Edit tour

Windows Analysis Report
check.exe

Overview

General Information

Sample name:	check.exe
Analysis ID:	1570419
MD5:	00152720a2c1c6969e3581e2dabc6702
SHA1:	0e8926af0ed2d77f193775e682f0a17b7e11b9a1
SHA256:	be4bee2fede8b2fac9d205b935ae47505b5168f675650f520bbe444a2e30f75f
Tags:	exeuser-x3ph1
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Opens network shares

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

IP address seen in connection with other malware

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

check.exe (PID: 180 cmdline: "C:\Users\user\Desktop\check.exe" MD5: 00152720A2C1C6969E3581E2DABC6702)

check.exe (PID: 2428 cmdline: "C:\Users\user\Desktop\check.exe" MD5: 00152720A2C1C6969E3581E2DABC6702)

cmd.exe (PID: 6640 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 6388 cmdline: wmic computersystem get manufacturer MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WerFault.exe (PID: 5988 cmdline: C:\Windows\system32\WerFault.exe -u -p 2428 -s 920 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Code function: 0_2_00007FF7D43B76C0 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

0_2_00007FF7D43B76C0

Source: C:\Users\user\Desktop\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\sip.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5QmlModels.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qgif.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\opengl32sw.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qtiff.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qwebp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qtga.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5WebSockets.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\QtCore.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Network.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\python313.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\generic\qtuiotouchplugin.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\platforms\qwindows.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qjpeg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Quick.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5DBus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\charset_normalizer\md.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\platforms\qwebgl.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qico.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qicns.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\platforms\qminimal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Qml.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\platforms\qoffscreen.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Svg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\QtGui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\QtWidgets.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qsvg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qwbmp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI1802\_queue.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\check.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-18384

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer FROM Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43B9280 FindFirstFileExW,FindClose,	0_2_00007FF7D43B9280
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43B83C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF7D43B83C0
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43D1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF7D43D1874
Source: C:\Users\user\Desktop\check.exe	Code function: 2_2_00007FF7D43B9280 FindFirstFileExW,FindClose,	2_2_00007FF7D43B9280

Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI1802\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\	Jump to behavior

Source: check.exe, 00000000.00000003.2054109594.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
Source: check.exe, 00000002.00000003.2073047959.00000171254A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V #
Source: check.exe, 00000002.00000002.2524357911.00000171256E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: $fQEMU
Source: check.exe, 00000002.00000003.2073047959.00000171254A6000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2074043295.00000171254A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: check.exe, 00000002.00000003.2073266868.0000017125544000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2074043295.00000171254A6000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2074570698.0000017125542000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524141342.00000171253E0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2074452924.0000017125535000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: check.exe, 00000002.00000002.2532320119.00007FF8A6BD8000.00000008.00000001.01000000.0000001E.sdmp	Binary or memory string: .?AVQEmulationPaintEngine@@

Source: C:\Users\user\Desktop\check.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\check.exe

Code function: 0_2_00007FF7D43CA614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF7D43CA614

Source: C:\Users\user\Desktop\check.exe

Code function: 0_2_00007FF7D43D3480 GetProcessHeap,

0_2_00007FF7D43D3480

Source: C:\Users\user\Desktop\check.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43CA614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7D43CA614
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43BC8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7D43BC8A0
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43BD12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7D43BD12C
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43BD30C SetUnhandledExceptionFilter,	0_2_00007FF7D43BD30C
Source: C:\Users\user\Desktop\check.exe	Code function: 2_2_00007FF7D43CA614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF7D43CA614

Source: C:\Users\user\Desktop\check.exe	Process created: C:\Users\user\Desktop\check.exe "C:\Users\user\Desktop\check.exe"	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer	Jump to behavior

Source: C:\Users\user\Desktop\check.exe

Code function: 0_2_00007FF7D43D9570 cpuid

0_2_00007FF7D43D9570

Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\platforms VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\QtCore.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\sip.cp313-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\charset_normalizer\md.cp313-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\charset_normalizer\md__mypyc.cp313-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\psutil\_psutil_windows.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\QtWidgets.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\QtGui.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\platforms\qminimal.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\platforms\qoffscreen.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\platforms\qwebgl.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\platforms\qwindows.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\Desktop\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI1802 VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\check.exe

