A13h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F0BC8B149F7h
dec eax
cmp ecx, eax
je 00007F0BC8B14A06h
xor eax, eax
dec eax
cmpxchg dword ptr [0003570Ch], ecx
jne 00007F0BC8B149E0h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F0BC8B149E9h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007F0BC8B149F9h
mov byte ptr [000356F5h], 00000001h
call 00007F0BC8B14145h
call 00007F0BC8B15430h
test al, al
jne 00007F0BC8B149F6h
xor al, al
jmp 00007F0BC8B14A06h
call 00007F0BC8B21F4Fh
test al, al
jne 00007F0BC8B149FBh
xor ecx, ecx
call 00007F0BC8B15440h
jmp 00007F0BC8B149DCh
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [000356BCh], 00000000h
mov ebx, ecx
jne 00007F0BC8B14A59h
cmp ecx, 01h
jnbe 00007F0BC8B14A5Ch
call 00007F0BC8B14F8Eh
test eax, eax
je 00007F0BC8B14A1Ah
test ebx, ebx
jne 00007F0BC8B14A16h
dec eax
lea ecx, dword ptr [000356A6h]
call 00007F0BC8B21D42h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3ca34	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0xf41c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x44000	0x2238	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x57000	0x764	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a080	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39f40	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x4a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29f70	0x2a000	b8c3814c5fb0b18492ad4ec2ffe0830a	False	0.5518740699404762	data	6.489205819736506	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12a28	0x12c00	19a8c53a63a4b6a7cc35860ab09ee5e1	False	0.5242838541666667	data	5.750770753221784	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x53f8	0xe00	dba0caeecab624a0ccc0d577241601d1	False	0.134765625	data	1.8392217063172436	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x44000	0x2238	0x2400	9cd1eac931545f28ab09329f8bfce843	False	0.4697265625	data	5.2645170849678795	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x47000	0xf41c	0xf600	455788c285fcfdcb4008bc77e762818a	False	0.803099593495935	data	7.5549760623589695	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x57000	0x764	0x800	816c68eeb419ee2c08656c31c06a0fff	False	0.5576171875	data	5.2809528666624175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x47208	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.585820895522388
RT_ICON	0x480b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.7360108303249098
RT_ICON	0x48958	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.755057803468208
RT_ICON	0x48ec0	0x952c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9975384937676757
RT_ICON	0x523ec	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.3887966804979253
RT_ICON	0x54994	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.49530956848030017
RT_ICON	0x55a3c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.7207446808510638
RT_GROUP_ICON	0x55ea4	0x68	data	0.7019230769230769
RT_MANIFEST	0x55f0c	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 17:45:00.377068043 CET	49731	80	192.168.2.4	163.5.242.208
Dec 6, 2024 17:45:00.496881008 CET	80	49731	163.5.242.208	192.168.2.4
Dec 6, 2024 17:45:00.496962070 CET	49731	80	192.168.2.4	163.5.242.208
Dec 6, 2024 17:45:00.497308016 CET	49731	80	192.168.2.4	163.5.242.208
Dec 6, 2024 17:45:00.618367910 CET	80	49731	163.5.242.208	192.168.2.4
Dec 6, 2024 17:45:01.855582952 CET	80	49731	163.5.242.208	192.168.2.4
Dec 6, 2024 17:45:01.856669903 CET	49731	80	192.168.2.4	163.5.242.208
Dec 6, 2024 17:45:01.858158112 CET	49732	80	192.168.2.4	163.5.242.208
Dec 6, 2024 17:45:01.976953983 CET	80	49731	163.5.242.208	192.168.2.4
Dec 6, 2024 17:45:01.977034092 CET	49731	80	192.168.2.4	163.5.242.208
Dec 6, 2024 17:45:01.977849007 CET	80	49732	163.5.242.208	192.168.2.4
Dec 6, 2024 17:45:01.977921009 CET	49732	80	192.168.2.4	163.5.242.208
Dec 6, 2024 17:45:01.978065014 CET	49732	80	192.168.2.4	163.5.242.208
Dec 6, 2024 17:45:02.098659039 CET	80	49732	163.5.242.208	192.168.2.4
Dec 6, 2024 17:45:03.312829018 CET	80	49732	163.5.242.208	192.168.2.4
Dec 6, 2024 17:45:03.313620090 CET	49732	80	192.168.2.4	163.5.242.208
Dec 6, 2024 17:45:03.435368061 CET	80	49732	163.5.242.208	192.168.2.4
Dec 6, 2024 17:45:03.435441017 CET	49732	80	192.168.2.4	163.5.242.208

HTTP Request Dependency Graph

163.5.242.208

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	163.5.242.208	80	792	C:\Users\user\Desktop\dipwo1iToJ.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 17:45:00.497308016 CET	165	OUT	GET /bababa31692_token.txt HTTP/1.1 Host: 163.5.242.208 User-Agent: python-requests/2.32.3 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive
Dec 6, 2024 17:45:01.855582952 CET	354	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 16:45:01 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Mon, 25 Nov 2024 18:05:43 GMT ETag: "2e-627c094cae5b4" Accept-Ranges: bytes Content-Length: 46 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain Data Raw: 38 31 32 34 33 38 33 35 39 31 3a 41 41 45 66 46 72 68 37 4f 37 78 6a 77 61 72 79 47 31 41 43 63 44 4a 79 52 61 48 50 59 4b 48 6b 6a 4c 55 Data Ascii: 8124383591:AAEfFrh7O7xjwaryG1ACcDJyRaHPYKHkjLU

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	163.5.242.208	80	792	C:\Users\user\Desktop\dipwo1iToJ.exe

Timestamp	Bytes transferred	Direction	Data
Dec 6, 2024 17:45:01.978065014 CET	163	OUT	GET /7236785358_chat.txt HTTP/1.1 Host: 163.5.242.208 User-Agent: python-requests/2.32.3 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive
Dec 6, 2024 17:45:03.312829018 CET	318	IN	HTTP/1.1 200 OK Date: Fri, 06 Dec 2024 16:45:03 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Wed, 27 Nov 2024 07:02:56 GMT ETag: "b-627df8e248257" Accept-Ranges: bytes Content-Length: 11 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain Data Raw: 2d 34 35 31 34 34 39 34 35 38 35 Data Ascii: -4514494585

Target ID:	0
Start time:	11:44:52
Start date:	06/12/2024
Path:	C:\Users\user\Desktop\dipwo1iToJ.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\dipwo1iToJ.exe"
Imagebase:	0x7ff6f8fc0000
File size:	18'082'384 bytes
MD5 hash:	F40D72B602D086C3724048C5DF9CC6F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:44:55
Start date:	06/12/2024
Path:	C:\Users\user\Desktop\dipwo1iToJ.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\dipwo1iToJ.exe"
Imagebase:	0x7ff6f8fc0000
File size:	18'082'384 bytes
MD5 hash:	F40D72B602D086C3724048C5DF9CC6F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	36

Executed Functions

Function 00007FF6F8FC8BD0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257
synchronizationwindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6F8FC9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6F8FC45E4,00000000,00007FF6F8FC1985), ref: 00007FF6F8FC9439

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF6F8FC3F7F), ref: 00007FF6F8FC8C2B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF6F8FC3F7F), ref: 00007FF6F8FC8C46

Part of subcall function 00007FF6F8FDA4EC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FDA500

Part of subcall function 00007FF6F8FD878C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FD87F3

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF6F8FC3F7F), ref: 00007FF6F8FC8CD6
CreateProcessW.KERNELBASE ref: 00007FF6F8FC8D0E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6F8FC3F7F), ref: 00007FF6F8FC8D18

Part of subcall function 00007FF6F8FC2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6F8FC3706,?,00007FF6F8FC3804), ref: 00007FF6F8FC2C9E
Part of subcall function 00007FF6F8FC2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6F8FC3706,?,00007FF6F8FC3804), ref: 00007FF6F8FC2D63
Part of subcall function 00007FF6F8FC2C50: MessageBoxW.USER32 ref: 00007FF6F8FC2D99

RegisterClassW.USER32 ref: 00007FF6F8FC8D70
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6F8FC3F7F), ref: 00007FF6F8FC8D7B
CreateWindowExW.USER32 ref: 00007FF6F8FC8DC5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6F8FC3F7F), ref: 00007FF6F8FC8DD7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6F8FC3F7F), ref: 00007FF6F8FC8DF2
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6F8FC3F7F), ref: 00007FF6F8FC8E05
PeekMessageW.USER32 ref: 00007FF6F8FC8E29
TranslateMessage.USER32 ref: 00007FF6F8FC8E37
DispatchMessageW.USER32(?,FFFFFFFF,00007FF6F8FC3F7F), ref: 00007FF6F8FC8E41
PeekMessageW.USER32 ref: 00007FF6F8FC8E5C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6F8FC3F7F), ref: 00007FF6F8FC8E6E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6F8FC3F7F), ref: 00007FF6F8FC8E89
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF6F8FC3F7F), ref: 00007FF6F8FC8E9F
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6F8FC3F7F), ref: 00007FF6F8FC8EA9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6F8FC3F7F), ref: 00007FF6F8FC8EB7
DestroyWindow.USER32(?,FFFFFFFF,00007FF6F8FC3F7F), ref: 00007FF6F8FC8FF4
GetExitCodeProcess.KERNELBASE ref: 00007FF6F8FC9009
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF6F8FC3F7F), ref: 00007FF6F8FC9012
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF6F8FC3F7F), ref: 00007FF6F8FC901F

Strings

CreateProcessW, xrefs: 00007FF6F8FC8D27
Failed to create child process!, xrefs: 00007FF6F8FC8D20
PyInstaller Onefile Hidden Window, xrefs: 00007FF6F8FC8D85
PyInstallerOnefileHiddenWindow, xrefs: 00007FF6F8FC8D44

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction ID: f84bfb7af08be18d5aa9c5442da81fab72959eb7f67b1ea49a117f63d9bcd627
Opcode Fuzzy Hash: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction Fuzzy Hash: DED19632B1AB428AE7109F74E8542AD3761FF85BA8F400175DA6D93AD5EF3CD244D708

Function 00007FF6F8FC1000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pkg, xrefs: 00007FF6F8FC39BE
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF6F8FC3EA6
pyi-contents-directory, xrefs: 00007FF6F8FC3B8D
Py_GIL_DISABLED, xrefs: 00007FF6F8FC3AF4
Failed to convert DLL search path!, xrefs: 00007FF6F8FC3DDC
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF6F8FC3971
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF6F8FC3C61
VCRUNTIME140.dll, xrefs: 00007FF6F8FC3DB1
_PYI_SPLASH_IPC, xrefs: 00007FF6F8FC3A23, 00007FF6F8FC3EF5
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF6F8FC3B32
Failed to remove temporary directory: %s, xrefs: 00007FF6F8FC3FC3
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF6F8FC3D12
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF6F8FC3D35
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF6F8FC3882, 00007FF6F8FC38AF
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF6F8FC39DE
pyi-disable-windowed-traceback, xrefs: 00007FF6F8FC3BB2
MEI, xrefs: 00007FF6F8FC3933
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF6F8FC3A17, 00007FF6F8FC3A2F, 00007FF6F8FC3A9B
Failed to load splash screen resources!, xrefs: 00007FF6F8FC3E85
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF6F8FC3EBB
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF6F8FC3BE8
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF6F8FC3A0B, 00007FF6F8FC3CD4, 00007FF6F8FC3F6B
_PYI_ARCHIVE_FILE, xrefs: 00007FF6F8FC38D2, 00007FF6F8FC39FF
Failed to start splash screen!, xrefs: 00007FF6F8FC3ED4
Could not create temporary directory!, xrefs: 00007FF6F8FC3CBF
pyi-runtime-tmpdir, xrefs: 00007FF6F8FC3B68
pyi-python-flag, xrefs: 00007FF6F8FC3AD6
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF6F8FC3E0A

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag$pyi-runtime-tmpdir
API String ID: 2776309574-4232158417
Opcode ID: 230e5f2fbe18b706386c2e6c5de042c78cdf1bdf29ac743ce162c0a9040f007d
Instruction ID: 509ec870e1c6db84bc4fff078b1bd943882bb168dbe9525d59cf2b482609542b
Opcode Fuzzy Hash: 230e5f2fbe18b706386c2e6c5de042c78cdf1bdf29ac743ce162c0a9040f007d
Instruction Fuzzy Hash: F832A031A1E6825AFB15DB3194546B966A1AF467E0F8440B1DA7DC32C3FF2CE758E308

Function 00007FF6F8FE5C70 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF6F8FE5CB5

Part of subcall function 00007FF6F8FE5608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FE561C

Part of subcall function 00007FF6F8FDA9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF6F8FE2D92,?,?,?,00007FF6F8FE2DCF,?,?,00000000,00007FF6F8FE3295,?,?,?,00007FF6F8FE31C7), ref: 00007FF6F8FDA9CE
Part of subcall function 00007FF6F8FDA9B8: GetLastError.KERNEL32(?,?,?,00007FF6F8FE2D92,?,?,?,00007FF6F8FE2DCF,?,?,00000000,00007FF6F8FE3295,?,?,?,00007FF6F8FE31C7), ref: 00007FF6F8FDA9D8

Part of subcall function 00007FF6F8FDA970: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6F8FDA94F,?,?,?,?,?,00007FF6F8FDA83A), ref: 00007FF6F8FDA979
Part of subcall function 00007FF6F8FDA970: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6F8FDA94F,?,?,?,?,?,00007FF6F8FDA83A), ref: 00007FF6F8FDA99E

_get_daylight.LIBCMT ref: 00007FF6F8FE5CA4

Part of subcall function 00007FF6F8FE5668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FE567C

_get_daylight.LIBCMT ref: 00007FF6F8FE5F1A
_get_daylight.LIBCMT ref: 00007FF6F8FE5F2B
_get_daylight.LIBCMT ref: 00007FF6F8FE5F3C
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6F8FE617C), ref: 00007FF6F8FE5F63

Strings

Eastern Summer Time, xrefs: 00007FF6F8FE6021
Eastern Standard Time, xrefs: 00007FF6F8FE6009

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
Instruction ID: ab34d600d7f3d3b856a08dc34da618d4ca083411129ba88941a5ad10176a95a7
Opcode Fuzzy Hash: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
Instruction Fuzzy Hash: DED1E132A0A2524AE720AF35DC611B96351EF887E4F448176EA2DC76D5FF3CE441E748

Function 00007FF6F8FE69D4 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6F8FE6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FE6749
Part of subcall function 00007FF6F8FE6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FE67C7
Part of subcall function 00007FF6F8FE6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FE6818

CreateFileW.KERNELBASE ref: 00007FF6F8FE6ADA
CreateFileW.KERNEL32 ref: 00007FF6F8FE6B2A
GetLastError.KERNEL32 ref: 00007FF6F8FE6B5A
GetFileType.KERNELBASE ref: 00007FF6F8FE6B6F
GetLastError.KERNEL32 ref: 00007FF6F8FE6B79
CloseHandle.KERNEL32 ref: 00007FF6F8FE6BAC
CloseHandle.KERNEL32 ref: 00007FF6F8FE6D0F
CreateFileW.KERNEL32 ref: 00007FF6F8FE6D44
GetLastError.KERNEL32 ref: 00007FF6F8FE6D53

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction ID: 9f6c7a0bee11ecb65030a9e4611b053410df1e0c2c25da29b4206262150eef95
Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction Fuzzy Hash: B7C1BF36B29A468AEB10CF79C4902AC3761FB49BA8B415275DB2E977D4EF3CE051D304

Function 00007FF6F8FC83B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00007FF6F8FC8B09,00007FF6F8FC3FA5), ref: 00007FF6F8FC841B
RemoveDirectoryW.KERNEL32(?,00007FF6F8FC8B09,00007FF6F8FC3FA5), ref: 00007FF6F8FC849E
DeleteFileW.KERNELBASE(?,00007FF6F8FC8B09,00007FF6F8FC3FA5), ref: 00007FF6F8FC84BD
FindNextFileW.KERNELBASE(?,00007FF6F8FC8B09,00007FF6F8FC3FA5), ref: 00007FF6F8FC84CB
FindClose.KERNELBASE(?,00007FF6F8FC8B09,00007FF6F8FC3FA5), ref: 00007FF6F8FC84DC
RemoveDirectoryW.KERNELBASE(?,00007FF6F8FC8B09,00007FF6F8FC3FA5), ref: 00007FF6F8FC84E5

Strings

%s\*, xrefs: 00007FF6F8FC83E2

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction ID: 2246431b1d00d3c2c192d05b98fbb2764188c922be9ff84a9bbae162918aadb7
Opcode Fuzzy Hash: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
Instruction Fuzzy Hash: 01416C31A2E94289EB209B34E4441B96360FB967F0F800272D5ADC36C5FF3CD74AA708

Function 00007FF6F8FE5EEC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF6F8FE5F1A

Part of subcall function 00007FF6F8FE5668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FE567C

_get_daylight.LIBCMT ref: 00007FF6F8FE5F2B

Part of subcall function 00007FF6F8FE5608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FE561C

_get_daylight.LIBCMT ref: 00007FF6F8FE5F3C

Part of subcall function 00007FF6F8FE5638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FE564C

Part of subcall function 00007FF6F8FDA9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF6F8FE2D92,?,?,?,00007FF6F8FE2DCF,?,?,00000000,00007FF6F8FE3295,?,?,?,00007FF6F8FE31C7), ref: 00007FF6F8FDA9CE
Part of subcall function 00007FF6F8FDA9B8: GetLastError.KERNEL32(?,?,?,00007FF6F8FE2D92,?,?,?,00007FF6F8FE2DCF,?,?,00000000,00007FF6F8FE3295,?,?,?,00007FF6F8FE31C7), ref: 00007FF6F8FDA9D8

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6F8FE617C), ref: 00007FF6F8FE5F63

Strings

Eastern Summer Time, xrefs: 00007FF6F8FE6021
Eastern Standard Time, xrefs: 00007FF6F8FE6009

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
Instruction ID: 603a0eb5b895c7d41e63285153edc7958d26fafe8f162db71c668345f9c6873e
Opcode Fuzzy Hash: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
Instruction Fuzzy Hash: 2151B132A097428AE720DF31DC911A96361BB487E4F405179EA2DC76E6FF3CE400D748

Function 00007FF6F8FC92F0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF6F8FC9323
FindClose.KERNELBASE ref: 00007FF6F8FC9332

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction ID: 93c002a92531e59296031fbd0663229ac20f7c84b406f09ac9979848a2617be2
Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction Fuzzy Hash: E7F0C832A1A7418AF7608B70B4887667350AB883B4F440335DA7D436D4EF3CD249DB04

Function 00007FF6F8FE0938 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 2d471da97334de2acf0262392bad6ca7d41a72817533bf8b70dbf69db73f0db4
Instruction ID: 3d01e03b80c88635aeb21adfde27026b3fc49874b38980234a78e821bf251b3d
Opcode Fuzzy Hash: 2d471da97334de2acf0262392bad6ca7d41a72817533bf8b70dbf69db73f0db4
Instruction Fuzzy Hash: A1027A32A0B64648EF65AF35A8412792691BF85BF0F454674DE7DC73E6FE3CA401A308

Function 00007FF6F8FC1950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6F8FC7F80: _fread_nolock.LIBCMT ref: 00007FF6F8FC802A

_fread_nolock.LIBCMT ref: 00007FF6F8FC1A1B

Part of subcall function 00007FF6F8FC2910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF6F8FC1B6A), ref: 00007FF6F8FC295E

Strings

Failed to seek to cookie position!, xrefs: 00007FF6F8FC19EE
Could not allocate memory for archive structure!, xrefs: 00007FF6F8FC1A61
Error on file., xrefs: 00007FF6F8FC1B8D
calloc, xrefs: 00007FF6F8FC1A68
fseek, xrefs: 00007FF6F8FC19F5
Could not allocate buffer for TOC!, xrefs: 00007FF6F8FC1B1B
MEI, xrefs: 00007FF6F8FC1991
fread, xrefs: 00007FF6F8FC1A32, 00007FF6F8FC1B5C
Could not read full TOC!, xrefs: 00007FF6F8FC1B55
Failed to read cookie!, xrefs: 00007FF6F8FC1A2B
malloc, xrefs: 00007FF6F8FC1B22