Code function: 0_2_00007FF7D43BD010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7D43BD010

Source: C:\Users\user\Desktop\check.exe

Code function: 0_2_00007FF7D43D5C00 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF7D43D5C00

Stealing of Sensitive Information

Opens network shares

Source: C:\Users\user\Desktop\check.exe

File opened: \\Mac\shared\projects\loader\src\dropper\src\tmp\_main.py

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Network Share Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	2 System Time Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	31 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	32 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
check.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\MSVCP140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\MSVCP140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5DBus.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Gui.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Network.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Qml.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5QmlModels.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Quick.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Svg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5WebSockets.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Widgets.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\VCRUNTIME140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\d3dcompiler_47.dll	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\libEGL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\libGLESv2.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\opengl32sw.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\generic\qtuiotouchplugin.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qgif.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qicns.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qico.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qjpeg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qsvg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qtga.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qtiff.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qwbmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qwebp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\platforms\qminimal.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\platforms\qoffscreen.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\platforms\qwebgl.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\platforms\qwindows.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\QtCore.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\QtGui.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\QtWidgets.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\sip.cp313-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\VCRUNTIME140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\_wmi.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\charset_normalizer\md.cp313-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\libcrypto-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\libffi-8.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\libssl-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\psutil\_psutil_windows.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\python3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\python313.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI1802\unicodedata.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label
http://repository.swisssign.com/E	0%	Avira URL Cloud	safe
http://repository.swisssign.com/0	0%	Avira URL Cloud	safe
http://cacerts.digi	0%	Avira URL Cloud	safe
http://ocsp.accv.es	0%	Avira URL Cloud	safe
https://wwww.certigna.fr/autorites/	0%	Avira URL Cloud	safe
http://www.color.org)	0%	Avira URL Cloud	safe
http://ocsp.accv.esO	0%	Avira URL Cloud	safe
http://repository.swisssign.com/rQ	0%	Avira URL Cloud	safe
http://www.aiim.org/pdfa/ns/id/	0%	Avira URL Cloud	safe
http://repository.swisssign.com/rQrSrT3)	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nodejs.org	104.20.22.46	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/giampaolo/psutil/issues/875.	check.exe, 00000002.00000002.2526575512.0000017126920000.00000004.00001000.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/E	check.exe, 00000002.00000002.2524141342.000001712555C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://repository.swisssign.com/0	check.exe, 00000002.00000002.2524141342.000001712555C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nodejs.org/dist/v22.11.0/node-v22.11.0-win-x64.zip	check.exe, 00000002.00000002.2524357911.00000171256E0000.00000004.00001000.00020000.00000000.sdmp, check.exe, 00000002.00000002.2526575512.0000017126998000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	check.exe, 00000002.00000002.2523963332.00000171250A7000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2068859585.00000171250C3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2523616723.0000017123588000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2069289755.00000171250C3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file	check.exe, 00000002.00000003.2076498290.00000171259D1000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	false		high
http://goo.gl/zeJZl.	check.exe, 00000002.00000002.2525176467.00000171260DC000.00000004.00001000.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc2388#section-4.4	check.exe, 00000002.00000002.2524430915.0000017125928000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2076498290.0000017125928000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	check.exe, 00000002.00000002.2523963332.00000171250FF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/en/latest/specifications/entry-points/#file-format	check.exe, 00000002.00000003.2076498290.00000171259D1000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	check.exe, 00000002.00000002.2524844779.0000017125BE0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://cacerts.digi	check.exe, 00000000.00000003.2053458916.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peps.python.org/pep-0205/	check.exe, 00000002.00000003.2071604842.00000171254C6000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2070260521.00000171254C6000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2071108618.00000171254C6000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2067482215.00000171250A1000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2069289755.00000171250C3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524287430.00000171255E0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl	check.exe, 00000002.00000003.2103211217.0000017125B13000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125B13000.00000004.00000020.00020000.00000000.sdmp	false		high
http://curl.haxx.se/rfc/cookie_spec.html	check.exe, 00000002.00000002.2525066678.0000017125EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.accv.es	check.exe, 00000002.00000002.2524141342.00000171253E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nodejs.org/dist/v22.11.0/node-v22.11.0-win-x64.zip&	check.exe, 00000002.00000002.2526575512.0000017126998000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename	check.exe, 00000002.00000002.2523806883.0000017124EA0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	check.exe, 00000002.00000002.2524916171.0000017125CE0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	check.exe, 00000002.00000002.2523806883.0000017124F24000.00000004.00001000.00020000.00000000.sdmp	false		high
https://httpbin.org/get	check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2525176467.00000171260CC000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crlodr0	check.exe, 00000002.00000002.2524430915.0000017125842000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code	check.exe, 00000002.00000002.2523806883.0000017124EA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://qt.io/licensing/	qtbase_cs.qm.0.dr	false		high
https://wwww.certigna.fr/autorites/0m	check.exe, 00000002.00000002.2524430915.0000017125842000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	check.exe, 00000002.00000002.2523963332.00000171250A7000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2068859585.00000171250C3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2523616723.0000017123588000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2069289755.00000171250C3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/issues/86361.	check.exe, 00000002.00000002.2523963332.00000171250A7000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2071604842.0000017125584000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2069894042.0000017125597000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2070723164.0000017125584000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2069894042.0000017125535000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2071357779.0000017125584000.00000004.00000020.00020000.00000000.sdmp	false		high
http://mail.python.org/pipermail/python-dev/2012-June/120787.html.	check.exe, 00000002.00000002.2525066678.0000017125EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://httpbin.org/	check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/	check.exe, 00000002.00000003.2103211217.0000017125B90000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125B90000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module	check.exe, 00000002.00000002.2523806883.0000017124EA0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches	check.exe, 00000002.00000002.2523806883.0000017124EA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.color.org)	check.exe, 00000002.00000002.2531739784.00007FF8A696A000.00000002.00000001.01000000.0000001E.sdmp	false	Avira URL Cloud: safe	unknown
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	check.exe, 00000002.00000002.2524141342.00000171253E0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2076498290.0000017125985000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	check.exe, 00000002.00000002.2523963332.00000171250A7000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2068859585.00000171250C3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2523616723.0000017123588000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2069289755.00000171250C3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/en/latest/specifications/core-metadata/#core-metadata	check.exe, 00000002.00000002.2524982021.0000017125DE0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl	check.exe, 00000002.00000003.2103211217.0000017125ABD000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125ABD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://wwwsearch.sf.net/):	check.exe, 00000002.00000003.2076498290.000001712588F000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125842000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/importlib_metadata/wiki/Development-Methodology	check.exe, 00000002.00000002.2524357911.00000171256E0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	check.exe, 00000002.00000003.2103211217.0000017125B13000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125B13000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524141342.00000171253E0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/legislacion_c.htm	check.exe, 00000002.00000003.2103211217.0000017125B13000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125B13000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/rfc6125#section-6.4.3	check.exe, 00000002.00000002.2524982021.0000017125DE0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl0	check.exe, 00000002.00000002.2524141342.00000171253E0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cert.fnmt.es/dpcs/	check.exe, 00000002.00000002.2524430915.0000017125928000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2103211217.0000017125B13000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125B13000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google.com/mail	check.exe, 00000002.00000003.2103652909.0000017125A07000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2075752715.0000017125A10000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524141342.00000171253E0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/specifications/entry-points/	check.exe, 00000002.00000002.2524916171.0000017125CE0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.accv.es00	check.exe, 00000002.00000003.2103211217.0000017125B13000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125B13000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org/psf/license/)	check.exe, 00000002.00000002.2539316123.00007FF8A8CF8000.00000002.00000001.01000000.00000004.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	check.exe, 00000002.00000003.2069289755.00000171250C3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://foss.heptapod.net/pypy/pypy/-/issues/3539	check.exe, 00000002.00000002.2524844779.0000017125BE0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	check.exe, 00000002.00000003.2075752715.0000017125A05000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125842000.00000004.00000020.00020000.00000000.sdmp	false		high
http://google.com/	check.exe, 00000002.00000002.2524430915.0000017125842000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mahler:8092/site-updates.py	check.exe, 00000002.00000003.2075483897.0000017125AC5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524141342.00000171253E0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crl	check.exe, 00000002.00000002.2524430915.0000017125ABD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://.../back.jpeg	check.exe, 00000002.00000002.2525066678.0000017125EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc7231#section-4.3.6)	check.exe, 00000002.00000003.2073528141.0000017125929000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2073047959.00000171254A6000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2072563086.0000017125897000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2074043295.00000171254A6000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524141342.00000171253E0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2072563086.0000017125928000.00000004.00000020.00020000.00000000.sdmp	false		high