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: 6d43d2f5094c02a69a50d2278f5fdcc42b4033f4591644595bdd37c4696fd258
Instruction ID: 201d39f4a7b75f6d45d5eadb890b04ef03c7ab24ec92ce8dae55b1e9ea57c789
Opcode Fuzzy Hash: 6d43d2f5094c02a69a50d2278f5fdcc42b4033f4591644595bdd37c4696fd258
Instruction Fuzzy Hash: 04819071E0A68289EB20DB34D0406F92391EF857D4F4044B1EAADC77D6FE3CE695A748

Function 00007FF6F8FC1600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fwrite, xrefs: 00007FF6F8FC17D1
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6F8FC16DA
Failed to create symbolic link %s!, xrefs: 00007FF6F8FC1622
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF6F8FC17CA
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6F8FC16A2
fseek, xrefs: 00007FF6F8FC16E1
Failed to extract %s: failed to open target file!, xrefs: 00007FF6F8FC165C
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6F8FC17DF
fopen, xrefs: 00007FF6F8FC1663
fread, xrefs: 00007FF6F8FC17E6
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF6F8FC1742
malloc, xrefs: 00007FF6F8FC1749

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: bdb202e1f9bc7177cec46868f1cc56065c6c33e9ec8a8b0f81691881613973e0
Instruction ID: fa3657ef2c2d10aecfc3a0510d6f4eae1468188f2fc8ae0e85d43cd294744cd2
Opcode Fuzzy Hash: bdb202e1f9bc7177cec46868f1cc56065c6c33e9ec8a8b0f81691881613973e0
Instruction Fuzzy Hash: E2519D31E0A6438AEB109B3194401A96361BF427F4F9445B1EE6C87BD2FE3CE795B708

Function 00007FF6F8FC8850 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF6F8FC3CBB), ref: 00007FF6F8FC88F4
GetCurrentProcessId.KERNEL32(?,00000000,00007FF6F8FC3CBB), ref: 00007FF6F8FC88FA
CreateDirectoryW.KERNELBASE(?,00000000,00007FF6F8FC3CBB), ref: 00007FF6F8FC893C

Part of subcall function 00007FF6F8FC8A20: GetEnvironmentVariableW.KERNEL32(00007FF6F8FC388E), ref: 00007FF6F8FC8A57
Part of subcall function 00007FF6F8FC8A20: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6F8FC8A79

Part of subcall function 00007FF6F8FD82A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FD82C1

Part of subcall function 00007FF6F8FC2810: MessageBoxW.USER32 ref: 00007FF6F8FC28EA

Strings

TMP, xrefs: 00007FF6F8FC888C, 00007FF6F8FC8993
LOADER: failed to set the TMP environment variable., xrefs: 00007FF6F8FC88CC
TMP, xrefs: 00007FF6F8FC88B2
_MEI%d, xrefs: 00007FF6F8FC8902
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF6F8FC896E

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
Instruction ID: 0c81f039fee35c97b5ce5327fec95c1af3702f2d613ca4caad828772557920f1
Opcode Fuzzy Hash: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
Instruction Fuzzy Hash: 02418132B2B64248EB50AB36A8551B91391AF86BE0F504171DE2DC7BD7FE3CD705A308

Function 00007FF6F8FC1210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF6F8FC12BA
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF6F8FC141E
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF6F8FC1276
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF6F8FC12EF
1.3.1, xrefs: 00007FF6F8FC1249
malloc, xrefs: 00007FF6F8FC12C1, 00007FF6F8FC12F6

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: 4135646233a09d1bafe58e36eb504b74d27aad0b28d423605d6bf35aaf273347
Instruction ID: 90955294b17f75dc6a400cc97060b5a7f1c4f4da73a002a99fe5dca55d4704bc
Opcode Fuzzy Hash: 4135646233a09d1bafe58e36eb504b74d27aad0b28d423605d6bf35aaf273347
Instruction Fuzzy Hash: 7A51C732A0A64289EB609B31A4403BA6291FF867E4F844171EE6DC77D6FE3CD751E704

Function 00007FF6F8FDED80 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF6F8FDF11A,?,?,-00000018,00007FF6F8FDADC3,?,?,?,00007FF6F8FDACBA,?,?,?,00007FF6F8FD5FAE), ref: 00007FF6F8FDEEFC
GetProcAddress.KERNEL32(?,?,?,00007FF6F8FDF11A,?,?,-00000018,00007FF6F8FDADC3,?,?,?,00007FF6F8FDACBA,?,?,?,00007FF6F8FD5FAE), ref: 00007FF6F8FDEF08

Strings

api-ms-, xrefs: 00007FF6F8FDEE46
ext-ms-, xrefs: 00007FF6F8FDEE59

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction ID: d7f1694c6d638a4afcc6c521ab876df45abf2336f511741464144b088f117c33
Opcode Fuzzy Hash: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction Fuzzy Hash: 9641E332B1A60249EB16CB3698046752292BF49BF0F894575DE2ED73C4FF3CE505A318

Function 00007FF6F8FC36B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF6F8FC3804), ref: 00007FF6F8FC36E1
GetLastError.KERNEL32(?,00007FF6F8FC3804), ref: 00007FF6F8FC36EB

Part of subcall function 00007FF6F8FC2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6F8FC3706,?,00007FF6F8FC3804), ref: 00007FF6F8FC2C9E
Part of subcall function 00007FF6F8FC2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6F8FC3706,?,00007FF6F8FC3804), ref: 00007FF6F8FC2D63
Part of subcall function 00007FF6F8FC2C50: MessageBoxW.USER32 ref: 00007FF6F8FC2D99

Strings

\\?\, xrefs: 00007FF6F8FC375A
Failed to convert executable path to UTF-8., xrefs: 00007FF6F8FC3790
Failed to obtain executable path., xrefs: 00007FF6F8FC36F3
Failed to resolve full path to executable %ls., xrefs: 00007FF6F8FC3739
GetModuleFileNameW, xrefs: 00007FF6F8FC36FA

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction ID: 14b9bf6fde7ff3248b9e29ce45d2debfce601e70601bb07f1b1718664263a4a4
Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction Fuzzy Hash: E2215E71B1E64289FB219731E8053B62251AF893E8F804172E67DC36D6FE2CE705E708

Function 00007FF6F8FDBACC Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FDBEF9

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 71330427dde7a49afb2283bb308656113f98e0c66a4f806cd66398b14c9322eb
Instruction ID: 62d1667df87871b71bff5abd6cd2fb54b483799c7e028086f56d434a245fc4d1
Opcode Fuzzy Hash: 71330427dde7a49afb2283bb308656113f98e0c66a4f806cd66398b14c9322eb
Instruction Fuzzy Hash: 0CC1E43390A68689E7219F2594402BD7B62FB81BE0F954171EB6E837E1EE7CE4459308

Function 00007FF6F8FC8760 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6F8FC8780
OpenProcessToken.ADVAPI32 ref: 00007FF6F8FC8793
GetTokenInformation.KERNELBASE ref: 00007FF6F8FC87B8
GetLastError.KERNEL32 ref: 00007FF6F8FC87C2
GetTokenInformation.KERNELBASE ref: 00007FF6F8FC8802
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6F8FC881E
CloseHandle.KERNEL32 ref: 00007FF6F8FC8836

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
Instruction ID: 2295f1732c83f882dabbe0616ba183f9d47697b68ea1bbbd8ad5154c4fb2bd27
Opcode Fuzzy Hash: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
Instruction Fuzzy Hash: 53217331B1D64246EB109B65F45026AA3A1FF857F0F500275E77C83AE9EE6CD6449704

Function 00007FF6F8FC90E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6F8FC8760: GetCurrentProcess.KERNEL32 ref: 00007FF6F8FC8780
Part of subcall function 00007FF6F8FC8760: OpenProcessToken.ADVAPI32 ref: 00007FF6F8FC8793
Part of subcall function 00007FF6F8FC8760: GetTokenInformation.KERNELBASE ref: 00007FF6F8FC87B8
Part of subcall function 00007FF6F8FC8760: GetLastError.KERNEL32 ref: 00007FF6F8FC87C2
Part of subcall function 00007FF6F8FC8760: GetTokenInformation.KERNELBASE ref: 00007FF6F8FC8802
Part of subcall function 00007FF6F8FC8760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6F8FC881E
Part of subcall function 00007FF6F8FC8760: CloseHandle.KERNEL32 ref: 00007FF6F8FC8836

LocalFree.KERNEL32(?,00007FF6F8FC3C55), ref: 00007FF6F8FC916C
LocalFree.KERNEL32(?,00007FF6F8FC3C55), ref: 00007FF6F8FC9175

Strings

D:(A;;FA;;;%s), xrefs: 00007FF6F8FC9157
S-1-3-4, xrefs: 00007FF6F8FC9121
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF6F8FC9142
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF6F8FC9183

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
Instruction ID: 2cc636904f5a60e6ced0e43030feeac9b7892a47cb001317f0ff8f62fc3c0d64
Opcode Fuzzy Hash: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
Instruction Fuzzy Hash: 39216131A1A74289E710AB30E4192EA6351EF857E0F440475EA6DD3BD7FF3CD605A744

Function 00007FF6F8FC7E10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00000000,?,00007FF6F8FC352C,?,00000000,00007FF6F8FC3F23), ref: 00007FF6F8FC7F22

Strings

\, xrefs: 00007FF6F8FC7E87
%.*s, xrefs: 00007FF6F8FC7EDB
%s%c, xrefs: 00007FF6F8FC7E94

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: b1106a047486010b66b16d7d561c3e0e79f8eec2dc114c611d5a943da294bb6a
Instruction ID: cb16104eb0c468203a475566dd9d4f8814c2ec160aadd27e12a46075c2820bc9
Opcode Fuzzy Hash: b1106a047486010b66b16d7d561c3e0e79f8eec2dc114c611d5a943da294bb6a
Instruction Fuzzy Hash: DE31E331B1AAC549EB219B35A8503EA6354EF85BF0F400270EA7D83BCAEE2CD305D704

Function 00007FF6F8FDCFD0 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F8FDCFBB), ref: 00007FF6F8FDD0EC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F8FDCFBB), ref: 00007FF6F8FDD177

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction ID: 9f3c3f3c20c938cee16a9ba7890618f6db03e026b2f685556f3947eb65f19ba8
Opcode Fuzzy Hash: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction Fuzzy Hash: 3491D233E1A6528AF750AF7598402BD2BA2EB44BE8F145179DF2E936C4EE3CD4429704

Function 00007FF6F8FDF9FC Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6F8FDFAEC
_get_daylight.LIBCMT ref: 00007FF6F8FDFAFD
_get_daylight.LIBCMT ref: 00007FF6F8FDFB0E
_isindst.LIBCMT ref: 00007FF6F8FDFBD9

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction ID: 0452490a201b0b7d6415b073c18cfd6c29de8b34a671e2355f957307de89715e
Opcode Fuzzy Hash: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction Fuzzy Hash: D651D573F0A1128EEB14CF349951ABC2762EB543B8F500275DE2ED3AE5EF38A4029704

Function 00007FF6F8FD57EC Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF6F8FD581F
GetFileInformationByHandle.KERNELBASE ref: 00007FF6F8FD5881
GetLastError.KERNEL32 ref: 00007FF6F8FD5912
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F8FD5724), ref: 00007FF6F8FD595E

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction ID: 4a9dfae7a86ddb3c772f6e37722f7eecc17f3c928f2f7d8875bebebc7da61068
Opcode Fuzzy Hash: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction Fuzzy Hash: 71518C33E096418EFB10DF71D8503BD23A2AB48BA8F148475DF69976C9EF38D441A709

Function 00007FF6F8FD5698 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FD56C5
CreateFileW.KERNELBASE ref: 00007FF6F8FD5704
CloseHandle.KERNEL32 ref: 00007FF6F8FD5739

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 24238bc47b860f74abc13910c6a37bc7991964e3dbe0c30fb6d15975fbdc4001
Instruction ID: 991721680511ecb1656f4518aba9896e3bf5277f2c145b0c14d0bd90714c52bb
Opcode Fuzzy Hash: 24238bc47b860f74abc13910c6a37bc7991964e3dbe0c30fb6d15975fbdc4001
Instruction Fuzzy Hash: 4E41A133D197828BE7509B3099103697361FB987B4F108374EBAC87AD2EF6CA5E09704

Function 00007FF6F8FCCCAC Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6F8FCCE7C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6F8FCCE90

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF6F8FCCCD0
__scrt_release_startup_lock.LIBCMT ref: 00007FF6F8FCCD3E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF6F8FCCD91

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction ID: b26e5a556e3809c065a2acad19c70920da886ff9f067c750cc05a7b36ba9096e
Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction Fuzzy Hash: BB315A31E0A20349FB24AB7498113B91792AF423E4F4404B8DA7DCB2D7FE2CA705E218

Function 00007FF6F8FD9AA0 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF6F8FD9A9C), ref: 00007FF6F8FD9AB1
TerminateProcess.KERNEL32(?,?,?,00007FF6F8FD9A9C), ref: 00007FF6F8FD9ABC
ExitProcess.KERNEL32 ref: 00007FF6F8FD9ACB

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
Instruction ID: 4e88987f7a9b6c1d39e817599524bc1fbb03f724a8cede60e9ebe8a2d2220ea7
Opcode Fuzzy Hash: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
Instruction Fuzzy Hash: 7CD06736B0A6464AEB142BB0589907812926F487A1B5414B8D92B973D3FD2CA4496308

Function 00007FF6F8FD01AC Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FD01F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FD02E7

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction ID: b32426c6bc6de5d9141ff66928b5cc47daee5976ca798bbaac20b4223c6133b2
Opcode Fuzzy Hash: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction Fuzzy Hash: 8951B273A0B2428EEF289A36940067E6692ABC4BF4F144774DF7D877C5EE3CD401A618

Function 00007FF6F8FDC1A4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF6F8FDC33D), ref: 00007FF6F8FDC1F0
GetLastError.KERNEL32(?,?,?,?,?,00007FF6F8FDC33D), ref: 00007FF6F8FDC1FA

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction ID: 76b3696af12265a9e53946c8514ab6f34c674a3c6104329502e1a04fb32bad84
Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction Fuzzy Hash: 50112372718A8289DB108B35E8040696362BB41BF0F540371EF7D8B7E8EF3CD0029704

Function 00007FF6F8FD5994 Relevance: 3.0, APIs: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F8FD58A9), ref: 00007FF6F8FD59C7
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6F8FD58A9), ref: 00007FF6F8FD59DD

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 3eb82881f56b5e10c0b4ae1229c4961d4f4fc58e8f6ff53d00dfea58f30bf4d5
Instruction ID: 8c82b1ac318242098e3635e7e11cb8313ee08f36eaf971d36c76a6c0b019cc3b
Opcode Fuzzy Hash: 3eb82881f56b5e10c0b4ae1229c4961d4f4fc58e8f6ff53d00dfea58f30bf4d5
Instruction Fuzzy Hash: 1811913361D6128AEB548B20A84113AB7A1FB887B1F500275FBADC29D8FF3CD014EB04

Function 00007FF6F8FDA9B8 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF6F8FE2D92,?,?,?,00007FF6F8FE2DCF,?,?,00000000,00007FF6F8FE3295,?,?,?,00007FF6F8FE31C7), ref: 00007FF6F8FDA9CE
GetLastError.KERNEL32(?,?,?,00007FF6F8FE2D92,?,?,?,00007FF6F8FE2DCF,?,?,00000000,00007FF6F8FE3295,?,?,?,00007FF6F8FE31C7), ref: 00007FF6F8FDA9D8

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction ID: feb707cb35af371423aa557f727a3a656d87bd941d4a19c90ade3fc7ceb238a3
Opcode Fuzzy Hash: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction Fuzzy Hash: C4E08632F0B2035AFF055BB2984613812526F947E0F4405B4CA3DD32E1FE2C6985A318

Function 00007FF6F8FDABC8 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF6F8FDAA45,?,?,00000000,00007FF6F8FDAAFA), ref: 00007FF6F8FDAC36
GetLastError.KERNEL32(?,?,?,00007FF6F8FDAA45,?,?,00000000,00007FF6F8FDAAFA), ref: 00007FF6F8FDAC40

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction ID: 6940588f9b1506e6b3a63ef22404735fab446ce3b210f328419031e0a473ef97
Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction Fuzzy Hash: B621A432B2E6424AEBA0577194512791693AF847F0F0846B9DB3EC73D5EE6CE446A30C

Function 00007FF6F8FDBF1C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FDBF44

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction ID: 23c06b043e534e969ff61cdab74d526035c4c38e4fb94bdf7f79686af9665a1b
Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction Fuzzy Hash: 1341C13390A2018BEB349B75A54127973A2EB56BE0F500171DBAAC36D1EF2DE403DB59

Function 00007FF6F8FC7F80 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF6F8FC802A

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 9308b687cf4eea5a9f9c2c4d0625b2a01abdca647666c74d71e3793018cb6a8d
Instruction ID: 2ff879456e5647b595fbdbf94edb33921640710527a8594da5edc1ba7c8b38f6
Opcode Fuzzy Hash: 9308b687cf4eea5a9f9c2c4d0625b2a01abdca647666c74d71e3793018cb6a8d
Instruction Fuzzy Hash: 0421E631B6A65149FB109A3265003BA9741FF46BE4F8C4070EE2D8B7C7EE3DE245D208

Function 00007FF6F8FDB9AC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FDBA32

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e965e93cbe1d72adb8351a0dc15ff4730447cd31f91a428760958f4d16ec249d
Instruction ID: b569d15b094e7544a48c6e42eddba262bee4739ac25a37a5097de7caf09e3692
Opcode Fuzzy Hash: e965e93cbe1d72adb8351a0dc15ff4730447cd31f91a428760958f4d16ec249d
Instruction Fuzzy Hash: 3831C133A1A64289E7116F75884137C2A51AF40BF4F8205B5EB7D833E2EF7CE441A729

Function 00007FF6F8FD99D1 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6F8FD99FF

Part of subcall function 00007FF6F8FD9AF8: GetModuleHandleExW.KERNEL32 ref: 00007FF6F8FD9B1D
Part of subcall function 00007FF6F8FD9AF8: GetProcAddress.KERNEL32 ref: 00007FF6F8FD9B33
Part of subcall function 00007FF6F8FD9AF8: FreeLibrary.KERNEL32 ref: 00007FF6F8FD9B5A

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
Instruction ID: 33355fda9a75a28de86f42604dea73f465a3aa973e7bb9aa410c3688218d8da7
Opcode Fuzzy Hash: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
Instruction Fuzzy Hash: 2E216B33B066828EEB648FB4C4882AC33A2EB04768F544675D72D87AD5EF78D584D744

Function 00007FF6F8FD6004 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FD5F69

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 6e6d2d52d951ca21c390a2b54fcc0eefaa965e837d5fd0a77bb1238cd1e0aeae
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: 1711A433A0E64149EB609F61980117DA366AF49BE0F440571EF5CDBAD6EF3DD400A708

Function 00007FF6F8FE63C4 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FE63E7

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction ID: fb1ca54aa8b9cb68321df7d50206c6788fb30862cc3153b084bee94f122acbc5
Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction Fuzzy Hash: CC219272619A468ADB618F28D44037976A1FB84BE4F144234E6ADC76D9EF3CD410DB04

Function 00007FF6F8FD042C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FD0480

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: d772a13325d8719168274032a12d51493332f3bfd5e7c16f5bc9756e23d95137
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: E7018E32A0974148EB049B629901469A692BF96FF0B0846B1EF7C97BD6EE3CE4116308

Function 00007FF6F8FD7F6C Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FD7FAA

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 6832eb5f98ca96f5e7cd25db8366a3c1a8b2d6b45623d2691d830cdd3d76c9ad
Instruction ID: ddd158e47d95c626c74babbdfb660c6737dfee1685ae0fbbab11495d6b9ad090
Opcode Fuzzy Hash: 6832eb5f98ca96f5e7cd25db8366a3c1a8b2d6b45623d2691d830cdd3d76c9ad
Instruction Fuzzy Hash: 19018B32A1E28748FB605A35690117D5692AF447F0F0445B9EB7CCB6DAFF2CA440A249

Function 00007FF6F8FD82A8 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FD82C1

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction ID: f76601aa3ba9f0ffc60f59e921d606794152d6d0779beeacf0ee3d1840f197de
Opcode Fuzzy Hash: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction Fuzzy Hash: 76E08CB2F2A6078EF7103AB5448217922124F553E2F4448B0EB29C73D3FE2C6848723D

Function 00007FF6F8FDD66C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF6F8FD0D00,?,?,?,00007FF6F8FD236A,?,?,?,?,?,00007FF6F8FD3B59), ref: 00007FF6F8FDD6AA

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction ID: 4f581a4a81071ea327d2e8b4aa60b1eaf2df503a2f28a7c71ee77aab974d61ce
Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction Fuzzy Hash: 5CF03A22B0B2024EFF657BB1581167812924F547F0F0906B0EA3EC72D5FE2CA440A658

Non-executed Functions

Function 00007FF6F8FC76B0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF6F8FC76C7
GetLastError.KERNEL32 ref: 00007FF6F8FC76D9
GetProcAddress.KERNEL32 ref: 00007FF6F8FC7715
GetLastError.KERNEL32 ref: 00007FF6F8FC7727
GetProcAddress.KERNEL32 ref: 00007FF6F8FC7740
GetLastError.KERNEL32 ref: 00007FF6F8FC7752
GetProcAddress.KERNEL32 ref: 00007FF6F8FC776B
GetLastError.KERNEL32 ref: 00007FF6F8FC777D
GetProcAddress.KERNEL32 ref: 00007FF6F8FC7799
GetLastError.KERNEL32 ref: 00007FF6F8FC77AB
GetProcAddress.KERNEL32 ref: 00007FF6F8FC77C7
GetLastError.KERNEL32 ref: 00007FF6F8FC77D9
GetProcAddress.KERNEL32 ref: 00007FF6F8FC77F5
GetLastError.KERNEL32 ref: 00007FF6F8FC7807
GetProcAddress.KERNEL32 ref: 00007FF6F8FC7823
GetLastError.KERNEL32 ref: 00007FF6F8FC7835
GetProcAddress.KERNEL32 ref: 00007FF6F8FC7851
GetLastError.KERNEL32 ref: 00007FF6F8FC7863

Strings

Tcl_CreateThread, xrefs: 00007FF6F8FC7819, 00007FF6F8FC783B
Tcl_JoinThread, xrefs: 00007FF6F8FC7875, 00007FF6F8FC7897
Tcl_GetObjResult, xrefs: 00007FF6F8FC7B55, 00007FF6F8FC7B77
Tcl_EvalObjv, xrefs: 00007FF6F8FC7BDF, 00007FF6F8FC7C01
Tcl_FindExecutable, xrefs: 00007FF6F8FC7736, 00007FF6F8FC7758
Tcl_CreateInterp, xrefs: 00007FF6F8FC770B, 00007FF6F8FC772D
Tcl_Init, xrefs: 00007FF6F8FC76C0, 00007FF6F8FC76DF
Failed to get address for %hs, xrefs: 00007FF6F8FC76E8
Tcl_ConditionFinalize, xrefs: 00007FF6F8FC792D, 00007FF6F8FC794F
Tk_GetNumMainWindows, xrefs: 00007FF6F8FC7C97, 00007FF6F8FC7CB9
Tcl_FinalizeThread, xrefs: 00007FF6F8FC77BD, 00007FF6F8FC77DF
Tcl_Free, xrefs: 00007FF6F8FC7C3B, 00007FF6F8FC7C5D
Tcl_SetVar2Ex, xrefs: 00007FF6F8FC7B27, 00007FF6F8FC7B49
Tcl_NewByteArrayObj, xrefs: 00007FF6F8FC7AF9, 00007FF6F8FC7B1B
Tcl_MutexLock, xrefs: 00007FF6F8FC78A3, 00007FF6F8FC78C5
Tcl_Alloc, xrefs: 00007FF6F8FC7C0D, 00007FF6F8FC7C2F
Tcl_ConditionNotify, xrefs: 00007FF6F8FC795B, 00007FF6F8FC797D
Tcl_DeleteInterp, xrefs: 00007FF6F8FC77EB, 00007FF6F8FC780D
Tcl_ConditionWait, xrefs: 00007FF6F8FC7989, 00007FF6F8FC79AB
Tcl_SetVar2, xrefs: 00007FF6F8FC7A41, 00007FF6F8FC7A63
Tcl_GetString, xrefs: 00007FF6F8FC7A9D, 00007FF6F8FC7ABF
Tcl_MutexUnlock, xrefs: 00007FF6F8FC78D1, 00007FF6F8FC78F3
Tcl_NewStringObj, xrefs: 00007FF6F8FC7ACB, 00007FF6F8FC7AED
Tcl_MutexFinalize, xrefs: 00007FF6F8FC78FF, 00007FF6F8FC7921
Tcl_Finalize, xrefs: 00007FF6F8FC778F, 00007FF6F8FC77B1
Tcl_GetCurrentThread, xrefs: 00007FF6F8FC7847, 00007FF6F8FC7869
Tcl_ThreadQueueEvent, xrefs: 00007FF6F8FC79B7, 00007FF6F8FC79D9
Tcl_EvalFile, xrefs: 00007FF6F8FC7B83, 00007FF6F8FC7BA5
GetProcAddress, xrefs: 00007FF6F8FC76EF
Tcl_EvalEx, xrefs: 00007FF6F8FC7BB1, 00007FF6F8FC7BD3
Tcl_GetVar2, xrefs: 00007FF6F8FC7A13, 00007FF6F8FC7A35
Tcl_DoOneEvent, xrefs: 00007FF6F8FC7761, 00007FF6F8FC7783
Tk_Init, xrefs: 00007FF6F8FC7C69, 00007FF6F8FC7C8B
Tcl_CreateObjCommand, xrefs: 00007FF6F8FC7A6F, 00007FF6F8FC7A91
Tcl_ThreadAlert, xrefs: 00007FF6F8FC79E5, 00007FF6F8FC7A07

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction ID: c339a7b503fd7f3466c9e57c5bb30ce09d51ea53179d8c0090c89470b6e321a1
Opcode Fuzzy Hash: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction Fuzzy Hash: 2102C330A0FB0789FB55AF79A8105B422A1AF057F5B8010B5D53E976E5FF3CB648A318

Function 00007FF6F8FE411C Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF6F8FE416A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FE47D6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FE494C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FE4C0A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FE4E2A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FE5067
memcpy_s.LIBCPMT ref: 00007FF6F8FE5142
memcpy_s.LIBCPMT ref: 00007FF6F8FE51ED
memcpy_s.LIBCPMT ref: 00007FF6F8FE52BC

Strings

1#IND, xrefs: 00007FF6F8FE4257
1#SNAN, xrefs: 00007FF6F8FE427A
1#INF, xrefs: 00007FF6F8FE4293
1#QNAN, xrefs: 00007FF6F8FE4283

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 5eb30dd7dc62229e37aa5031b27090d50e2656cb9eae334aa241f26caa9cb01e
Instruction ID: 5131fe55cf08a6993c49ab25a08779146551f5de102a7e2ad847fa4fd286a361
Opcode Fuzzy Hash: 5eb30dd7dc62229e37aa5031b27090d50e2656cb9eae334aa241f26caa9cb01e
Instruction Fuzzy Hash: 89B2C272A1A6828FE7248E74D8407FD77A1FB643D8F501179DA2997AC4EF38A900DB44

Function 00007FF6F8FCAD1D Relevance: 12.0, Strings: 9, Instructions: 744COMMON

Download Yara Rule

Strings

invalid code lengths set, xrefs: 00007FF6F8FCAE9D
invalid literal/lengths set, xrefs: 00007FF6F8FCB1A3
invalid bit length repeat, xrefs: 00007FF6F8FCB109
invalid distance too far back, xrefs: 00007FF6F8FCB6E0
invalid literal/length code, xrefs: 00007FF6F8FCB452
invalid distances set, xrefs: 00007FF6F8FCB210
too many length or distance symbols, xrefs: 00007FF6F8FCAEB6
invalid distance code, xrefs: 00007FF6F8FCB624
invalid code -- missing end-of-block, xrefs: 00007FF6F8FCB136

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 183baba8c618070380c74d0f680cff30a06716a401d1faaba0935d79222a4dc0
Instruction ID: 5ae5b863b7b8b674c374495782c3cc1c24fd369333190efd2eee729e71c5ec08
Opcode Fuzzy Hash: 183baba8c618070380c74d0f680cff30a06716a401d1faaba0935d79222a4dc0
Instruction Fuzzy Hash: A1523572A192A68BD7948F24D458B7E3BADFB45390F414138E65A837C1EF3CEA44DB04

Function 00007FF6F8FCD19C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6F8FCD1B8
RtlCaptureContext.KERNEL32 ref: 00007FF6F8FCD1E5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6F8FCD1FF
RtlVirtualUnwind.KERNEL32 ref: 00007FF6F8FCD240
IsDebuggerPresent.KERNEL32 ref: 00007FF6F8FCD294
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6F8FCD2B1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6F8FCD2BC

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction ID: b83e341319e6fc5828cbd1d6a91cb499e33ee2471da968f6ca93d51efea6c276
Opcode Fuzzy Hash: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction Fuzzy Hash: 4C315272709B8189EB609F60E8403EE7360FB85754F444039DA5D97B95EF3CD648D714

Function 00007FF6F8FDA684 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6F8FDA6FD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6F8FDA715
RtlVirtualUnwind.KERNEL32 ref: 00007FF6F8FDA750
IsDebuggerPresent.KERNEL32 ref: 00007FF6F8FDA789
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6F8FDA793
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6F8FDA79E

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction ID: 2ff0af9f776c5e1e4d74639dddb300e999eb213eb88d929bd1e5768b820ae3f0
Opcode Fuzzy Hash: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction Fuzzy Hash: 39317432619B8189D760CF35E8402AE73A4FB897A4F540135EA9D87B95EF3CC545CB04

Function 00007FF6F8FE18E4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FE1930
FindFirstFileExW.KERNEL32 ref: 00007FF6F8FE1A3A

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
Instruction ID: a0049f307e9c142f15703f1762eccca086aa1220a2bec0de9edf7d39ea695bc0
Opcode Fuzzy Hash: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
Instruction Fuzzy Hash: 49B1C432F1A68649EB619B3694001B963A5EB44BF5F444171EA6EC7BC5FE3CE481E308

Function 00007FF6F8FCD080 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6F8FCD0AC
GetCurrentThreadId.KERNEL32 ref: 00007FF6F8FCD0BA
GetCurrentProcessId.KERNEL32 ref: 00007FF6F8FCD0C6
QueryPerformanceCounter.KERNEL32 ref: 00007FF6F8FCD0D6

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction ID: 5827fbda55b5fd23a397198d9bdab2bbbfd4673e8c0f0e1e6d21787113893ac1
Opcode Fuzzy Hash: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction Fuzzy Hash: 3E114C32B15B068AEB00CB70E8442A933A4FB597A8F440E31DA2D877A4EF3CD1588344

Function 00007FF6F8FE3C80 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF6F8FE3CE6
memcpy_s.LIBCPMT ref: 00007FF6F8FE3D11

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: f97e9080eea9c82f43a1d47678935845a7e3fdaa3abc55778520c10378280824
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: B0C10972B1A6868BDB24CF29E04866AB791F7947D4F448138DB5E83784EF3DE904CB44

Function 00007FF6F8FCA4E4 Relevance: 4.1, Strings: 3, Instructions: 398COMMON

Download Yara Rule

Strings

unknown header flags set, xrefs: 00007FF6F8FCA535
header crc mismatch, xrefs: 00007FF6F8FCA991
, xrefs: 00007FF6F8FCA5CB

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown header flags set
API String ID: 0-1127688429
Opcode ID: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
Instruction ID: ba4be0a5d1062f42625c942f6d1bdac7b68e73da031ffde5c3ce1ae7f56cd811
Opcode Fuzzy Hash: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
Instruction Fuzzy Hash: A0F1F5B2A093C58FE7918F259089B3A3AA9FF46790F0541B4DA59873D2EF38E740D744

Function 00007FF6F8FE9798 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF6F8FE99E7
RaiseException.KERNEL32 ref: 00007FF6F8FE99F8

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
Instruction ID: 81e090dbbae496a0a9bad01a34f66a973e59e92f5e59deea95d32609e3ecea21
Opcode Fuzzy Hash: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
Instruction Fuzzy Hash: F9B17A73A05B898FEB15CF29C88A36C3BA0F784B98F148861DA6D837A4DF39D451C714

Function 00007FF6F8FD3A14 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF6F8FD3DC4
, xrefs: 00007FF6F8FD3B82

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
Instruction ID: 8b3f71b25ddbc40bc48c9e5da1a74213befa65faebb2542ded7e35d2d42761eb
Opcode Fuzzy Hash: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
Instruction Fuzzy Hash: 59E1B437A0A6464BDB688B35845013DA3A2FB45BE4F140275DF6E876D4FF29D842E708

Function 00007FF6F8FCA34B Relevance: 2.7, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

incorrect header check, xrefs: 00007FF6F8FCA4CB
invalid window size, xrefs: 00007FF6F8FCA4B2

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size
API String ID: 0-900081337
Opcode ID: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
Instruction ID: 49410a244fa7b68bbbde64872d487c127d0a5c8c6a3179ae4548e22ce4a4eb8e
Opcode Fuzzy Hash: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
Instruction Fuzzy Hash: C391E972A192D68FE7A48E24D44DB3E3A99FB413A0F114175DA6A877C1EF38E740DB04

Function 00007FF6F8FDDF60 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FF6F8FDE0EA
e+000, xrefs: 00007FF6F8FDE06D

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: b62be3d0480bbbd0e022829aa0980c84d51f153df7fa61e27e52cad2b39beef0
Instruction ID: f900690daa31e34c5b053161bfe87d2857f3b7d3dee0b77bd49d81984fbb2d36
Opcode Fuzzy Hash: b62be3d0480bbbd0e022829aa0980c84d51f153df7fa61e27e52cad2b39beef0
Instruction Fuzzy Hash: 9C515873B192C14AE7258A3598057697B92E744BE4F48D2B1CBBC87AC5EE7DE040D704

Function 00007FF6F8FDDACC Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF6F8FDDE0E

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction ID: 89bc0aa122ac7623428c640e250105313200cf4e574cb8dd0bf301af48d81709
Opcode Fuzzy Hash: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction Fuzzy Hash: 6AA13473A0A7864BEB21DB39A4007A97B92AB647E4F048071DFAD877C5EE3DE501D304

Function 00007FF6F8FD8804 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF6F8FD8823

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 5f14576829c2a404d65bc8e6713cc3c63392e5e443677cfdf71167dbae88db0a
Instruction ID: b51bf62687ed4ef080b19796234d327c8d4a8913ccf56a619b14a74303404193
Opcode Fuzzy Hash: 5f14576829c2a404d65bc8e6713cc3c63392e5e443677cfdf71167dbae88db0a
Instruction Fuzzy Hash: 6851B222F3A34249FB64AB36590117A52926F44BE4F5889B4DF6DC37D2FE3CE441620D

Function 00007FF6F8FE34F0 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6F8FE34F4

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
Instruction ID: 89ed36b8e632263b21bcc9a4d03b032f4ed92bea1c049ddce3837032af29f59b
Opcode Fuzzy Hash: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
Instruction Fuzzy Hash: BCB09230E0BA02C6EB0A2F216C8621822A57F48750FD80178C02C92370EE2C20E56710

Function 00007FF6F8FD3610 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2a1199bc68cddcf3b08423a19983f3afdde0c7e054ddf4c3f66946da216a90
Instruction ID: ee98b5721b11829a6b496a2f2034f1683a66eb80f52a1677c094bd7c7a09d714
Opcode Fuzzy Hash: 5f2a1199bc68cddcf3b08423a19983f3afdde0c7e054ddf4c3f66946da216a90
Instruction Fuzzy Hash: 3FD1B673A0A6424BEB688B35805063DA3A2AB45BE8F144275CF2D876D5FF39E845E304

Function 00007FF6F8FC9870 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
Instruction ID: bf4231f53255827578622fab97121409db7011dc48d5ba60b94974aca503576f
Opcode Fuzzy Hash: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
Instruction Fuzzy Hash: C6C1B0762181E08BD289EB29E47947A73D0F78934DB95406BEF87477C6CB3CA514EB10

Function 00007FF6F8FD2C80 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
Instruction ID: e625b35af324e6c6473e2d9626592d197bfdf87ee1c4a66917595f7788e33e0f
Opcode Fuzzy Hash: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
Instruction Fuzzy Hash: D0B17E73A0A78589E7658F39C05012C3BA2E749BA8F240575CB5DC73D9EF39E441E788

Function 00007FF6F8FDE5E0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
Instruction ID: 6e28d21e55fdb13beb8583e324825cd85afa987439cbfcc6987b1f83d3a6b69c
Opcode Fuzzy Hash: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
Instruction Fuzzy Hash: 64811573A193814AE7B4CB3994403797A92FB457E4F544275DBAE87BC5EE3CE4009B04

Function 00007FF6F8FE6488 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 0ac6b4c320f8a85a272a2d207e476957e076465a5e78eda0eae0a584ad6410a5
Instruction ID: 6e6c3cfe5588313fc2ea21ad217beec1bbf0a225eddf892c9b588091a7d3a0bb
Opcode Fuzzy Hash: 0ac6b4c320f8a85a272a2d207e476957e076465a5e78eda0eae0a584ad6410a5
Instruction Fuzzy Hash: D761D732F1A29A4EF7649E38845423D6681AF507F0F1542B9D63ECB6D5FE6DE800E708

Function 00007FF6F8FD19B4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: 47ce34e9f6320e7770177d897ae019cb49faab06c448b915803f0f4a43dfa7a1
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: D8517137E196528AE7248B39C04022873A2EB45BB8F244171CF5D977D4EF3AE893D744

Function 00007FF6F8FD21D4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: 036cfd047d33f05f0cd653dcfec52773de3161e86094d466f88402465b8a7259
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: 8E515E33A196518AE7248B39C04022C23A2EB54BA9F244171DF6DC77D4EF3AF843E794

Function 00007FF6F8FD1DC4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: 15dff0fa1491abbf39108222ac17a49f74489d8243610fac1bc39837d3ad62fe
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: 35516537E1965389E7248B39D04022873A2EB44BB8F244171CF5D877D4EF3AE892D744

Function 00007FF6F8FD1BC0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction ID: 0a0d6cd2771cacdb83a089ee22c6519bf96a07f7e5c22160021c5c4f53f69e39
Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction Fuzzy Hash: 52518233E196528AE7248B39C04026877A2EB45BA8F244171CF5D977D4EF3AE883D748

Function 00007FF6F8FD17B0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction ID: dac0bd97138b41c835c5d9112fe3db38e16aeca6aa187689fa04f55a3f780994
Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction Fuzzy Hash: 33519637E1965289E7248B39D04023CA7A2EB44BA8F349171CF5C977D4DF3AE892E744

Function 00007FF6F8FD1FD0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction ID: 73f0aa16203bf22922b0614033eefc88e68e48e7e468f936861ca94797a2d97c
Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction Fuzzy Hash: FA518237A1965189E7248B39C44422827A2EB44BA8F249171CB5CD77E4EF3AFC43D784

Function 00007FF6F8FD5DA0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: 49a07dce7747bf1b25b83cd957e0196a42a88f975bc28152c16877815ab73156
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: 4741947380B64A4CFB6599380D046B857829F6ABF1E5853F0DEB9DB3C2FD0C29869109