https://httpbin.org/post	check.exe, 00000002.00000003.2072623547.00000171253FB000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125842000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2072020082.0000017125544000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source	check.exe, 00000002.00000002.2523806883.0000017124F24000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/Ousret/charset_normalizer	check.exe, 00000002.00000003.2103652909.0000017125A07000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2075752715.0000017125A10000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.firmaprofesional.com/cps0	check.exe, 00000002.00000003.2103211217.0000017125B13000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125B13000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524141342.000001712555C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec	check.exe, 00000002.00000002.2523806883.0000017124EA0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2920	check.exe, 00000002.00000002.2524982021.0000017125DE0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crl0	check.exe, 00000002.00000002.2524430915.0000017125928000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data	check.exe, 00000002.00000002.2523963332.00000171250A7000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2068859585.00000171250C3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2069289755.00000171250C3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://yahoo.com/	check.exe, 00000002.00000003.2103652909.0000017125A07000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2075752715.0000017125A10000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524141342.00000171253E0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl0	check.exe, 00000002.00000002.2524430915.0000017125928000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	check.exe, 00000002.00000002.2524141342.00000171253E0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://html.spec.whatwg.org/multipage/	check.exe, 00000002.00000003.2076498290.00000171259D1000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps0	check.exe, 00000002.00000003.2103211217.0000017125B13000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125B13000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl	check.exe, 00000002.00000003.2103211217.0000017125B13000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125B13000.00000004.00000020.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	check.exe, 00000002.00000002.2524916171.0000017125CE0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0	check.exe, 00000002.00000003.2103211217.0000017125B13000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125B13000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.accv.esO	check.exe, 00000002.00000002.2524141342.00000171253E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.rfc-editor.org/rfc/rfc8259#section-8.1	check.exe, 00000002.00000003.2076498290.00000171259D1000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	false		high
http://qt-project.org/	qtbase_cs.qm.0.dr	false		high
https://requests.readthedocs.io	check.exe, 00000002.00000002.2525176467.00000171260A4000.00000004.00001000.00020000.00000000.sdmp, check.exe, 00000002.00000003.2072020082.0000017125544000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/	check.exe, 00000002.00000002.2524141342.000001712555C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/rQ	check.exe, 00000002.00000003.2103652909.0000017125A07000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.xrampsecurity.com/XGCA.crl	check.exe, 00000002.00000002.2524430915.0000017125ABD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org	check.exe, 00000002.00000003.2072623547.00000171253FB000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125842000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2072020082.0000017125544000.00000004.00000020.00020000.00000000.sdmp	false		high
http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/	check.exe, 00000002.00000003.2103652909.0000017125A07000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2075752715.0000017125A10000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/legislacion_c.htm0U	check.exe, 00000002.00000003.2103211217.0000017125B13000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125B13000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.aiim.org/pdfa/ns/id/	check.exe, 00000002.00000002.2531739784.00007FF8A696A000.00000002.00000001.01000000.0000001E.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.accv.es0	check.exe, 00000002.00000003.2103211217.0000017125B13000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125B13000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org/	check.exe, 00000002.00000003.2075483897.0000017125AC5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524141342.00000171253E0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://json.org	check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524141342.000001712555C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/howto/mro.html.	check.exe, 00000002.00000002.2524068336.00000171252E0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package	check.exe, 00000002.00000002.2523806883.0000017124EA0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://twitter.com/	check.exe, 00000002.00000003.2103652909.0000017125A07000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2075752715.0000017125A10000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	false		high
https://stackoverflow.com/questions/4457745#4457745.	check.exe, 00000002.00000002.2526575512.0000017126920000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps	check.exe, 00000002.00000003.2103211217.0000017125ABD000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125ABD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module	check.exe, 00000002.00000002.2523806883.0000017124F24000.00000004.00001000.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/rQrSrT3)	check.exe, 00000002.00000003.2103652909.0000017125A07000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google.com/	check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google.com/mail/	check.exe, 00000002.00000002.2524141342.00000171253E0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://google.com/mail/	check.exe, 00000002.00000002.2524430915.0000017125928000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2076498290.0000017125928000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2076498290.00000171259D1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/#	check.exe, 00000002.00000003.2103652909.0000017125A07000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/3290	check.exe, 00000002.00000002.2524982021.0000017125DE0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.openssl.org/H	check.exe, 00000000.00000003.2057847160.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2535350111.00007FF8A8000000.00000002.00000001.01000000.00000014.sdmp, check.exe, 00000002.00000002.2535157227.00007FF8A7F24000.00000002.00000001.01000000.00000015.sdmp	false		high
http://crl.certigna.fr/certignarootca.crl01	check.exe, 00000002.00000003.2103211217.0000017125B13000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125842000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125B13000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.20.22.46	nodejs.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1570419
Start date and time:	2024-12-07 00:00:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	check.exe
Detection:	MAL
Classification:	mal48.spyw.winEXE@9/142@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 74% Number of executed functions: 62 Number of non-executed functions: 79
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtProtectVirtualMemory calls found.
VT rate limit hit for: check.exe