Function 00007FF6F8FD9F10 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4700cc90785079b7bb7a0602c46334a4ae9c6cdcc1bc7f68a8ec9cd099c19dcc
Instruction ID: 8cc4e547a090c2c295504664865bfee6f4e9bf4a4361664e117f3e206f46c0f0
Opcode Fuzzy Hash: 4700cc90785079b7bb7a0602c46334a4ae9c6cdcc1bc7f68a8ec9cd099c19dcc
Instruction Fuzzy Hash: 86410333715A5586EF04CF7ADA55169B3A2BB88FE0B099032DE1DD7B98EE3CC4419308

Function 00007FF6F8FD8154 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12404f4f4f1323fea4d4e583727f71dd7b5a0d93f2e51056eadc76cf5c92dd81
Instruction ID: 9e645e32f8866a2f2b762b8f132c5cc37058a49e9bfd552d82c20d73cf851bb2
Opcode Fuzzy Hash: 12404f4f4f1323fea4d4e583727f71dd7b5a0d93f2e51056eadc76cf5c92dd81
Instruction Fuzzy Hash: A931C733B2AB4285E7649F35684013D76D6AB85BE0F144279EB6D93BD5EF3CD1025308

Function 00007FF6F8FE95E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
Instruction ID: e9a0f0b62c49c40139d74d10dfcad6e2c659da09ed5d860059f22c2999128a1a
Opcode Fuzzy Hash: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
Instruction Fuzzy Hash: 22F068717282568ADB998F69A84262977D0F7083C0F40A03DD59DC3B58EE3CD0619F04

Function 00007FF6F8FCD37C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6acc2ec838af36dd9636ef9e1d94249ffac8b7a33868b0b47a68aa66541c0b8
Instruction ID: 4501398c0426ae015565f16186abe0b17790bb0849d542c462c54715d4dfec75
Opcode Fuzzy Hash: e6acc2ec838af36dd9636ef9e1d94249ffac8b7a33868b0b47a68aa66541c0b8
Instruction Fuzzy Hash: A0A00131A0E80AD8E7459B20A8900292320BB513A4B8000B1E02D970E5AE2DA600A318

Function 00007FF6F8FC5820 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF6F8FC64BF,?,00007FF6F8FC336E), ref: 00007FF6F8FC5830
GetLastError.KERNEL32(?,00007FF6F8FC64BF,?,00007FF6F8FC336E), ref: 00007FF6F8FC5842
GetProcAddress.KERNEL32(?,00007FF6F8FC64BF,?,00007FF6F8FC336E), ref: 00007FF6F8FC5879
GetLastError.KERNEL32(?,00007FF6F8FC64BF,?,00007FF6F8FC336E), ref: 00007FF6F8FC588B
GetProcAddress.KERNEL32(?,00007FF6F8FC64BF,?,00007FF6F8FC336E), ref: 00007FF6F8FC58A4
GetLastError.KERNEL32(?,00007FF6F8FC64BF,?,00007FF6F8FC336E), ref: 00007FF6F8FC58B6
GetProcAddress.KERNEL32(?,00007FF6F8FC64BF,?,00007FF6F8FC336E), ref: 00007FF6F8FC58CF
GetLastError.KERNEL32(?,00007FF6F8FC64BF,?,00007FF6F8FC336E), ref: 00007FF6F8FC58E1
GetProcAddress.KERNEL32(?,00007FF6F8FC64BF,?,00007FF6F8FC336E), ref: 00007FF6F8FC58FD
GetLastError.KERNEL32(?,00007FF6F8FC64BF,?,00007FF6F8FC336E), ref: 00007FF6F8FC590F
GetProcAddress.KERNEL32(?,00007FF6F8FC64BF,?,00007FF6F8FC336E), ref: 00007FF6F8FC592B
GetLastError.KERNEL32(?,00007FF6F8FC64BF,?,00007FF6F8FC336E), ref: 00007FF6F8FC593D
GetProcAddress.KERNEL32(?,00007FF6F8FC64BF,?,00007FF6F8FC336E), ref: 00007FF6F8FC5959
GetLastError.KERNEL32(?,00007FF6F8FC64BF,?,00007FF6F8FC336E), ref: 00007FF6F8FC596B
GetProcAddress.KERNEL32(?,00007FF6F8FC64BF,?,00007FF6F8FC336E), ref: 00007FF6F8FC5987
GetLastError.KERNEL32(?,00007FF6F8FC64BF,?,00007FF6F8FC336E), ref: 00007FF6F8FC5999
GetProcAddress.KERNEL32(?,00007FF6F8FC64BF,?,00007FF6F8FC336E), ref: 00007FF6F8FC59B5
GetLastError.KERNEL32(?,00007FF6F8FC64BF,?,00007FF6F8FC336E), ref: 00007FF6F8FC59C7

Strings

Py_PreInitialize, xrefs: 00007FF6F8FC594F, 00007FF6F8FC5971
PyEval_EvalCode, xrefs: 00007FF6F8FC5BA5, 00007FF6F8FC5BC7
PyImport_ImportModule, xrefs: 00007FF6F8FC5C2F, 00007FF6F8FC5C51
PyErr_Print, xrefs: 00007FF6F8FC5B49, 00007FF6F8FC5B6B
Py_DecodeLocale, xrefs: 00007FF6F8FC586F, 00007FF6F8FC5891
Py_InitializeFromConfig, xrefs: 00007FF6F8FC58F3, 00007FF6F8FC5915
PyUnicode_Decode, xrefs: 00007FF6F8FC5EE1, 00007FF6F8FC5F03
PyMarshal_ReadObjectFromString, xrefs: 00007FF6F8FC5C5D, 00007FF6F8FC5C7F
PyObject_SetAttrString, xrefs: 00007FF6F8FC5D71, 00007FF6F8FC5D93
PyObject_CallFunctionObjArgs, xrefs: 00007FF6F8FC5D15, 00007FF6F8FC5D37
Failed to get address for %hs, xrefs: 00007FF6F8FC5851
PyImport_AddModule, xrefs: 00007FF6F8FC5BD3, 00007FF6F8FC5BF5
PyStatus_Exception, xrefs: 00007FF6F8FC5E29, 00007FF6F8FC5E4B
PyErr_Clear, xrefs: 00007FF6F8FC5A91, 00007FF6F8FC5AB3
Py_DecRef, xrefs: 00007FF6F8FC5826, 00007FF6F8FC5848
PyUnicode_AsUTF8, xrefs: 00007FF6F8FC5EB3, 00007FF6F8FC5ED5
PyImport_ExecCodeModule, xrefs: 00007FF6F8FC5C01, 00007FF6F8FC5C23
PyModule_GetDict, xrefs: 00007FF6F8FC5CB9, 00007FF6F8FC5CDB
PyErr_Restore, xrefs: 00007FF6F8FC5B77, 00007FF6F8FC5B99
PyUnicode_DecodeFSDefault, xrefs: 00007FF6F8FC5F0F, 00007FF6F8FC5F31
PySys_GetObject, xrefs: 00007FF6F8FC5E57, 00007FF6F8FC5E79
PyConfig_SetString, xrefs: 00007FF6F8FC5A35, 00007FF6F8FC5A57
Py_IsInitialized, xrefs: 00007FF6F8FC5921, 00007FF6F8FC5943
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF6F8FC5DCD, 00007FF6F8FC5DEF
PyObject_Str, xrefs: 00007FF6F8FC5D9F, 00007FF6F8FC5DC1
PyConfig_SetWideStringList, xrefs: 00007FF6F8FC5A63, 00007FF6F8FC5A85
PyErr_Occurred, xrefs: 00007FF6F8FC5B1B, 00007FF6F8FC5B3D
PyErr_Fetch, xrefs: 00007FF6F8FC5ABF, 00007FF6F8FC5AE1
PyUnicode_Replace, xrefs: 00007FF6F8FC5FC7, 00007FF6F8FC5FE9
PyObject_GetAttrString, xrefs: 00007FF6F8FC5D43, 00007FF6F8FC5D65
PyObject_CallFunction, xrefs: 00007FF6F8FC5CE7, 00007FF6F8FC5D09
PyConfig_SetBytesString, xrefs: 00007FF6F8FC5A07, 00007FF6F8FC5A29
PyErr_NormalizeException, xrefs: 00007FF6F8FC5AED, 00007FF6F8FC5B0F
PyConfig_InitIsolatedConfig, xrefs: 00007FF6F8FC59AB, 00007FF6F8FC59CD
PyUnicode_FromString, xrefs: 00007FF6F8FC5F6B, 00007FF6F8FC5F8D
PyUnicode_FromFormat, xrefs: 00007FF6F8FC5F3D, 00007FF6F8FC5F5F
PyConfig_Clear, xrefs: 00007FF6F8FC597D, 00007FF6F8FC599F
GetProcAddress, xrefs: 00007FF6F8FC5858
PyRun_SimpleStringFlags, xrefs: 00007FF6F8FC5DFB, 00007FF6F8FC5E1D
PyUnicode_Join, xrefs: 00007FF6F8FC5F99, 00007FF6F8FC5FBB
PyConfig_Read, xrefs: 00007FF6F8FC59D9, 00007FF6F8FC59FB
Py_ExitStatusException, xrefs: 00007FF6F8FC589A, 00007FF6F8FC58BC
PySys_SetObject, xrefs: 00007FF6F8FC5E85, 00007FF6F8FC5EA7
Py_Finalize, xrefs: 00007FF6F8FC58C5, 00007FF6F8FC58E7
PyMem_RawFree, xrefs: 00007FF6F8FC5C8B, 00007FF6F8FC5CAD

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction ID: 2839923c100d93d51db0af3ae7e27babec139cc254b7b0e2366d3da423f9c187
Opcode Fuzzy Hash: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction Fuzzy Hash: C0228F3491FB4799FB559B75AC6017422A0BF097E1B9414B5D93EA32E1FF3CB248A308

Function 00007FF6F8FC81C0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6F8FC9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6F8FC45E4,00000000,00007FF6F8FC1985), ref: 00007FF6F8FC9439

ExpandEnvironmentStringsW.KERNEL32(?,00007FF6F8FC88A7,?,?,00000000,00007FF6F8FC3CBB), ref: 00007FF6F8FC821C

Part of subcall function 00007FF6F8FC2810: MessageBoxW.USER32 ref: 00007FF6F8FC28EA

Strings

LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF6F8FC8230
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF6F8FC81F3
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF6F8FC8363
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF6F8FC82C9
%.*s, xrefs: 00007FF6F8FC82FC
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF6F8FC828D
\, xrefs: 00007FF6F8FC8251
CreateDirectory, xrefs: 00007FF6F8FC836C

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
Instruction ID: 0a0680fe2af0631febaf8a6eaeaa741b9b9a6a22072283b43a4e9998d575944c
Opcode Fuzzy Hash: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
Instruction Fuzzy Hash: 5151C631B3B64289EB10AB35D8552BA6251EF957E0F440472D62EC36D6FF3CE304A318

Function 00007FF6F8FC2180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6F8FC21AB
SelectObject.GDI32 ref: 00007FF6F8FC21F2
DrawTextW.USER32 ref: 00007FF6F8FC2215
SelectObject.GDI32 ref: 00007FF6F8FC222B
ReleaseDC.USER32 ref: 00007FF6F8FC223B
MoveWindow.USER32 ref: 00007FF6F8FC228B
MoveWindow.USER32 ref: 00007FF6F8FC22CB
MoveWindow.USER32 ref: 00007FF6F8FC231E
MoveWindow.USER32 ref: 00007FF6F8FC2366

Strings

P%, xrefs: 00007FF6F8FC21FF

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: d3a532869f35a9fc1027a11281de787581ce46f089df358a84ab756fbf7ea3a8
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: 985117366047A186D7249F32E4181BAB7A1F798BA1F004121EBEE83794EF3CD145DB14

Function 00007FF6F8FC80B0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF6F8FC80EF
GetWindowLongPtrW.USER32 ref: 00007FF6F8FC816F
ShutdownBlockReasonCreate.USER32 ref: 00007FF6F8FC8182
GetLastError.KERNEL32 ref: 00007FF6F8FC818C
SetWindowLongPtrW.USER32 ref: 00007FF6F8FC81A3

Strings

Needs to remove its temporary files., xrefs: 00007FF6F8FC8175

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction ID: 939262db5b177b7ae8f3bed5257103ccc34cdb214619a5d7d9ba84de179a759a
Opcode Fuzzy Hash: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction Fuzzy Hash: 3E218631B2AA438AE7454B7AA8541796290EF89BF0F484171DA3DC37D5FE2CD7909309

Function 00007FF6F8FD6300 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FD6343
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FD6730
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FD69CC

Strings

-, xrefs: 00007FF6F8FD63D9
:, xrefs: 00007FF6F8FD64FC
f, xrefs: 00007FF6F8FD6465
p, xrefs: 00007FF6F8FD63F5
p, xrefs: 00007FF6F8FD646D

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: 3213a00004f2362a6eae9eb7c2a77de26c26a0b807dfa1c1298ee1e38b09f59b
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: 4E129673E0E1438AFB605A34D1542797693FB407A4F844175E7AA8B6C4FF3CE580AB89

Function 00007FF6F8FD1038 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FD1078
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FD1440
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FD16DF

Strings

p, xrefs: 00007FF6F8FD111D
f, xrefs: 00007FF6F8FD1110
f, xrefs: 00007FF6F8FD117A
f, xrefs: 00007FF6F8FD12C5
p, xrefs: 00007FF6F8FD1182

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 3b1d6e29c0ecb4e37dd093eddd98ac11c1661d28b41c5afbfb8776108275b7a9
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: 9C128533E0E14389FB20AA65D054679A263FB417A4F884075E7A9C79C4FF7CE4D0AB18

Function 00007FF6F8FC1050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6F8FC10CC
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6F8FC1098
fseek, xrefs: 00007FF6F8FC10D3
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6F8FC11F6
fread, xrefs: 00007FF6F8FC11FD
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6F8FC1108
malloc, xrefs: 00007FF6F8FC110F

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 53d1e4d2edf0062f7230160cf0d8e608199b832438cf6a3aedd647e8abf4d892
Instruction ID: ef2aae89ce2ae6569f53a3d5268038138851f9219d73e03bf66616052b828388
Opcode Fuzzy Hash: 53d1e4d2edf0062f7230160cf0d8e608199b832438cf6a3aedd647e8abf4d892
Instruction Fuzzy Hash: B241A132E0A65289EB00DB31A8005B96395FF45BE4F9444B1EE6C877D6FE3CE341A748

Function 00007FF6F8FC1470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6F8FC14DE
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6F8FC149F
fseek, xrefs: 00007FF6F8FC14E5
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6F8FC15DF
fread, xrefs: 00007FF6F8FC15E6
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6F8FC1518
malloc, xrefs: 00007FF6F8FC151F

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 9c0a33a636d22d269d029a952bcb6a186b4f055325f6749c3ab7856a71983fc4
Instruction ID: 91135368ac85a72a201f5b838733ac467a29f088091ea061453af8780feae2d5
Opcode Fuzzy Hash: 9c0a33a636d22d269d029a952bcb6a186b4f055325f6749c3ab7856a71983fc4
Instruction Fuzzy Hash: 21419F32A0A64289EB10DB3194001B96391EF457E4F844872EE6D97BD6FF3CE752A748

Function 00007FF6F8FCEA78 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF6F8FCEAD5

Part of subcall function 00007FF6F8FCFA2C: __GetUnwindTryBlock.LIBCMT ref: 00007FF6F8FCFA6F
Part of subcall function 00007FF6F8FCFA2C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF6F8FCFA94

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6F8FCEBAD
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF6F8FCEDFB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6F8FCEF08

Strings

csm, xrefs: 00007FF6F8FCEAEF
csm, xrefs: 00007FF6F8FCEBD0
csm, xrefs: 00007FF6F8FCEB56

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction ID: e52eb737f97348e0514fe5449b624122e5ca7df51ce286198ebecb7460d3504d
Opcode Fuzzy Hash: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction Fuzzy Hash: 11D16E72A097818AEB209B35D4403AD77A0FB467E8F100175EA5EA7BD6EF38E351D704

Function 00007FF6F8FC2C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6F8FC3706,?,00007FF6F8FC3804), ref: 00007FF6F8FC2C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6F8FC3706,?,00007FF6F8FC3804), ref: 00007FF6F8FC2D63
MessageBoxW.USER32 ref: 00007FF6F8FC2D99

Strings

Error, xrefs: 00007FF6F8FC2D8C
[PYI-%d:ERROR] , xrefs: 00007FF6F8FC2CA6
<FormatMessageW failed.>, xrefs: 00007FF6F8FC2D70
%ls: , xrefs: 00007FF6F8FC2D22

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction ID: 27d9f111168e44c07ad699636d844129969e1e976b4f507dfee850a47d5346be
Opcode Fuzzy Hash: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction Fuzzy Hash: 8331E533B09A4146E7209B35A8002AA6791BF89BE8F400136EF5DD3799FE3CD606D304

Function 00007FF6F8FCDD38 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF6F8FCDFEA,?,?,?,00007FF6F8FCDCDC,?,?,?,00007FF6F8FCD8D9), ref: 00007FF6F8FCDDBD
GetLastError.KERNEL32(?,?,?,00007FF6F8FCDFEA,?,?,?,00007FF6F8FCDCDC,?,?,?,00007FF6F8FCD8D9), ref: 00007FF6F8FCDDCB
LoadLibraryExW.KERNEL32(?,?,?,00007FF6F8FCDFEA,?,?,?,00007FF6F8FCDCDC,?,?,?,00007FF6F8FCD8D9), ref: 00007FF6F8FCDDF5
FreeLibrary.KERNEL32(?,?,?,00007FF6F8FCDFEA,?,?,?,00007FF6F8FCDCDC,?,?,?,00007FF6F8FCD8D9), ref: 00007FF6F8FCDE63
GetProcAddress.KERNEL32(?,?,?,00007FF6F8FCDFEA,?,?,?,00007FF6F8FCDCDC,?,?,?,00007FF6F8FCD8D9), ref: 00007FF6F8FCDE6F

Strings

api-ms-, xrefs: 00007FF6F8FCDDDD

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction ID: 0625260f9fa965aeddc834177eb2ee98137bcfbead27f981c7857cf280a2b435
Opcode Fuzzy Hash: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction Fuzzy Hash: 5A318D31B1B60289EF12AB22A8005692394BF59BF0F494575DE3D973C6FF3CE645A318

Function 00007FF6F8FC6350 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

LoadLibrary, xrefs: 00007FF6F8FC649E
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF6F8FC6446
ucrtbase.dll, xrefs: 00007FF6F8FC63CD
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF6F8FC63B7
Failed to load Python DLL '%ls'., xrefs: 00007FF6F8FC6497
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF6F8FC63F7

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
Instruction ID: 782b79d011d6400a48db856800e551c3b91e2d2719bb6b09c579ac48dcdfc214
Opcode Fuzzy Hash: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
Instruction Fuzzy Hash: 97414C31A1AA8699EB21DB30E4542E96321FB553E4F800172EA6D836D6FF3CE715D344

Function 00007FF6F8FC2A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF6F8FC351A,?,00000000,00007FF6F8FC3F23), ref: 00007FF6F8FC2AA0

Strings

Warning [ANSI Fallback], xrefs: 00007FF6F8FC2B0F
WARNING, xrefs: 00007FF6F8FC2AAF
[PYI-%d:%s] , xrefs: 00007FF6F8FC2AA8
Warning, xrefs: 00007FF6F8FC2B1E
0, xrefs: 00007FF6F8FC2B16

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction ID: 0a16deca5b66d52f32dd657097456bd85337bf7e49c7b6acb064cf8145156a9a
Opcode Fuzzy Hash: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction Fuzzy Hash: FF21A132A1A7818AE720DB61B8807E66394FB883D4F400172FE9CD3799EF3CD2499704

Function 00007FF6F8FDB1C0 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6F8FDB1CF
FlsGetValue.KERNEL32 ref: 00007FF6F8FDB1E4
FlsSetValue.KERNEL32 ref: 00007FF6F8FDB205
FlsSetValue.KERNEL32 ref: 00007FF6F8FDB232
FlsSetValue.KERNEL32 ref: 00007FF6F8FDB243
FlsSetValue.KERNEL32 ref: 00007FF6F8FDB254
SetLastError.KERNEL32 ref: 00007FF6F8FDB26F

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 95e941e89c228e9c604249a81e4247bf93b8921c3316e711f137cef7aac77c3c
Instruction ID: 43464952b94671e58fd755fa5f3fc80385bd0db7ae31e8070c03678b378a3b69
Opcode Fuzzy Hash: 95e941e89c228e9c604249a81e4247bf93b8921c3316e711f137cef7aac77c3c
Instruction Fuzzy Hash: 77215C32E0E2068AF7656B72565513D51439F447F0F8447B4EA3EC7AD6FE2CA401A308

Function 00007FF6F8FE7DDC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6F8FE7E0D
GetLastError.KERNEL32 ref: 00007FF6F8FE7E19
CloseHandle.KERNEL32 ref: 00007FF6F8FE7E31
CreateFileW.KERNEL32 ref: 00007FF6F8FE7E5C
WriteConsoleW.KERNEL32 ref: 00007FF6F8FE7E7B

Strings

CONOUT$, xrefs: 00007FF6F8FE7E3D

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction ID: 0688a89cb4248425465bac9d5e02a1bd9669e514f77c3768c64e7365bd7bae3e
Opcode Fuzzy Hash: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction Fuzzy Hash: 2B119331B19A418AE7518B62F85432962A0FB98BF4F440374EA6DD77E4EF3CD804C748

Function 00007FF6F8FC8560 Relevance: 9.1, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF6F8FC9216), ref: 00007FF6F8FC8592
K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF6F8FC9216), ref: 00007FF6F8FC85E9

Part of subcall function 00007FF6F8FC9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6F8FC45E4,00000000,00007FF6F8FC1985), ref: 00007FF6F8FC9439

K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF6F8FC9216), ref: 00007FF6F8FC8678
K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF6F8FC9216), ref: 00007FF6F8FC86E4
FreeLibrary.KERNEL32(?,?,00000000,00007FF6F8FC9216), ref: 00007FF6F8FC86F5
FreeLibrary.KERNEL32(?,?,00000000,00007FF6F8FC9216), ref: 00007FF6F8FC870A

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
Instruction ID: 79080dbf39dbc966f2599f191691f0844786fb9f2205d050f1160a99c21f3aab
Opcode Fuzzy Hash: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
Instruction Fuzzy Hash: 8741A332B2A68249E7209B21A4406AA6394FF85BE4F440075DF6DD77CAFE3CD701D708

Function 00007FF6F8FDB338 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF6F8FD4F81,?,?,?,?,00007FF6F8FDA4FA,?,?,?,?,00007FF6F8FD71FF), ref: 00007FF6F8FDB347
FlsSetValue.KERNEL32(?,?,?,00007FF6F8FD4F81,?,?,?,?,00007FF6F8FDA4FA,?,?,?,?,00007FF6F8FD71FF), ref: 00007FF6F8FDB37D
FlsSetValue.KERNEL32(?,?,?,00007FF6F8FD4F81,?,?,?,?,00007FF6F8FDA4FA,?,?,?,?,00007FF6F8FD71FF), ref: 00007FF6F8FDB3AA
FlsSetValue.KERNEL32(?,?,?,00007FF6F8FD4F81,?,?,?,?,00007FF6F8FDA4FA,?,?,?,?,00007FF6F8FD71FF), ref: 00007FF6F8FDB3BB
FlsSetValue.KERNEL32(?,?,?,00007FF6F8FD4F81,?,?,?,?,00007FF6F8FDA4FA,?,?,?,?,00007FF6F8FD71FF), ref: 00007FF6F8FDB3CC
SetLastError.KERNEL32(?,?,?,00007FF6F8FD4F81,?,?,?,?,00007FF6F8FDA4FA,?,?,?,?,00007FF6F8FD71FF), ref: 00007FF6F8FDB3E7

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 6d8f3e74ebbb6b3e9df47af100808aa7e96d944c008937dd2b032c21f4d9a902
Instruction ID: bcab04d4469123d0f5c987ffa876864c6b2d648ac1e5d2f3ee3890c17fd8348d
Opcode Fuzzy Hash: 6d8f3e74ebbb6b3e9df47af100808aa7e96d944c008937dd2b032c21f4d9a902
Instruction Fuzzy Hash: AD114F32A0E6428AF7545B31565513D61439F447F0F9447B4EA3EC77D6FE2CA401B309

Function 00007FF6F8FC2910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF6F8FC1B6A), ref: 00007FF6F8FC295E

Strings

%s: %s, xrefs: 00007FF6F8FC29E8
Error [ANSI Fallback], xrefs: 00007FF6F8FC29FF
Error, xrefs: 00007FF6F8FC2A0E
[PYI-%d:ERROR] , xrefs: 00007FF6F8FC2966

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction ID: 41a62770f2343ee2fab64159cf4fff3e3d426efdebdb940fbb4aae5ff482113f
Opcode Fuzzy Hash: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction Fuzzy Hash: 1031E433B1A6815AE7209771A8402E66295BF897E4F400132FE9DD37DAFF3CD64A9304

Function 00007FF6F8FC2390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6F8FC23C8
DialogBoxIndirectParamW.USER32 ref: 00007FF6F8FC248E
DeleteObject.GDI32 ref: 00007FF6F8FC24C1
DestroyIcon.USER32 ref: 00007FF6F8FC24D3

Strings

Unhandled exception in script, xrefs: 00007FF6F8FC23F8

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
Instruction ID: 6a54537275556088d160171c82d4cac8b85a8c2b5722006ec349e286085a14d3
Opcode Fuzzy Hash: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
Instruction Fuzzy Hash: 48315F3260A6828DEB20DF31E8552F96361FF897D4F440175EA5D8BB9AEF3CD2059704

Function 00007FF6F8FC2B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF6F8FC918F,?,00007FF6F8FC3C55), ref: 00007FF6F8FC2BA0
MessageBoxW.USER32 ref: 00007FF6F8FC2C2A

Strings

[PYI-%d:%ls] , xrefs: 00007FF6F8FC2BA8
Warning, xrefs: 00007FF6F8FC2C1D
WARNING, xrefs: 00007FF6F8FC2BAF

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction ID: 2fdf9d952f11bbeb2c87154ba9855e54e9b7cd9bfb30fbcc7a6fece1c81f1988
Opcode Fuzzy Hash: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction Fuzzy Hash: F021BF32709B4186E7219B24B8407AA63A4EB887D4F400132EA8D97796EE3CD215D704

Function 00007FF6F8FC2710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF6F8FC1B99), ref: 00007FF6F8FC2760

Strings

Error [ANSI Fallback], xrefs: 00007FF6F8FC27CF
[PYI-%d:%s] , xrefs: 00007FF6F8FC2768
Error, xrefs: 00007FF6F8FC27DE
ERROR, xrefs: 00007FF6F8FC276F

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction ID: 0c65790412223f43e5fbaf767f8c593027f83f7588817b2579ac89079b7b8773
Opcode Fuzzy Hash: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction Fuzzy Hash: 2B21A332A1A78186E720DB61B8807E66394FB883D4F400171FE9CD3799EF3CD2559704

Function 00007FF6F8FD9AF8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6F8FD9B1D
GetProcAddress.KERNEL32 ref: 00007FF6F8FD9B33
FreeLibrary.KERNEL32 ref: 00007FF6F8FD9B5A

Strings

mscoree.dll, xrefs: 00007FF6F8FD9B14
CorExitProcess, xrefs: 00007FF6F8FD9B2C

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction ID: bc0b1c3cec218d7142f798507101078a4c050b52984628e5117a98ced27e01a6
Opcode Fuzzy Hash: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction Fuzzy Hash: 46F04F31B0A60685EB118B74E4593796360AF457F1F9402B5CA7EC76E4EF2CE148E308

Function 00007FF6F8FE93D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF6F8FE9400
_set_statfp.LIBCMT ref: 00007FF6F8FE941B
_set_statfp.LIBCMT ref: 00007FF6F8FE9437
_set_statfp.LIBCMT ref: 00007FF6F8FE9473

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 0d1ffdbf451907a1e6c848d494fe6c87f829ca6a2d069e437cb7a2401328aa42
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: DB11C1B2F2EA1309F7541134D45E37920446F583F0F0486B4EA7E87ADBEE2CA951632C

Function 00007FF6F8FDB400 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF6F8FDA613,?,?,00000000,00007FF6F8FDA8AE,?,?,?,?,?,00007FF6F8FDA83A), ref: 00007FF6F8FDB41F
FlsSetValue.KERNEL32(?,?,?,00007FF6F8FDA613,?,?,00000000,00007FF6F8FDA8AE,?,?,?,?,?,00007FF6F8FDA83A), ref: 00007FF6F8FDB43E
FlsSetValue.KERNEL32(?,?,?,00007FF6F8FDA613,?,?,00000000,00007FF6F8FDA8AE,?,?,?,?,?,00007FF6F8FDA83A), ref: 00007FF6F8FDB466
FlsSetValue.KERNEL32(?,?,?,00007FF6F8FDA613,?,?,00000000,00007FF6F8FDA8AE,?,?,?,?,?,00007FF6F8FDA83A), ref: 00007FF6F8FDB477
FlsSetValue.KERNEL32(?,?,?,00007FF6F8FDA613,?,?,00000000,00007FF6F8FDA8AE,?,?,?,?,?,00007FF6F8FDA83A), ref: 00007FF6F8FDB488

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 3cf0457813ef902b4d16e29671bd05b92734aec0d3ae5f0b4a86182189680110
Instruction ID: 2287cbe5c270606af21996a8f31e829b33f81638ae6a97d845a9e7f345277490
Opcode Fuzzy Hash: 3cf0457813ef902b4d16e29671bd05b92734aec0d3ae5f0b4a86182189680110
Instruction Fuzzy Hash: 86117F32A0F60249FB58AB32595117961439F857F0F9883B4EA3EC76D7FE2CE411A309

Function 00007FF6F8FDB294 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF6F8FDB2A5
FlsSetValue.KERNEL32 ref: 00007FF6F8FDB2C4
FlsSetValue.KERNEL32 ref: 00007FF6F8FDB2EC
FlsSetValue.KERNEL32 ref: 00007FF6F8FDB2FD
FlsSetValue.KERNEL32 ref: 00007FF6F8FDB30E

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 58ce09dd5263def6ec13d4cefdd98fc26a3f0444d111e578bd11d526dfe727f7
Instruction ID: e0674b0438cd032f8d8ee9de05014654bc42030cdeeff1e350873a9a72123d04
Opcode Fuzzy Hash: 58ce09dd5263def6ec13d4cefdd98fc26a3f0444d111e578bd11d526dfe727f7
Instruction Fuzzy Hash: 9E110A33A0B2068DFB686632485667911434F553F0F8447B4DA3ECB6C2FD2CB401B319

Function 00007FF6F8FD6010 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FD604C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FD6176
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FD622C

Strings

verbose, xrefs: 00007FF6F8FD6020

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: d2544c48e40b623fce19f28fdbf6c39a22d397cbde8998cd768fafa83e78c838
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: 2D91EF33E0AA4689FB218E74D45037D3392AB04BE4F444176DBA9833C5EF3CE409A398

Function 00007FF6F8FDFC38 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FDFF17

Part of subcall function 00007FF6F8FD7AAC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FD7AC9

Strings

ccs, xrefs: 00007FF6F8FDFE52
UTF-8, xrefs: 00007FF6F8FDFE96
UTF-16LEUNICODE, xrefs: 00007FF6F8FDFEB5

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction ID: f2e1532bcf665b50175e45d034828ffead6cbe30c0b4d14eaf2d8fadb3b24dbe
Opcode Fuzzy Hash: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction Fuzzy Hash: 0481A033D0A2428EF7644E358110A7836A2EF117F8F5581B5DB29C72D9FF2DE901B249

Function 00007FF6F8FCD6B8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6F8FCD6E3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF6F8FCD77A
RtlUnwindEx.KERNEL32 ref: 00007FF6F8FCD7D4

Strings

csm, xrefs: 00007FF6F8FCD761

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction ID: e38c692e7f5fec0f0df669d2eb9d86f6bfa4a80c087f8b8fa234b8276a4070b8
Opcode Fuzzy Hash: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction Fuzzy Hash: 9251B132B1A6028EDB14AB26D404A3C3791EB45BE8F204171DA6E837C6FF7DEA41D704

Function 00007FF6F8FCF2F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6F8FCF320
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF6F8FCF408

Strings

csm, xrefs: 00007FF6F8FCF45A
csm, xrefs: 00007FF6F8FCF342

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction ID: 96df211bd7e9b2c1cb49423063961cdb6f48e53a7da95b359e11a261c03079dd
Opcode Fuzzy Hash: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction Fuzzy Hash: 4651C0729092828EEB648E31D044368B6A0EB56BF4F144175DA6DC37D6EF7CE760D708

Function 00007FF6F8FCEF48 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6F8FCEFA7
_CallSETranslator.LIBVCRUNTIME ref: 00007FF6F8FCEFF3

Strings

RCC, xrefs: 00007FF6F8FCEFC3
MOC, xrefs: 00007FF6F8FCEFBB

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction ID: a32b8235480bca8b18fed944813f1bc66f2e875dac4f0acc57ac0daaeb25dd59
Opcode Fuzzy Hash: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction Fuzzy Hash: 3D61C532909BC585D7608B25E4403AAB7A0FB85BE4F044275EBAD57B96EF7CD390CB04

Function 00007FF6F8FC2810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF6F8FC28EA

Strings

[PYI-%d:%ls] , xrefs: 00007FF6F8FC2868
Error, xrefs: 00007FF6F8FC28DD
ERROR, xrefs: 00007FF6F8FC286F

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction ID: fd34865ccc4e96d1cbc8cc089b0745a5e5bb70b0c320feb84ac0ad54ed61f2a3
Opcode Fuzzy Hash: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction Fuzzy Hash: AE21BF72B0AB4186E7219B24B8407AA63A0EB887D4F400132EE8D93796EE3CD259D704

Function 00007FF6F8FDC610 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF6F8FDC68F
WriteFile.KERNEL32 ref: 00007FF6F8FDC957
WriteFile.KERNEL32 ref: 00007FF6F8FDC99D
GetLastError.KERNEL32 ref: 00007FF6F8FDCA53

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction ID: 72f8f0c9307196707e4c008e444fb4bd89f0cd03714720d84c323caa609966fc
Opcode Fuzzy Hash: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction Fuzzy Hash: B8D1EF72B1AA818EE711CF75D4402AC37A2FB457E8B448266DF6D97BC9EE38D006D344

Function 00007FF6F8FC20C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF6F8FC20F4
SetWindowLongPtrW.USER32 ref: 00007FF6F8FC2116
GetWindowLongPtrW.USER32 ref: 00007FF6F8FC2140
InvalidateRect.USER32 ref: 00007FF6F8FC2160

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: d5510509f15800fef93886e1727109eb0e1698110381bf2ffb7c754eac7e4016
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: 34112931E0D14286F7458B7AE5442B91291EF857E0F844071DB69C3BCAED3DD7D0A208

Function 00007FF6F8FE5B8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6F8FE17D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FE1803

_get_daylight.LIBCMT ref: 00007FF6F8FE5CA4
_get_daylight.LIBCMT ref: 00007FF6F8FE5CB5

Strings

?, xrefs: 00007FF6F8FE5C35

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
Instruction ID: 15827894b1ea18be5239ef27084320fc7d05ab5afffc435a0e9c7cd78b87e503
Opcode Fuzzy Hash: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
Instruction Fuzzy Hash: D9412732A0A6824AFB209B35986137A6691EB84BF4F144275EF6C87AD5FF3CD441D704

Function 00007FF6F8FD9084 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FD90B6

Part of subcall function 00007FF6F8FDA9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF6F8FE2D92,?,?,?,00007FF6F8FE2DCF,?,?,00000000,00007FF6F8FE3295,?,?,?,00007FF6F8FE31C7), ref: 00007FF6F8FDA9CE
Part of subcall function 00007FF6F8FDA9B8: GetLastError.KERNEL32(?,?,?,00007FF6F8FE2D92,?,?,?,00007FF6F8FE2DCF,?,?,00000000,00007FF6F8FE3295,?,?,?,00007FF6F8FE31C7), ref: 00007FF6F8FDA9D8

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6F8FCCC15), ref: 00007FF6F8FD90D4

Strings

C:\Users\user\Desktop\dipwo1iToJ.exe, xrefs: 00007FF6F8FD90C2

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\dipwo1iToJ.exe
API String ID: 3580290477-3430833846
Opcode ID: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
Instruction ID: 72fa5256b6f2b5a8f9787c85d27d651160e60dd8f2ed78ab12e5d1353a9fa9a5
Opcode Fuzzy Hash: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
Instruction Fuzzy Hash: FE41C033B0AB128AEB14DF75A8850BC27E6EF447E0B555075EA5E83BD5EE3CE4819304

Function 00007FF6F8FDCCA8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF6F8FDCDBF
GetLastError.KERNEL32 ref: 00007FF6F8FDCDE1

Strings

U, xrefs: 00007FF6F8FDCD6B

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction ID: 48fac81d15e44e86d21f11144b192d9ad0b39d90502aab037cf700a9b9876c14
Opcode Fuzzy Hash: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction Fuzzy Hash: F541A233B19A4189DB208F25E8443A96761FB987E4F804031EE5DC7798EF3CD502D744

Function 00007FF6F8FDF628 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF6F8FDF668
GetCurrentDirectoryW.KERNEL32 ref: 00007FF6F8FDF6BA

Strings

:, xrefs: 00007FF6F8FDF67E

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 3c906c99ff6b46cc0de181ba7a1caf37579b2c2fe8814107475e6c290f9e88a5
Instruction ID: 19cd1f9d902066c444432efdff09eab3f2060ccd7f7c1c505b4ae22b8dddc4c4
Opcode Fuzzy Hash: 3c906c99ff6b46cc0de181ba7a1caf37579b2c2fe8814107475e6c290f9e88a5
Instruction Fuzzy Hash: 1C21F533A092818AEB208B31D04426D63B2FB84BE4F958075D7AD83AD4FF7CE945D744

Function 00007FF6F8FCFDB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF6F8FCFE08
RaiseException.KERNEL32 ref: 00007FF6F8FCFE49

Strings

csm, xrefs: 00007FF6F8FCFE36

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction ID: 105e95cd6dffc5be0e0ff72d7fe01e896b9adeada32da73cae847c7c3a5ae852
Opcode Fuzzy Hash: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction Fuzzy Hash: FC116032609B8182EB218F25F440259B7E0FB88BA4F584270DF9D47795EF7CC651CB04

Function 00007FF6F8FE07AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6F8FE07DC
GetDriveTypeW.KERNEL32 ref: 00007FF6F8FE081C

Strings

:, xrefs: 00007FF6F8FE0805

Memory Dump Source

Source File: 00000000.00000002.1809060909.00007FF6F8FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6F8FC0000, based on PE: true

Associated: 00000000.00000002.1809003889.00007FF6F8FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809090760.00007FF6F8FEB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F8FFE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809148599.00007FF6F9002000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1809223271.00007FF6F9004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6f8fc0000_dipwo1iToJ.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction ID: 192ce1f34f800994b92a4ed85f54dbaa3021da9638e98fe32a85f3f166ed694e
Opcode Fuzzy Hash: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction Fuzzy Hash: BB01713291A20389FB209B70946627E23A0FF947A4F800479D66DC76D1FE2CE505AB1C

Analysis Process: dipwo1iToJ.exePID: 792, Parent PID: 6864COMMON

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.3%
Total number of Nodes:	613
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFDFAAC0180 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32 ref: 00007FFDFAAC01A5

Memory Dump Source

Source File: 00000001.00000002.1790722712.00007FFDFAAB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 00007FFDFAAB0000, based on PE: true