Simulations

Behavior and APIs

Time	Type	Description
18:01:05	API Interceptor	1x Sleep call for process: check.exe modified
18:01:05	API Interceptor	1x Sleep call for process: WMIC.exe modified
18:01:46	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.20.22.46	sDKRz09zM7.exe	Get hash	malicious	AsyncRAT, XWorm	Browse
	kwlYObMOSn.exe	Get hash	malicious	XWorm	Browse
	8Hd0ZExgJz.exe	Get hash	malicious	Blank Grabber, Umbral Stealer, XWorm	Browse
	IM3OLcx7li.exe	Get hash	malicious	XWorm	Browse
	cgqdM4IA7C.exe	Get hash	malicious	XWorm	Browse
	hKWBNgRd7p.exe	Get hash	malicious	XWorm	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe	Get hash	malicious	Unknown	Browse
	RHUENHera1.exe	Get hash	malicious	AsyncRAT, XWorm	Browse
	SecuriteInfo.com.Win32.MalwareX-gen.6231.15153.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
nodejs.org	az10.exe	Get hash	malicious	Unknown	Browse	104.20.23.46
	sDKRz09zM7.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	104.20.22.46
	kwlYObMOSn.exe	Get hash	malicious	XWorm	Browse	104.20.22.46
	bootstraper.exe	Get hash	malicious	Unknown	Browse	104.20.23.46
	bootstraper.exe	Get hash	malicious	Unknown	Browse	104.20.23.46
	8Hd0ZExgJz.exe	Get hash	malicious	Blank Grabber, Umbral Stealer, XWorm	Browse	104.20.22.46
	KKjubdmzCR.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.20.23.46
	AYUGPPBj0x.exe	Get hash	malicious	DCRat	Browse	104.20.23.46
	IM3OLcx7li.exe	Get hash	malicious	XWorm	Browse	104.20.22.46
	SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe	Get hash	malicious	Blank Grabber	Browse	104.20.23.46

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	TECHNICAL SPECIFICATIONS.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	https://www.scribd.com/document/801519291/Advice-Notification#fullscreen&from_embed	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	a9YMw44iQq.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	172.67.19.24
	nlGOh9K5X5.exe	Get hash	malicious	Xmrig	Browse	172.67.19.24
	Fw Your flight has been cancelled.eml	Get hash	malicious	Unknown	Browse	104.17.247.203
	https://login.officeteam.didgim.com/factpath/resources/patch/047620476204762098/?tpj=PlKRhyZP6wwT3cO_YX5-vBD5GuXYTvvU?SehS24G3uU3qw64njI8IZH7gQJoi5rbp7C2uDZbPGel89LOXSbLkxzcBkcMiAnricyOgDlVZzgK16brTMbOGyuYoLIN4U0HH714J	Get hash	malicious	ReCaptcha Phish	Browse	104.16.124.96
	Distribution Agreement -21_12_48-December 6, 2024-be1f31b3a4b24beb88d27adfd723203e.pdf	Get hash	malicious	Unknown	Browse	1.1.1.1
	Doc_21-04-53.js	Get hash	malicious	Matanbuchus	Browse	104.21.40.3