Associated: 00000001.00000002.1790701930.00007FFDFAAB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1791797724.00007FFDFABDE000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1792020766.00007FFDFAC0B000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1792149222.00007FFDFAC10000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaab0000_dipwo1iToJ.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: b0054afb10e4f66619171edf603becae74e7afe6d3d72f3cb96377bce576b712
Instruction ID: b8259677ddcfeb011da559cefd05078b0364df0551de8710204ed560035a049a
Opcode Fuzzy Hash: b0054afb10e4f66619171edf603becae74e7afe6d3d72f3cb96377bce576b712
Instruction Fuzzy Hash: 30A11A28B0EB1785FF5D8B45E470B3932A0BF44B44F1945B5C96E877E8DF2CE5AA8240

Non-executed Functions

Function 00007FFDFA9918A0 Relevance: 13.9, APIs: 9, Instructions: 426
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyMem_Malloc.PYTHON312 ref: 00007FFDFA991903
PyType_IsSubtype.PYTHON312 ref: 00007FFDFA9919F6
PyType_IsSubtype.PYTHON312 ref: 00007FFDFA991A53
PyUnicode_FromKindAndData.PYTHON312 ref: 00007FFDFA991B24
PyMem_Free.PYTHON312 ref: 00007FFDFA991B32
PyMem_Realloc.PYTHON312 ref: 00007FFDFA991C1B
PyMem_Free.PYTHON312 ref: 00007FFDFA993A2D
PyErr_NoMemory.PYTHON312 ref: 00007FFDFA993A33

Memory Dump Source

Source File: 00000001.00000002.1790239989.00007FFDFA991000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFA990000, based on PE: true

Associated: 00000001.00000002.1790215466.00007FFDFA990000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA995000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA9F2000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA3E000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA42000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA47000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA9F000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790619887.00007FFDFAAA2000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790657853.00007FFDFAAA4000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfa990000_dipwo1iToJ.jbxd

Similarity

API ID: Mem_$FreeSubtypeType_$DataErr_FromKindMallocMemoryReallocUnicode_
String ID:
API String ID: 3719493655-0
Opcode ID: 13b0b1041cca574ca06701db0d45e779ed743a60764eb712a04665505c58f9af
Instruction ID: 2f4357c40de8021982fb4c77d7aea91d0c6d702aa51da5456bf0cdb138713df5
Opcode Fuzzy Hash: 13b0b1041cca574ca06701db0d45e779ed743a60764eb712a04665505c58f9af
Instruction Fuzzy Hash: 4E02C472B0C542A2E76C8F15D464A7A36A5FF4D788FA84179D66EC67D8EF2CE844C300

Function 00007FFDFA993068 Relevance: 13.6, APIs: 9, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFDFA993084
memset.VCRUNTIME140 ref: 00007FFDFA9930A8
RtlCaptureContext.KERNEL32 ref: 00007FFDFA9930B1
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFDFA9930CB
RtlVirtualUnwind.KERNEL32 ref: 00007FFDFA99310C
memset.VCRUNTIME140 ref: 00007FFDFA99313F
IsDebuggerPresent.KERNEL32 ref: 00007FFDFA993160
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFDFA993181
UnhandledExceptionFilter.KERNEL32 ref: 00007FFDFA99318C

Memory Dump Source

Source File: 00000001.00000002.1790239989.00007FFDFA991000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFA990000, based on PE: true

Associated: 00000001.00000002.1790215466.00007FFDFA990000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA995000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA9F2000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA3E000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA42000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA47000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA9F000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790619887.00007FFDFAAA2000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790657853.00007FFDFAAA4000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfa990000_dipwo1iToJ.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 14da1239b2aff37f2225a2b2eb9612ff8327347efab586c9ed8106aec9f5eecf
Instruction ID: 2dfe41a001f4cc5c3193b8a9da1860b798d5b1370c4c9c27643e745cbcfd4971
Opcode Fuzzy Hash: 14da1239b2aff37f2225a2b2eb9612ff8327347efab586c9ed8106aec9f5eecf
Instruction Fuzzy Hash: 55315D72709B8196EB648F60E8607EE7364FB88748F84443ADA5E87A98DF3CD548C710

Function 00007FFDFAB29A70 Relevance: 12.4, APIs: 1, Strings: 7, Instructions: 398
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.VCRUNTIME140 ref: 00007FFDFAB2A018

Strings

unopened, xrefs: 00007FFDFAB29ABD
invalid, xrefs: 00007FFDFAB29AB2
API call with %s database connection pointer, xrefs: 00007FFDFAB29AC4
NULL, xrefs: 00007FFDFAB29A9D
%s at line %d of [%.10s], xrefs: 00007FFDFAB29AEE
831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0, xrefs: 00007FFDFAB29AD5
misuse, xrefs: 00007FFDFAB29AE2

Memory Dump Source

Source File: 00000001.00000002.1790722712.00007FFDFAAB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 00007FFDFAAB0000, based on PE: true

Associated: 00000001.00000002.1790701930.00007FFDFAAB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1791797724.00007FFDFABDE000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1792020766.00007FFDFAC0B000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1792149222.00007FFDFAC10000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaab0000_dipwo1iToJ.jbxd

Similarity

API ID: memcpy
String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$API call with %s database connection pointer$NULL$invalid$misuse$unopened
API String ID: 3510742995-863375387
Opcode ID: ebcfd4d320c8a855c25bad2e79043b46f1baa289721c4d7e74e567b371a0d908
Instruction ID: 00f79db9ea3454904e6b6b86bc01703f5340b93b09724bc0b016f2391332a708
Opcode Fuzzy Hash: ebcfd4d320c8a855c25bad2e79043b46f1baa289721c4d7e74e567b371a0d908
Instruction Fuzzy Hash: 2402A129B08A8385FB5A9B119470BBA67D0BF84B84F9441B6DE7E076DDDF3DE4458300

Function 00007FFDFA9912F0 Relevance: 10.8, APIs: 7, Instructions: 347
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFDFA9918A0: PyMem_Malloc.PYTHON312 ref: 00007FFDFA991903
Part of subcall function 00007FFDFA9918A0: PyType_IsSubtype.PYTHON312 ref: 00007FFDFA9919F6
Part of subcall function 00007FFDFA9918A0: PyType_IsSubtype.PYTHON312 ref: 00007FFDFA991A53

PyMem_Malloc.PYTHON312 ref: 00007FFDFA991377
PyMem_Free.PYTHON312 ref: 00007FFDFA991487
PyErr_NoMemory.PYTHON312 ref: 00007FFDFA9938AD
_Py_Dealloc.PYTHON312 ref: 00007FFDFA9938C4

Memory Dump Source

Source File: 00000001.00000002.1790239989.00007FFDFA991000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFA990000, based on PE: true

Associated: 00000001.00000002.1790215466.00007FFDFA990000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA995000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA9F2000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA3E000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA42000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA47000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA9F000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790619887.00007FFDFAAA2000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790657853.00007FFDFAAA4000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfa990000_dipwo1iToJ.jbxd

Similarity

API ID: Mem_$MallocSubtypeType_$DeallocErr_FreeMemory
String ID:
API String ID: 4139299733-0
Opcode ID: 4c1ab3a9ee10578f50e5ddcb80cbb1500edbf8f85856d8ea69ee8be7dac4cd66
Instruction ID: fcbf6a4374e7575978f99a24e47b5b06cc555c59cd20e26e669dca6715e7d078
Opcode Fuzzy Hash: 4c1ab3a9ee10578f50e5ddcb80cbb1500edbf8f85856d8ea69ee8be7dac4cd66
Instruction Fuzzy Hash: 2AE1E276F1C552A1EB6C8F159064E7A23A5FF48788FA401B9DA6FC66D8DF2DE841C300

Function 00007FFDFAAB6948 Relevance: 9.4, APIs: 2, Strings: 4, Instructions: 441COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00007FFDFAAB6AE7
VUUU, xrefs: 00007FFDFAAB6C09
0123456789ABCDEF0123456789abcdef, xrefs: 00007FFDFAAB6B9C
-x0, xrefs: 00007FFDFAAB6C7F

Memory Dump Source

Source File: 00000001.00000002.1790722712.00007FFDFAAB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 00007FFDFAAB0000, based on PE: true

Associated: 00000001.00000002.1790701930.00007FFDFAAB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1791797724.00007FFDFABDE000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1792020766.00007FFDFAC0B000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1792149222.00007FFDFAC10000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaab0000_dipwo1iToJ.jbxd

Similarity

API ID:
String ID: -x0$0123456789ABCDEF0123456789abcdef$VUUU$VUUU
API String ID: 0-2031831958
Opcode ID: 3d34d0e7b00230b3be4a4963189f5afe2a8e6f33793eb41f9f926aece0841a0b
Instruction ID: bb936027e455119ccfe1399d621340f0f3a1908a357bce59ebe735d198a67243
Opcode Fuzzy Hash: 3d34d0e7b00230b3be4a4963189f5afe2a8e6f33793eb41f9f926aece0841a0b
Instruction Fuzzy Hash: 3602062270C6C685DB69CB299060ABA7BA0FF497C4F0451B6DA9E437D9DF3DE44AC700

Function 00007FFDFA994804 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyUnicode_CompareWithASCIIString.PYTHON312 ref: 00007FFDFA994849
PyUnicode_Compare.PYTHON312 ref: 00007FFDFA9948AC
_Py_Dealloc.PYTHON312 ref: 00007FFDFA9948C2

Strings

invalid normalization form, xrefs: 00007FFDFA994926
NFD, xrefs: 00007FFDFA9948EC
NFKC, xrefs: 00007FFDFA9948CC
NFC, xrefs: 00007FFDFA994835
NFKD, xrefs: 00007FFDFA994904

Memory Dump Source

Source File: 00000001.00000002.1790239989.00007FFDFA991000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFA990000, based on PE: true

Associated: 00000001.00000002.1790215466.00007FFDFA990000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA995000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA9F2000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA3E000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA42000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA47000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA9F000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790619887.00007FFDFAAA2000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790657853.00007FFDFAAA4000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfa990000_dipwo1iToJ.jbxd

Similarity

API ID: CompareUnicode_$DeallocStringWith
String ID: NFC$NFD$NFKC$NFKD$invalid normalization form
API String ID: 1004266020-3528878251
Opcode ID: cf64f6b9ab75cd253386f0f7453e80a2405618faa649494653d4230b278f9e28
Instruction ID: e9e541dd42809b4ca0b6a3d789bff9ed439ccdf8a2b29af5a90d395f2ff71b32
Opcode Fuzzy Hash: cf64f6b9ab75cd253386f0f7453e80a2405618faa649494653d4230b278f9e28
Instruction Fuzzy Hash: 45412621B08643A5EB699B11A4B0A396365AF8DB8DFD44075CD6EC77DCDF2DE408D310

Function 00007FFDFA9924D0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyModule_AddStringConstant.PYTHON312 ref: 00007FFDFA9924F0
PyType_FromSpec.PYTHON312 ref: 00007FFDFA992505
PyModule_AddType.PYTHON312 ref: 00007FFDFA99251D
_Py_Dealloc.PYTHON312 ref: 00007FFDFA993E86

Part of subcall function 00007FFDFA9925C0: _PyObject_GC_New.PYTHON312(?,?,00000000,00007FFDFA992533), ref: 00007FFDFA9925C6
Part of subcall function 00007FFDFA9925C0: PyObject_GC_Track.PYTHON312(?,?,00000000,00007FFDFA992533), ref: 00007FFDFA9925F8

PyModule_AddObject.PYTHON312 ref: 00007FFDFA992557
PyModule_AddObjectRef.PYTHON312 ref: 00007FFDFA99257F
_Py_Dealloc.PYTHON312 ref: 00007FFDFA993E95

Strings

_ucnhash_CAPI, xrefs: 00007FFDFA992575
ucd_3_2_0, xrefs: 00007FFDFA99254D
15.0.0, xrefs: 00007FFDFA9924DF
unidata_version, xrefs: 00007FFDFA9924E9

Memory Dump Source

Source File: 00000001.00000002.1790239989.00007FFDFA991000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFA990000, based on PE: true

Associated: 00000001.00000002.1790215466.00007FFDFA990000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA995000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA9F2000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA3E000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA42000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA47000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA9F000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790619887.00007FFDFAAA2000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790657853.00007FFDFAAA4000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfa990000_dipwo1iToJ.jbxd

Similarity

API ID: Module_$DeallocObjectObject_$ConstantFromSpecStringTrackTypeType_
String ID: 15.0.0$_ucnhash_CAPI$ucd_3_2_0$unidata_version
API String ID: 2663085338-4141011787
Opcode ID: 6b398be3fd63e60b8eeee9a963b5b24ee277b0b0407f88d061c760d12a720801
Instruction ID: beba213a08e2cfadecc3d23717887f62fb0c312ff9d59f8b4b398d56c976d53c
Opcode Fuzzy Hash: 6b398be3fd63e60b8eeee9a963b5b24ee277b0b0407f88d061c760d12a720801
Instruction Fuzzy Hash: 30316325B0D603A6FB1D5F219875A792299AF4DB88FC440B4D92EC6AEDDF2DE4088301

Function 00007FFDFA9911B0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyUnicode_CompareWithASCIIString.PYTHON312 ref: 00007FFDFA9911E2
PyUnicode_CompareWithASCIIString.PYTHON312 ref: 00007FFDFA9911FA
PyType_IsSubtype.PYTHON312 ref: 00007FFDFA99121D

Part of subcall function 00007FFDFA9912F0: PyMem_Malloc.PYTHON312 ref: 00007FFDFA991377
Part of subcall function 00007FFDFA9912F0: PyMem_Free.PYTHON312 ref: 00007FFDFA991487

PyUnicode_CompareWithASCIIString.PYTHON312 ref: 00007FFDFA99369B

Strings

invalid normalization form, xrefs: 00007FFDFA993733
NFD, xrefs: 00007FFDFA993691
NFKC, xrefs: 00007FFDFA9911F0
NFC, xrefs: 00007FFDFA9911D8
NFKD, xrefs: 00007FFDFA9936D7

Memory Dump Source

Source File: 00000001.00000002.1790239989.00007FFDFA991000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFA990000, based on PE: true

Associated: 00000001.00000002.1790215466.00007FFDFA990000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA995000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA9F2000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA3E000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA42000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA47000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA9F000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790619887.00007FFDFAAA2000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790657853.00007FFDFAAA4000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfa990000_dipwo1iToJ.jbxd

Similarity

API ID: CompareStringUnicode_With$Mem_$FreeMallocSubtypeType_
String ID: NFC$NFD$NFKC$NFKD$invalid normalization form
API String ID: 1723213316-3528878251
Opcode ID: 7d9693cf2d06923f90061d591c3b8a3e1c636af1e984342259c0b7d751c99e14
Instruction ID: 32d576ef8a95041be6d1df1877e2c6401b861b7688910244e0a0847e95f9a0f5
Opcode Fuzzy Hash: 7d9693cf2d06923f90061d591c3b8a3e1c636af1e984342259c0b7d751c99e14
Instruction Fuzzy Hash: 9E518421B0C25262FBA8AB159470E7E2295BF5EBCCFA451B5C96EC7ACDDF1CE4058300

Function 00007FFDFA9943F0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_PyArg_BadArgument.PYTHON312 ref: 00007FFDFA994420
PyType_IsSubtype.PYTHON312 ref: 00007FFDFA994483
PyUnicode_FromString.PYTHON312 ref: 00007FFDFA99449F

Strings

%04X, xrefs: 00007FFDFA994548
decomposition, xrefs: 00007FFDFA994419
a unicode character, xrefs: 00007FFDFA99440B
, xrefs: 00007FFDFA994533
argument, xrefs: 00007FFDFA994412

Memory Dump Source

Source File: 00000001.00000002.1790239989.00007FFDFA991000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFA990000, based on PE: true

Associated: 00000001.00000002.1790215466.00007FFDFA990000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA995000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA9F2000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA3E000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA42000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA47000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA9F000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790619887.00007FFDFAAA2000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790657853.00007FFDFAAA4000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfa990000_dipwo1iToJ.jbxd

Similarity

API ID: Arg_ArgumentFromStringSubtypeType_Unicode_
String ID: $%04X$a unicode character$argument$decomposition
API String ID: 1318908108-4056541097
Opcode ID: a3cef0d0996400cfa83e251a2d781e139d471a14dd81ecf0aeeb3af5fef58597
Instruction ID: 6ea2119098a3d0ba68a4f1dbad3afd815dda4fb8f5f90fc6e2518899e1189858
Opcode Fuzzy Hash: a3cef0d0996400cfa83e251a2d781e139d471a14dd81ecf0aeeb3af5fef58597
Instruction Fuzzy Hash: AA41C961B08682A1EB298B15D4707B923A1FF8D798FC44275D97E876C8DF3CD559C300

Function 00007FFDFA992740 Relevance: 16.7, APIs: 11, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFDFA992768
__scrt_initialize_crt.LIBCMT ref: 00007FFDFA9927AD
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFDFA9927BA
_RTC_Initialize.LIBCMT ref: 00007FFDFA9927E8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFDFA99280E
__scrt_release_startup_lock.LIBCMT ref: 00007FFDFA992839

Memory Dump Source

Source File: 00000001.00000002.1790239989.00007FFDFA991000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFA990000, based on PE: true

Associated: 00000001.00000002.1790215466.00007FFDFA990000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA995000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA9F2000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA3E000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA42000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA47000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA9F000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790619887.00007FFDFAAA2000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790657853.00007FFDFAAA4000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfa990000_dipwo1iToJ.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: ba629577db6599826cb9fb44cf19b8c727e776d8ab71a1e0ce86f35fe3adb7c8
Instruction ID: 9f7575c6f4b3ce995ea4bfd5010fd311c85b30c5d9933aa7d43a4c0ed2e0e502
Opcode Fuzzy Hash: ba629577db6599826cb9fb44cf19b8c727e776d8ab71a1e0ce86f35fe3adb7c8
Instruction Fuzzy Hash: 52819521F0C643A6F75C9B669461ABA22D4AF4D788FD440B9D92CC77DEDE3CE8498300

Function 00007FFDFA9945B4 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_PyArg_CheckPositional.PYTHON312 ref: 00007FFDFA9945E7
_PyArg_BadArgument.PYTHON312 ref: 00007FFDFA99461C
_PyUnicode_ToDigit.PYTHON312 ref: 00007FFDFA99463E
PyErr_SetString.PYTHON312 ref: 00007FFDFA99465E
PyLong_FromLong.PYTHON312 ref: 00007FFDFA994678

Strings

a unicode character, xrefs: 00007FFDFA994607
not a digit, xrefs: 00007FFDFA994654
digit, xrefs: 00007FFDFA9945E0, 00007FFDFA99460E
argument 1, xrefs: 00007FFDFA994615

Memory Dump Source

Source File: 00000001.00000002.1790239989.00007FFDFA991000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFA990000, based on PE: true

Associated: 00000001.00000002.1790215466.00007FFDFA990000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA995000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA9F2000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA3E000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA42000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA47000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA9F000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790619887.00007FFDFAAA2000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790657853.00007FFDFAAA4000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfa990000_dipwo1iToJ.jbxd

Similarity

API ID: Arg_$ArgumentCheckDigitErr_FromLongLong_PositionalStringUnicode_
String ID: a unicode character$argument 1$digit$not a digit
API String ID: 4245020737-4278345224
Opcode ID: 63a51ef3fb3b37699c37d838a5587871e01ab33192532b5daca7f17e7c8dcafb
Instruction ID: d55c76436e2100ade0e6ccc9f0d5d3ed2d91d8e571913bc535b4dd7a2ead898c
Opcode Fuzzy Hash: 63a51ef3fb3b37699c37d838a5587871e01ab33192532b5daca7f17e7c8dcafb
Instruction Fuzzy Hash: 1E214F71B08643A5EF298B65E4649792364EB9CB8CFC440B1C92EC76ECDF2CE449C700

Function 00007FFDFAB04AB0 Relevance: 15.3, APIs: 1, Strings: 9, Instructions: 325
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.VCRUNTIME140 ref: 00007FFDFAB04E18

Strings

Cannot add a column with non-constant default, xrefs: 00007FFDFAB04CAF
Cannot add a REFERENCES column with non-NULL default value, xrefs: 00007FFDFAB04C33
Cannot add a NOT NULL column with default value NULL, xrefs: 00007FFDFAB04C55
Cannot add a PRIMARY KEY column, xrefs: 00007FFDFAB04BC8
UPDATE "%w".sqlite_master SET sql = printf('%%.%ds, ',sql) || %Q || substr(sql,1+length(printf('%%.%ds',sql))) WHERE type = 'table' AND name = %Q, xrefs: 00007FFDFAB04E5C
cannot add a STORED column, xrefs: 00007FFDFAB04DB4
SELECT CASE WHEN quick_check GLOB 'CHECK*' THEN raise(ABORT,'CHECK constraint failed') ELSE raise(ABORT,'NOT NULL constraint failed') END FROM pragma_quick_check(%Q,%Q) WHERE quick_check GLOB 'CHECK*' OR quick_check GLOB 'NULL*', xrefs: 00007FFDFAB04F91
SELECT raise(ABORT,%Q) FROM "%w"."%w", xrefs: 00007FFDFAB04C3D, 00007FFDFAB04CB9, 00007FFDFAB04DC3
Cannot add a UNIQUE column, xrefs: 00007FFDFAB04BE3

Memory Dump Source

Source File: 00000001.00000002.1790722712.00007FFDFAAB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 00007FFDFAAB0000, based on PE: true

Associated: 00000001.00000002.1790701930.00007FFDFAAB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1791797724.00007FFDFABDE000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1792020766.00007FFDFAC0B000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1792149222.00007FFDFAC10000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaab0000_dipwo1iToJ.jbxd

Similarity

API ID: memcpy
String ID: Cannot add a NOT NULL column with default value NULL$Cannot add a PRIMARY KEY column$Cannot add a REFERENCES column with non-NULL default value$Cannot add a UNIQUE column$Cannot add a column with non-constant default$SELECT CASE WHEN quick_check GLOB 'CHECK*' THEN raise(ABORT,'CHECK constraint failed') ELSE raise(ABORT,'NOT NULL constraint failed') END FROM pragma_quick_check(%Q,%Q) WHERE quick_check GLOB 'CHECK*' OR quick_check GLOB 'NULL*'$SELECT raise(ABORT,%Q) FROM "%w"."%w"$UPDATE "%w".sqlite_master SET sql = printf('%%.%ds, ',sql) || %Q || substr(sql,1+length(printf('%%.%ds',sql))) WHERE type = 'table' AND name = %Q$cannot add a STORED column
API String ID: 3510742995-3865411212
Opcode ID: 6145248e7b04b0619e5a8fcb440d0d42fd806850070c73835079349b62662a14
Instruction ID: 3191a7c8aeace2f61cef0745ca32e1677939db9e5404d3cfb8333eaa35f6c712
Opcode Fuzzy Hash: 6145248e7b04b0619e5a8fcb440d0d42fd806850070c73835079349b62662a14
Instruction Fuzzy Hash: 90E1AD61B09B9285EB688B15A164BB933A5FB44BC4F8881B5CEAD077DDDF3CE855C300

Function 00007FFDFA9916F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyType_IsSubtype.PYTHON312 ref: 00007FFDFA9917C8
PyUnicode_FromString.PYTHON312 ref: 00007FFDFA99182C
_PyArg_BadArgument.PYTHON312 ref: 00007FFDFA9938EA

Strings

a unicode character, xrefs: 00007FFDFA9938D5
argument, xrefs: 00007FFDFA9938DC
category, xrefs: 00007FFDFA9938E3

Memory Dump Source

Source File: 00000001.00000002.1790239989.00007FFDFA991000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFA990000, based on PE: true

Associated: 00000001.00000002.1790215466.00007FFDFA990000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA995000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA9F2000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA3E000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA42000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA47000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA9F000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790619887.00007FFDFAAA2000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790657853.00007FFDFAAA4000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfa990000_dipwo1iToJ.jbxd

Similarity

API ID: Arg_ArgumentFromStringSubtypeType_Unicode_
String ID: a unicode character$argument$category
API String ID: 1318908108-2068800536
Opcode ID: 75ddb3696b46489ca6549d465876fca1f165cfd7b87c949410c65a543f1dc5fb
Instruction ID: 085b22d9d41dd734e83d84fd49114e0f74a225cc7100149c7a93adbaa2a29e7d
Opcode Fuzzy Hash: 75ddb3696b46489ca6549d465876fca1f165cfd7b87c949410c65a543f1dc5fb
Instruction Fuzzy Hash: 3751D962B1864662EB5D8B06D470AB963A1FF48B88F940075DA6FCB7D8DF2CE855D300

Function 00007FFDFA991000 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyType_IsSubtype.PYTHON312 ref: 00007FFDFA9910D3
PyUnicode_FromString.PYTHON312 ref: 00007FFDFA9910F8
_PyArg_BadArgument.PYTHON312 ref: 00007FFDFA9935B0

Strings

a unicode character, xrefs: 00007FFDFA99359B
bidirectional, xrefs: 00007FFDFA9935A9
argument, xrefs: 00007FFDFA9935A2

Memory Dump Source

Source File: 00000001.00000002.1790239989.00007FFDFA991000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFA990000, based on PE: true

Associated: 00000001.00000002.1790215466.00007FFDFA990000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA995000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA9F2000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA3E000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA42000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA47000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA9F000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790619887.00007FFDFAAA2000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790657853.00007FFDFAAA4000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfa990000_dipwo1iToJ.jbxd

Similarity

API ID: Arg_ArgumentFromStringSubtypeType_Unicode_
String ID: a unicode character$argument$bidirectional
API String ID: 1318908108-2110215792
Opcode ID: 6f7a0223ee0090118d1ffdd6d95c782b73d4ddee4bbf01c7b704a6e76ba36895
Instruction ID: 9e245fa9d0ebf974f6e4c019eec2f8b9f2b39a721fa3f7680717be1515acc6a5
Opcode Fuzzy Hash: 6f7a0223ee0090118d1ffdd6d95c782b73d4ddee4bbf01c7b704a6e76ba36895
Instruction Fuzzy Hash: 3241A265B1858262FBAC8B15C4B5B792361FF48798FD41079DA6FC36D8CF2DD8958300

Function 00007FFDFA991150 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 40COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON312 ref: 00007FFDFA993607
_PyArg_BadArgument.PYTHON312 ref: 00007FFDFA99363A

Part of subcall function 00007FFDFA9911B0: PyUnicode_CompareWithASCIIString.PYTHON312 ref: 00007FFDFA9911E2
Part of subcall function 00007FFDFA9911B0: PyUnicode_CompareWithASCIIString.PYTHON312 ref: 00007FFDFA9911FA
Part of subcall function 00007FFDFA9911B0: PyType_IsSubtype.PYTHON312 ref: 00007FFDFA99121D

Strings

str, xrefs: 00007FFDFA99362C
argument 2, xrefs: 00007FFDFA993625
argument 1, xrefs: 00007FFDFA993619
normalize, xrefs: 00007FFDFA9935FA, 00007FFDFA993633

Memory Dump Source

Source File: 00000001.00000002.1790239989.00007FFDFA991000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFA990000, based on PE: true

Associated: 00000001.00000002.1790215466.00007FFDFA990000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA995000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA9F2000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA3E000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA42000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA47000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA9F000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790619887.00007FFDFAAA2000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790657853.00007FFDFAAA4000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfa990000_dipwo1iToJ.jbxd

Similarity

API ID: Arg_CompareStringUnicode_With$ArgumentCheckPositionalSubtypeType_
String ID: argument 1$argument 2$normalize$str
API String ID: 4101545800-1320425463
Opcode ID: 2dbf24b9019d36270aeee854f5eb720b9aec5d3fd397e623ab08701816bde558
Instruction ID: 469ab091ce4425b4194197d3526d0406cccbdcc53dd07648e7f012fbbc7ec5e1
Opcode Fuzzy Hash: 2dbf24b9019d36270aeee854f5eb720b9aec5d3fd397e623ab08701816bde558
Instruction Fuzzy Hash: B9115A60B08642A4EB588F16E4A1EBA2350BF09FC8FD48076D92D877DCDF2CD549C740

Function 00007FFDFA994764 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON312 ref: 00007FFDFA994790
_PyArg_BadArgument.PYTHON312 ref: 00007FFDFA9947C5

Strings

str, xrefs: 00007FFDFA9947B7
argument 2, xrefs: 00007FFDFA9947E6
argument 1, xrefs: 00007FFDFA9947B0
is_normalized, xrefs: 00007FFDFA994783, 00007FFDFA9947BE

Memory Dump Source

Source File: 00000001.00000002.1790239989.00007FFDFA991000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFA990000, based on PE: true

Associated: 00000001.00000002.1790215466.00007FFDFA990000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA995000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA9F2000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA3E000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA42000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA47000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA9F000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790619887.00007FFDFAAA2000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790657853.00007FFDFAAA4000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfa990000_dipwo1iToJ.jbxd

Similarity

API ID: Arg_$ArgumentCheckPositional
String ID: argument 1$argument 2$is_normalized$str
API String ID: 3876575403-184702317
Opcode ID: a144f24e6de5b7cccd567b51e7b194ed070cb538066fb7292dbf1d4aae94f326
Instruction ID: 47877c697a82d1056138eaadb761b6e51d1d4752e7144382586f687758aaff80
Opcode Fuzzy Hash: a144f24e6de5b7cccd567b51e7b194ed070cb538066fb7292dbf1d4aae94f326
Instruction Fuzzy Hash: 0E016564B0868AA4EB588B12E4A0EB92350EB49FC8FD484B2D92D877DCDF2CD549C300

Function 00007FFDFAAEBBA4 Relevance: 9.4, APIs: 1, Strings: 5, Instructions: 354COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFDFAAEBC24

Strings

cannot release savepoint - SQL statements in progress, xrefs: 00007FFDFAAEFADF
statement aborts at %d: [%s] %s, xrefs: 00007FFDFAAF005F
no such savepoint: %s, xrefs: 00007FFDFAAEBCA4
cannot open savepoint - SQL statements in progress, xrefs: 00007FFDFAAEFABE
831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0, xrefs: 00007FFDFAAEFA92, 00007FFDFAAEFDF0

Memory Dump Source

Source File: 00000001.00000002.1790722712.00007FFDFAAB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 00007FFDFAAB0000, based on PE: true

Associated: 00000001.00000002.1790701930.00007FFDFAAB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1791797724.00007FFDFABDE000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1792020766.00007FFDFAC0B000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1792149222.00007FFDFAC10000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaab0000_dipwo1iToJ.jbxd

Similarity

API ID: memcpy
String ID: 831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$cannot open savepoint - SQL statements in progress$cannot release savepoint - SQL statements in progress$no such savepoint: %s$statement aborts at %d: [%s] %s
API String ID: 3510742995-2526444651
Opcode ID: c9d744cff9dc738ede1e2a386e920d6a7cb1c7740c9bf092cb904dc52b4c502a
Instruction ID: 83af84e35f060d2b2b919a921dffa423fa828a436be69683e1eee2aace3132b5
Opcode Fuzzy Hash: c9d744cff9dc738ede1e2a386e920d6a7cb1c7740c9bf092cb904dc52b4c502a
Instruction Fuzzy Hash: A0F1C032B0869685EB68CB26D0A4A7E77A4FB45B84F014071DE6D477D9DF3DE84ACB00

Function 00007FFDFAAE6B10 Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 278COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFDFAAE6F2D

Strings

API called with finalized prepared statement, xrefs: 00007FFDFAAE6B41
API called with NULL prepared statement, xrefs: 00007FFDFAAE6B2B
%s at line %d of [%.10s], xrefs: 00007FFDFAAE6B79
831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0, xrefs: 00007FFDFAAE6B60
misuse, xrefs: 00007FFDFAAE6B6D

Memory Dump Source

Source File: 00000001.00000002.1790722712.00007FFDFAAB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 00007FFDFAAB0000, based on PE: true

Associated: 00000001.00000002.1790701930.00007FFDFAAB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1791797724.00007FFDFABDE000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1792020766.00007FFDFAC0B000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1792149222.00007FFDFAC10000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaab0000_dipwo1iToJ.jbxd

Similarity

API ID: memcpy
String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$API called with NULL prepared statement$API called with finalized prepared statement$misuse
API String ID: 3510742995-774319783
Opcode ID: c1f2e72d02041f634680d4dfe94196d23bd266405e708ce222b3484ffe9b10a2
Instruction ID: 9bd640ffffb9585e9bf70af9f11f27dc575a665d7f71242267a22291c02d17e1
Opcode Fuzzy Hash: c1f2e72d02041f634680d4dfe94196d23bd266405e708ce222b3484ffe9b10a2
Instruction Fuzzy Hash: DDE19122F09BC581E7198B29C6547BC7360FBA9B48F14A675DF9C13296EF38E5D98300

Function 00007FFDFA994690 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON312 ref: 00007FFDFA9946C0
PyType_IsSubtype.PYTHON312 ref: 00007FFDFA994720

Strings

a unicode character, xrefs: 00007FFDFA9946AB
argument, xrefs: 00007FFDFA9946B2
east_asian_width, xrefs: 00007FFDFA9946B9

Memory Dump Source

Source File: 00000001.00000002.1790239989.00007FFDFA991000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFA990000, based on PE: true

Associated: 00000001.00000002.1790215466.00007FFDFA990000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA995000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA9F2000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA3E000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA42000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA47000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA9F000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790619887.00007FFDFAAA2000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790657853.00007FFDFAAA4000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfa990000_dipwo1iToJ.jbxd

Similarity

API ID: Arg_ArgumentSubtypeType_
String ID: a unicode character$argument$east_asian_width
API String ID: 1522575347-3913127203
Opcode ID: f8fe7d2390cefcda47379d0bc21b213a30bcd05f20e1989e4018474eb32f17be
Instruction ID: 23974e79e31051b3134d504bcecfbd40843bd7fdd54ac3d68cbd2b61b0f64ba2
Opcode Fuzzy Hash: f8fe7d2390cefcda47379d0bc21b213a30bcd05f20e1989e4018474eb32f17be
Instruction Fuzzy Hash: 6421C565F0CA82A1EB1D8B11947097D27A1EB8DB88FC480B1D62E836DCDF2CD595C740

Function 00007FFDFA994C58 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON312 ref: 00007FFDFA994C84
_PyUnicode_ToNumeric.PYTHON312 ref: 00007FFDFA994CB7
PyErr_SetString.PYTHON312 ref: 00007FFDFA994CDF
PyFloat_FromDouble.PYTHON312 ref: 00007FFDFA994CF7

Strings

not a numeric character, xrefs: 00007FFDFA994CD5

Memory Dump Source

Source File: 00000001.00000002.1790239989.00007FFDFA991000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFA990000, based on PE: true

Associated: 00000001.00000002.1790215466.00007FFDFA990000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA995000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA9F2000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA3E000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA42000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA47000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA9F000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790619887.00007FFDFAAA2000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790657853.00007FFDFAAA4000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfa990000_dipwo1iToJ.jbxd

Similarity

API ID: DoubleErr_Float_FromNumericStringSubtypeType_Unicode_
String ID: not a numeric character
API String ID: 1034370217-2058156748
Opcode ID: 7ac3b2fdf3478d2374b08fe415c3a12b63c61252479e25d1cab849eb02e47f53
Instruction ID: e2ab323e57c8665bb2ac4427c65f17cc189c7135d8b1f30ab5a35928fe1cba94
Opcode Fuzzy Hash: 7ac3b2fdf3478d2374b08fe415c3a12b63c61252479e25d1cab849eb02e47f53
Instruction Fuzzy Hash: 77214821F18942A9E75E8B25D4709797294AF8CB8CF9480B1C93ED66DCEF2CE445C740

Function 00007FFDFA994354 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON312 ref: 00007FFDFA994380
_PyUnicode_ToDecimalDigit.PYTHON312 ref: 00007FFDFA99439F
PyErr_SetString.PYTHON312 ref: 00007FFDFA9943BF
PyLong_FromLong.PYTHON312 ref: 00007FFDFA9943D9

Strings

not a decimal, xrefs: 00007FFDFA9943B5

Memory Dump Source

Source File: 00000001.00000002.1790239989.00007FFDFA991000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFA990000, based on PE: true

Associated: 00000001.00000002.1790215466.00007FFDFA990000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA995000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA9F2000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA3E000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA42000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA47000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA9F000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790619887.00007FFDFAAA2000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790657853.00007FFDFAAA4000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfa990000_dipwo1iToJ.jbxd

Similarity

API ID: DecimalDigitErr_FromLongLong_StringSubtypeType_Unicode_
String ID: not a decimal
API String ID: 3750391552-3590249192
Opcode ID: babd95680f3a021cdbe90a8980b0a1372c723c98da362c4ed99ce49efb4cea9f
Instruction ID: 27225e001389b67dab779b459e81962898eb3d31d4131d2c8021c7d502917326
Opcode Fuzzy Hash: babd95680f3a021cdbe90a8980b0a1372c723c98da362c4ed99ce49efb4cea9f
Instruction Fuzzy Hash: 0A118921B18542A2EB1D9B35D57553D2395AF8CB8CF844470C96EC76D8DF2CE854C300

Function 00007FFDFA994A64 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON312 ref: 00007FFDFA994A9F
_PyArg_BadArgument.PYTHON312 ref: 00007FFDFA994AD4

Strings

a unicode character, xrefs: 00007FFDFA994ABF
argument 1, xrefs: 00007FFDFA994ACD
name, xrefs: 00007FFDFA994A98, 00007FFDFA994AC6

Memory Dump Source

Source File: 00000001.00000002.1790239989.00007FFDFA991000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFA990000, based on PE: true

Associated: 00000001.00000002.1790215466.00007FFDFA990000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA995000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA9F2000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA3E000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA42000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA47000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA9F000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790619887.00007FFDFAAA2000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790657853.00007FFDFAAA4000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfa990000_dipwo1iToJ.jbxd

Similarity

API ID: Arg_$ArgumentCheckPositional
String ID: a unicode character$argument 1$name
API String ID: 3876575403-4190364640
Opcode ID: 788619a113f5b482446816568c8a6ce6929a34ab923ea752a318f2ec33933934
Instruction ID: 5fc2e56081311acc216506c79001e623a2c26be43e7c1ae4a9f817478b2d993e
Opcode Fuzzy Hash: 788619a113f5b482446816568c8a6ce6929a34ab923ea752a318f2ec33933934
Instruction Fuzzy Hash: C0118631B08642A5DB589F52E4519A97360FB8CBC8F984076DB2D8779DCF3CE595C700

Function 00007FFDFA9942A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON312 ref: 00007FFDFA9942DB
_PyArg_BadArgument.PYTHON312 ref: 00007FFDFA994310

Strings

decimal, xrefs: 00007FFDFA9942D4, 00007FFDFA994302
a unicode character, xrefs: 00007FFDFA9942FB
argument 1, xrefs: 00007FFDFA994309

Memory Dump Source

Source File: 00000001.00000002.1790239989.00007FFDFA991000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFA990000, based on PE: true

Associated: 00000001.00000002.1790215466.00007FFDFA990000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA995000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA9F2000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA3E000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA42000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA47000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA9F000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790619887.00007FFDFAAA2000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790657853.00007FFDFAAA4000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfa990000_dipwo1iToJ.jbxd

Similarity

API ID: Arg_$ArgumentCheckPositional
String ID: a unicode character$argument 1$decimal
API String ID: 3876575403-2474051849
Opcode ID: 1e4fff75323d13296d4f9873b31303b2eb894daa88b12eee96b04a04f0936518
Instruction ID: 59709fff1c1aab12176d27fb75844f296243026fb494c7d32b6b9a2c3c8462ad
Opcode Fuzzy Hash: 1e4fff75323d13296d4f9873b31303b2eb894daa88b12eee96b04a04f0936518
Instruction Fuzzy Hash: A811B631B18652A5DB58DF52E5519AD7364FB88B88FC84072DA2D8379DCF3CD585C700

Function 00007FFDFA994BA4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON312 ref: 00007FFDFA994BDF
_PyArg_BadArgument.PYTHON312 ref: 00007FFDFA994C14