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\MSVCP140.dll	az10.exe	Get hash	malicious	Unknown	Browse
	Update_4112024.exe	Get hash	malicious	Unknown	Browse
	Update_4112024.exe	Get hash	malicious	Unknown	Browse
	PyQtScrcpy.exe	Get hash	malicious	Unknown	Browse
	PyQtScrcpy.exe	Get hash	malicious	Unknown	Browse
	active.exe	Get hash	malicious	Unknown	Browse
	PumpBotPremium.msi	Get hash	malicious	Python Stealer	Browse
	Bypass Apk.exe	Get hash	malicious	Unknown	Browse
	Bypass Apk.exe	Get hash	malicious	Unknown	Browse
	https://github.com/VioletteChiara/AnimalTA/releases/download/v3.2.2/AnimalTA_installer_v3.2.2.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_check.exe_f58d6737a278c17bbf3304669ee8828e0d15e7d_9c0b4d08_57770ad5-1995-4a7d-b8a3-fe7692bfa17c\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3485307473024741
Encrypted:	false
SSDEEP:	192:loWoCrjTu6WS0PRjajoRXj0xMBkoY3K6/NQVXF03snqhtob/wnGkYzQTcVIcv1Sc:ZoCrjSTZPRjaj8nwntIRzuiFQY4lO8M
MD5:	219270CAAEFAA93EE14A396AB2704F45
SHA1:	7E4339F3C8478987CE9761BDB7A845601D4217D2
SHA-256:	991640D877CD6203DDCD252330DB48C21A04FBFAD004290A443D4B73BBAB24D4
SHA-512:	873ECD1756F429C36A623F3F7BDB107BF01627F69ADFD27BE3A482D3C302A6313A2F05C426A1A595ACDB1D98E3772AAB91768ECA282BE55AF36F513891479376
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.9.9.9.6.7.0.6.8.6.5.4.4.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.9.9.9.6.7.1.2.1.7.7.9.3.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.7.7.7.0.a.d.5.-.1.9.9.5.-.4.a.7.d.-.b.8.a.3.-.f.e.7.6.9.2.b.f.a.1.7.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.7.4.7.a.6.5.8.-.d.0.3.5.-.4.e.f.d.-.8.9.3.9.-.1.e.9.5.c.f.3.e.9.4.7.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.c.h.e.c.k...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.7.c.-.0.0.0.1.-.0.0.1.4.-.f.c.6.5.-.2.2.b.8.3.2.4.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.b.1.a.f.4.6.6.8.3.f.b.2.3.d.a.2.6.a.4.8.5.2.8.1.6.7.c.0.9.2.2.0.0.0.0.f.f.f.f.!.0.0.0.0.f.2.5.9.9.8.8.8.5.a.e.0.c.f.7.b.d.e.0.3.3.2.8.a.5.2.9.7.a.d.8.8.f.c.c.4.2.8.0.0.!.c.h.e.c.k...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.2././.0.5.:.0.6.:.2.4.:.3.2.!.2.4.f.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4F04.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Dec 6 23:01:10 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	131372
Entropy (8bit):	2.0660187988771215
Encrypted:	false
SSDEEP:	384:Q5K0ubHEVC3hEaAnB30sglZee2pE5e1+JJ2EgfN/bDf:Q5K0ubkixAnd0sg9wQ3XgV/vf
MD5:	2BCBD590780141534D81287A38B770C7
SHA1:	ABB4F73D17C2101F71723C83CE0D076CAAFB6996
SHA-256:	8B511D2DEE8A1DAB3DA6029238A4F5B9E82B0301884AE390CDC52A18E978A60D
SHA-512:	21890ECD450557859E8190AE75A3316755FCC4E9D57186253107E53CF768A33F3431632815E1B938ADA0138E3B55ED6185CE8B6A9286ADE44D07B6BEAC52913B
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......6.Sg............$............%..8.......$....-...........\..........`.......8...........T............%..L............-.........../..............................................................................eJ......p0......Lw......................T.......\|...-.Sg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER503E.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9590
Entropy (8bit):	3.7065991462573433
Encrypted:	false
SSDEEP:	192:R6l7wVeJ7++6Y2hSjcgmfSEpDT89bDiYfvQBm:R6lXJy+6YQSjcgmfS9Ddfvr
MD5:	8D96671D5DA2DEF4A81ABFCDF93194CE
SHA1:	E3477B1CB4CCC943C922F810156BE109E8302ACB
SHA-256:	1E5A1612E6D82D6714A192F4DE4DCA63F17648919E3476C91F9FBB9B9BE508C4