Strings

numeric, xrefs: 00007FFDFA994BD8, 00007FFDFA994C06
a unicode character, xrefs: 00007FFDFA994BFF
argument 1, xrefs: 00007FFDFA994C0D

Memory Dump Source

Source File: 00000001.00000002.1790239989.00007FFDFA991000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFA990000, based on PE: true

Associated: 00000001.00000002.1790215466.00007FFDFA990000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA995000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA9F2000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA3E000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA42000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA47000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA9F000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790619887.00007FFDFAAA2000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790657853.00007FFDFAAA4000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfa990000_dipwo1iToJ.jbxd

Similarity

API ID: Arg_$ArgumentCheckPositional
String ID: a unicode character$argument 1$numeric
API String ID: 3876575403-2385192657
Opcode ID: bbdd109889d573d2d770b99f749a56ec45e44fab925d66d6427c2491f45a32cb
Instruction ID: 719a18f2965c1399069ce6cf3d9315ed2a6bb554ff81682274db70872e2949ae
Opcode Fuzzy Hash: bbdd109889d573d2d770b99f749a56ec45e44fab925d66d6427c2491f45a32cb
Instruction Fuzzy Hash: 32118631B08A52A5DB589F52E4519E97360FB8CBC8F984072DA2D8379DDF3CE599C700

Function 00007FFDFA994970 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON312 ref: 00007FFDFA9949A0
PyErr_Occurred.PYTHON312 ref: 00007FFDFA9949CF

Strings

mirrored, xrefs: 00007FFDFA994999
a unicode character, xrefs: 00007FFDFA99498B
argument, xrefs: 00007FFDFA994992

Memory Dump Source

Source File: 00000001.00000002.1790239989.00007FFDFA991000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFA990000, based on PE: true

Associated: 00000001.00000002.1790215466.00007FFDFA990000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA995000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA9F2000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA3E000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA42000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA47000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA9F000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790619887.00007FFDFAAA2000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790657853.00007FFDFAAA4000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfa990000_dipwo1iToJ.jbxd

Similarity

API ID: Arg_ArgumentErr_Occurred
String ID: a unicode character$argument$mirrored
API String ID: 3979797681-4001128513
Opcode ID: 450df9025a0dac1254f35d1cfdfe59c877f6086a6bdfc57fc8ee28b17aa84801
Instruction ID: cff5a692ca282c043eff092c8ea46b8aac95efc57c4c8e7013e47b7f0ba23bc7
Opcode Fuzzy Hash: 450df9025a0dac1254f35d1cfdfe59c877f6086a6bdfc57fc8ee28b17aa84801
Instruction Fuzzy Hash: A901B520F08A42A2EB1C8B2598709B92290FF8CB5CFC082B1D56DC32DDCE2CD595C300

Function 00007FFDFA9941B4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON312 ref: 00007FFDFA9941E4
PyErr_Occurred.PYTHON312 ref: 00007FFDFA994213

Strings

combining, xrefs: 00007FFDFA9941DD
a unicode character, xrefs: 00007FFDFA9941CF
argument, xrefs: 00007FFDFA9941D6

Memory Dump Source

Source File: 00000001.00000002.1790239989.00007FFDFA991000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFA990000, based on PE: true

Associated: 00000001.00000002.1790215466.00007FFDFA990000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA995000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA9F2000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA3E000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA42000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA47000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA9F000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790619887.00007FFDFAAA2000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790657853.00007FFDFAAA4000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfa990000_dipwo1iToJ.jbxd

Similarity

API ID: Arg_ArgumentErr_Occurred
String ID: a unicode character$argument$combining
API String ID: 3979797681-4202047184
Opcode ID: 23a79bd7f21a28e7400453b17a2d46dedd5221c58aaec7069aa9642920e7cd67
Instruction ID: 581b5b514f03b4108751be0e575d21a9df1cf57e8471f51823c687d3f15b6ca4
Opcode Fuzzy Hash: 23a79bd7f21a28e7400453b17a2d46dedd5221c58aaec7069aa9642920e7cd67
Instruction Fuzzy Hash: A2019E24F08642A1EB2C8B61A8709BD22A0FF9D75CFC006B5C52DC32CCDE2CE598C710

Function 00007FFDFA992630 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

PyMem_Malloc.PYTHON312(?,?,00000000,00007FFDFA99256A), ref: 00007FFDFA99263B
PyCapsule_New.PYTHON312(?,?,00000000,00007FFDFA99256A), ref: 00007FFDFA992678
PyErr_NoMemory.PYTHON312(?,?,00000000,00007FFDFA99256A), ref: 00007FFDFA993EC8
PyMem_Free.PYTHON312(?,?,00000000,00007FFDFA99256A), ref: 00007FFDFA993ED8

Strings

unicodedata._ucnhash_CAPI, xrefs: 00007FFDFA99266D

Memory Dump Source

Source File: 00000001.00000002.1790239989.00007FFDFA991000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFA990000, based on PE: true

Associated: 00000001.00000002.1790215466.00007FFDFA990000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA995000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA9F2000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA3E000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA42000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA47000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA9F000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790619887.00007FFDFAAA2000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790657853.00007FFDFAAA4000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfa990000_dipwo1iToJ.jbxd

Similarity

API ID: Mem_$Capsule_Err_FreeMallocMemory
String ID: unicodedata._ucnhash_CAPI
API String ID: 3673501854-3989975041
Opcode ID: 89b48c636968bcc96ff5c1323bcf06e5fb317347bf56e69214e0fa8ba2ac5adf
Instruction ID: 3c6473db594e42c2fc08e21c88d0700ccfbfaed2465757146215adb96ec88f2d
Opcode Fuzzy Hash: 89b48c636968bcc96ff5c1323bcf06e5fb317347bf56e69214e0fa8ba2ac5adf
Instruction Fuzzy Hash: D7F01D21B09B46B5FF195B51A46487A63A8BF1C789FC81476C96E867ECEF3CE0488300

Function 00007FFDFAB4AB30 Relevance: 7.9, APIs: 1, Strings: 4, Instructions: 381COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FFDFAB4ABCF

Strings

vtable constructor failed: %s, xrefs: 00007FFDFAB4AD1B
vtable constructor did not declare schema: %s, xrefs: 00007FFDFAB4AE4A
hidden, xrefs: 00007FFDFAB4AF8D
vtable constructor called recursively: %s, xrefs: 00007FFDFAB4ACD6

Memory Dump Source

Source File: 00000001.00000002.1790722712.00007FFDFAAB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 00007FFDFAAB0000, based on PE: true

Associated: 00000001.00000002.1790701930.00007FFDFAAB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1791797724.00007FFDFABDE000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1792020766.00007FFDFAC0B000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1792149222.00007FFDFAC10000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaab0000_dipwo1iToJ.jbxd

Similarity

API ID: memcpy
String ID: hidden$vtable constructor called recursively: %s$vtable constructor did not declare schema: %s$vtable constructor failed: %s
API String ID: 3510742995-1299490920
Opcode ID: 2623641340c733b794af5866e5bcb4bdb6316ec65f5e7f2dcf12a73dcdb92bb2
Instruction ID: 02c88d46f5424e8872825ecd2db5d1f5a36fbe8bff5236b0b2f9723c823101ac
Opcode Fuzzy Hash: 2623641340c733b794af5866e5bcb4bdb6316ec65f5e7f2dcf12a73dcdb92bb2
Instruction Fuzzy Hash: A1F11B22B08B8281EB598F11D060B7A77A0FB44B94F9482BADE6E477D9DF3CE545C300

Function 00007FFDFAAD5C10 Relevance: 7.8, APIs: 2, Strings: 3, Instructions: 311COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFDFAAD5D24
memset.VCRUNTIME140 ref: 00007FFDFAAD5EB7

Strings

database corruption, xrefs: 00007FFDFAAD605E
%s at line %d of [%.10s], xrefs: 00007FFDFAAD606A
831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0, xrefs: 00007FFDFAAD6051

Memory Dump Source

Source File: 00000001.00000002.1790722712.00007FFDFAAB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 00007FFDFAAB0000, based on PE: true

Associated: 00000001.00000002.1790701930.00007FFDFAAB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1791797724.00007FFDFABDE000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1792020766.00007FFDFAC0B000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1792149222.00007FFDFAC10000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaab0000_dipwo1iToJ.jbxd

Similarity

API ID: memset
String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
API String ID: 2221118986-3764764234
Opcode ID: ba5d2802316911a7491cadce116daa97ccd6123211c9d747203731b79c4598ca
Instruction ID: 940e13d9475137233c59498f06e4a72c050a83a452329e2ee4b38d57f48cf52c
Opcode Fuzzy Hash: ba5d2802316911a7491cadce116daa97ccd6123211c9d747203731b79c4598ca
Instruction Fuzzy Hash: D4D1C17370878686D768DF26D024AA977A8FB88B84F558076DF9D47798DF38D44AC300

Function 00007FFDFAAD6C20 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 191COMMON

Download Yara Rule

Strings

database corruption, xrefs: 00007FFDFAAD6CDF
%s at line %d of [%.10s], xrefs: 00007FFDFAAD6CE6
831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0, xrefs: 00007FFDFAAD6CCC

Memory Dump Source

Source File: 00000001.00000002.1790722712.00007FFDFAAB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 00007FFDFAAB0000, based on PE: true

Associated: 00000001.00000002.1790701930.00007FFDFAAB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1791797724.00007FFDFABDE000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1792020766.00007FFDFAC0B000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1792149222.00007FFDFAC10000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaab0000_dipwo1iToJ.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
API String ID: 0-3764764234
Opcode ID: d7bbc113d95c405dff7a55cfefdeaeb98036685461038bdd9bca21eed79271cd
Instruction ID: 6aa08f3202f88e7391578588758413b916747d8b98c3fcef648c6093d2f3b878
Opcode Fuzzy Hash: d7bbc113d95c405dff7a55cfefdeaeb98036685461038bdd9bca21eed79271cd
Instruction Fuzzy Hash: 8B81E622B086D15ADB28CB25D1A0ABD7BA0FB40B84F044176DBED476C9DF3CE45AC750

Function 00007FFDFA991EF0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312(?,?,?,?,?,00007FFDFA991EDC), ref: 00007FFDFA993B31

Part of subcall function 00007FFDFA991FD0: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFA992008
Part of subcall function 00007FFDFA991FD0: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFA992026

PyErr_Format.PYTHON312 ref: 00007FFDFA991F53

Strings

name too long, xrefs: 00007FFDFA993B27
undefined character name '%s', xrefs: 00007FFDFA991F46

Memory Dump Source

Source File: 00000001.00000002.1790239989.00007FFDFA991000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFA990000, based on PE: true

Associated: 00000001.00000002.1790215466.00007FFDFA990000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA995000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA9F2000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA3E000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA42000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA47000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA9F000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790619887.00007FFDFAAA2000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790657853.00007FFDFAAA4000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfa990000_dipwo1iToJ.jbxd

Similarity

API ID: Err_strncmp$FormatString
String ID: name too long$undefined character name '%s'
API String ID: 3882229318-4056717002
Opcode ID: fe9fd46e1f898954a40cc435b1b2d9c6909a3f099c322250393b7a83e7c0a7cf
Instruction ID: 5197ca66aa711716471240d363486a7e95d731969f83f1395681d761b43b7675
Opcode Fuzzy Hash: fe9fd46e1f898954a40cc435b1b2d9c6909a3f099c322250393b7a83e7c0a7cf
Instruction Fuzzy Hash: D1112176B1894BE1EB448F14E4A4AB96364FB9C78CFD00471CA2E862E8DF6DD54AC700

Function 00007FFDFAABDBB0 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 249COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFDFAABDC3C

Strings

%s-shm, xrefs: 00007FFDFAABDC53
winOpenShm, xrefs: 00007FFDFAABDE49
readonly_shm, xrefs: 00007FFDFAABDDDA

Memory Dump Source

Source File: 00000001.00000002.1790722712.00007FFDFAAB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 00007FFDFAAB0000, based on PE: true

Associated: 00000001.00000002.1790701930.00007FFDFAAB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1791797724.00007FFDFABDE000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1792020766.00007FFDFAC0B000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1792149222.00007FFDFAC10000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaab0000_dipwo1iToJ.jbxd

Similarity

API ID: memset
String ID: %s-shm$readonly_shm$winOpenShm
API String ID: 2221118986-2815843928
Opcode ID: 8d2a6488cfe544708466a8bb6c48c74f0afd239d4f67e3118775d9e63ad55e06
Instruction ID: b66be408215a0316388190e319896042f6847a5d4f5c61f15b6f03a19a9f29fd
Opcode Fuzzy Hash: 8d2a6488cfe544708466a8bb6c48c74f0afd239d4f67e3118775d9e63ad55e06
Instruction Fuzzy Hash: 5BC14D25B0DA5285EB5D9B21E470A7D33B0BF44B94F4881B6DA7E862D8DF3CE44AC350

Function 00007FFDFAB35C50 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 197COMMON

Download Yara Rule

Strings

column%d, xrefs: 00007FFDFAB35E58
%s.%s, xrefs: 00007FFDFAB35DCE
rowid, xrefs: 00007FFDFAB35DAE

Memory Dump Source

Source File: 00000001.00000002.1790722712.00007FFDFAAB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 00007FFDFAAB0000, based on PE: true

Associated: 00000001.00000002.1790701930.00007FFDFAAB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1791797724.00007FFDFABDE000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1792020766.00007FFDFAC0B000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1792149222.00007FFDFAC10000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaab0000_dipwo1iToJ.jbxd

Similarity

API ID:
String ID: %s.%s$column%d$rowid
API String ID: 0-1505470444
Opcode ID: d1fe2ab18ba4c5494ba92163807286c015e8439aac513501ae0b7842bd63adfc
Instruction ID: 5bd8689ad2a6cf2f3497ecd3e9ec0db122c490586b9350d4b31ece9495909986
Opcode Fuzzy Hash: d1fe2ab18ba4c5494ba92163807286c015e8439aac513501ae0b7842bd63adfc
Instruction Fuzzy Hash: 24919C72B08B8189EB68DB15D4647A963A8FB45BA4F944366DEBC473C8DF38D485C300

Function 00007FFDFA991FD0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 173stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFA992008
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFA992026

Strings

CJK UNIFIED IDEOGRAPH-, xrefs: 00007FFDFA99201C
HANGUL SYLLABLE , xrefs: 00007FFDFA991FF5

Memory Dump Source

Source File: 00000001.00000002.1790239989.00007FFDFA991000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFA990000, based on PE: true

Associated: 00000001.00000002.1790215466.00007FFDFA990000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA995000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA9F2000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA3E000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA42000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA47000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA9F000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790619887.00007FFDFAAA2000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790657853.00007FFDFAAA4000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfa990000_dipwo1iToJ.jbxd

Similarity

API ID: strncmp
String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
API String ID: 1114863663-87138338
Opcode ID: d800521c55394c3ad25b6a38125f6762d0e11982fd6218b3e6ef33505340922b
Instruction ID: e6f48bf7e82ede682b57316a9a77682f7e328b11ef19c7737573888e1be41a1c
Opcode Fuzzy Hash: d800521c55394c3ad25b6a38125f6762d0e11982fd6218b3e6ef33505340922b
Instruction Fuzzy Hash: 5461F772B1864256F7688A19A850A7A7252EB88B98FC44275EA7DC7BDDEF3CD4018700

Function 00007FFDFA994B18 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FFDFA994B68
PyUnicode_FromString.PYTHON312 ref: 00007FFDFA994B85

Strings

no such name, xrefs: 00007FFDFA994B5E

Memory Dump Source

Source File: 00000001.00000002.1790239989.00007FFDFA991000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFA990000, based on PE: true

Associated: 00000001.00000002.1790215466.00007FFDFA990000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA995000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA9F2000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA3E000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA42000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA47000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA9F000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790619887.00007FFDFAAA2000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790657853.00007FFDFAAA4000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfa990000_dipwo1iToJ.jbxd

Similarity

API ID: String$Err_FromUnicode_
String ID: no such name
API String ID: 3678473424-4211486178
Opcode ID: ac25febba8f5bdc0c9cfa2e9817e8debf067cef10677f4d15bb58f151aba3dd9
Instruction ID: 0b7a02c91e0f9e3d2736bd282f231472441c45838ed95f4e584401a3c397dac8
Opcode Fuzzy Hash: ac25febba8f5bdc0c9cfa2e9817e8debf067cef10677f4d15bb58f151aba3dd9
Instruction Fuzzy Hash: BA01127171D642A1FB658B21E8B0BA92294BB9C78CF840071DA5E867E8DF2CE119C700

Function 00007FFDFA9925C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_PyObject_GC_New.PYTHON312(?,?,00000000,00007FFDFA992533), ref: 00007FFDFA9925C6
PyObject_GC_Track.PYTHON312(?,?,00000000,00007FFDFA992533), ref: 00007FFDFA9925F8

Strings

3.2.0, xrefs: 00007FFDFA9925D4

Memory Dump Source

Source File: 00000001.00000002.1790239989.00007FFDFA991000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FFDFA990000, based on PE: true

Associated: 00000001.00000002.1790215466.00007FFDFA990000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA995000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFA9F2000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA3E000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA42000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA47000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790259151.00007FFDFAA9F000.00000002.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790619887.00007FFDFAAA2000.00000004.00000001.01000000.0000001A.sdmpDownload File
Associated: 00000001.00000002.1790657853.00007FFDFAAA4000.00000002.00000001.01000000.0000001A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfa990000_dipwo1iToJ.jbxd

Similarity

API ID: Object_$Track
String ID: 3.2.0
API String ID: 16854473-1786766648
Opcode ID: f91d149df4c654f8be0df0ef2da4b36c9d06b56ee9d54162962ccaca08fa2000
Instruction ID: a82899de7ad601a6e0fd5bd295d44f3155c66dd5037de511ac91e3a525926571
Opcode Fuzzy Hash: f91d149df4c654f8be0df0ef2da4b36c9d06b56ee9d54162962ccaca08fa2000
Instruction Fuzzy Hash: F3E0ED64B55B02B1FF298B11E86446523A8BF1C748B9401B6CD6D82398EF3CE1A8C240

Function 00007FFDFAAFABE0 Relevance: 5.2, APIs: 4, Instructions: 223COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00007FFDFAAF532C), ref: 00007FFDFAAFAD4A
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00007FFDFAAF532C), ref: 00007FFDFAAFAD75
memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00007FFDFAAF532C), ref: 00007FFDFAAFAD91
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00007FFDFAAF532C), ref: 00007FFDFAAFADD6

Memory Dump Source

Source File: 00000001.00000002.1790722712.00007FFDFAAB1000.00000020.00000001.01000000.00000017.sdmp, Offset: 00007FFDFAAB0000, based on PE: true

Associated: 00000001.00000002.1790701930.00007FFDFAAB0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1791797724.00007FFDFABDE000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1792020766.00007FFDFAC0B000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 00000001.00000002.1792149222.00007FFDFAC10000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfaab0000_dipwo1iToJ.jbxd

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: 063867daf08dc840c18da87f71504e9cfd181ef9bf5db64338ac6d78780bbdb1
Instruction ID: 8f1a0e13bde6b1665ee109442d944172e8e3b086aea4909abc996287cc19ff38
Opcode Fuzzy Hash: 063867daf08dc840c18da87f71504e9cfd181ef9bf5db64338ac6d78780bbdb1
Instruction Fuzzy Hash: 4791B132B19B8286E76D8A159160AAA77A0FB44BD0F048175EE6D47BCDEF3CD4568700

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report dipwo1iToJ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_ARC4.pyd

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_Salsa20.pyd

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_chacha20.pyd

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_pkcs1_decode.pyd

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_aes.pyd

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_aesni.pyd

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_arc2.pyd

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_blowfish.pyd

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_cast.pyd

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_cbc.pyd

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_cfb.pyd

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_ctr.pyd

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_des.pyd

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_des3.pyd

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_ecb.pyd

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_eksblowfish.pyd

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_ocb.pyd

C:\Users\user\AppData\Local\Temp\_MEI68642\Crypto\Cipher\_raw_ofb.pyd

Windows Analysis Report
dipwo1iToJ.exe