SHA-512:	833C4BAEAFA22A92D86F99B22C486D53C7385C7CC21535E61CDD91E217384E4CCB96538428695A5BA28CACD32530220803522F0356587070FAAB62628D528E67
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.4.2.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER505E.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4735
Entropy (8bit):	4.434102037674226
Encrypted:	false
SSDEEP:	48:cvIwWl8zsjJg771I9QjWpW8VYhYm8M4JvWDFPyq8vuWYMZ9T1S7d:uIjf9I73S7VhJOBW3YMDT1S7d
MD5:	A096DE4BD5FDC794C511C8123DE9AEB7
SHA1:	8C874F3E79DA868BE108DD8D65AE983F558C9B65
SHA-256:	AEABB3F14B74F43288373024B8640C1F7A74C9DEDA1CE11F655C9E5CF6102661
SHA-512:	B6712F2C46AB22B44F7692838D319E835770A455299B1A84A9B58396860AEBABC4C1BFDA464C6E1DC8090CE0576D32E94512B4390A09A8EC3C033575D9E5B681
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="620043" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\MSVCP140.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	590112
Entropy (8bit):	6.461874649448891
Encrypted:	false
SSDEEP:	12288:xI88L4Wu4+oJ+xc39ax5Ms4ETs3rxSvYcRkdQEKZm+jWodEEVh51:xD89rxZfQEKZm+jWodEEP5
MD5:	01B946A2EDC5CC166DE018DBB754B69C
SHA1:	DBE09B7B9AB2D1A61EF63395111D2EB9B04F0A46
SHA-256:	88F55D86B50B0A7E55E71AD2D8F7552146BA26E927230DAF2E26AD3A971973C5
SHA-512:	65DC3F32FAF30E62DFDECB72775DF870AF4C3A32A0BF576ED1AAAE4B16AC6897B62B19E01DC2BF46F46FBE3F475C061F79CBE987EDA583FEE1817070779860E5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: az10.exe, Detection: malicious, Browse Filename: Update_4112024.exe, Detection: malicious, Browse Filename: Update_4112024.exe, Detection: malicious, Browse Filename: PyQtScrcpy.exe, Detection: malicious, Browse Filename: PyQtScrcpy.exe, Detection: malicious, Browse Filename: active.exe, Detection: malicious, Browse Filename: PumpBotPremium.msi, Detection: malicious, Browse Filename: Bypass Apk.exe, Detection: malicious, Browse Filename: Bypass Apk.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........LS..-=..-=..-=.....-=..U...-=..-<.k-=.gB<..-=.gB9..-=.gB>..-=.gB8.=-=.gB=..-=.gB..-=.gB?..-=.Rich.-=.........PE..d.....t^.........." .....@..........."...............................................z....`A.........................................j..h....D..,...............L;...... A......(...@...8...............................0............P.......f..@....................text...,>.......@.................. ..`.rdata..r....P.......D..............@..@.data....:...`..."...N..............@....pdata..L;.......<...p..............@..@.didat..h...........................@....rsrc...............................@..@.reloc..(...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\MSVCP140_1.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31728
Entropy (8bit):	6.499754548353504
Encrypted:	false
SSDEEP:	384:rOY/H1SbuIqnX8ndnWc95gW3C8c+pBj0HRN7bULkcyHRN7rxTO6iuQl9xiv:yYIBqnMdxxWd4urv
MD5:	0FE6D52EB94C848FE258DC0EC9FF4C11
SHA1:	95CC74C64AB80785F3893D61A73B8A958D24DA29
SHA-256:	446C48C1224C289BD3080087FE15D6759416D64F4136ADDF30086ABD5415D83F
SHA-512:	C39A134210E314627B0F2072F4FFC9B2CE060D44D3365D11D8C1FE908B3B9403EBDD6F33E67D556BD052338D0ED3D5F16B54D628E8290FD3A155F55D36019A86
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>.{.zl..zl..zl......xl..s...~l.....}l.....xl..zl..Ql......l.....il.....{l.....{l.....{l..Richzl..................PE..d.....t^.........." .........$......p.....................................................`A........................................p>..L....?..x....p.......`..X....:...A......p...P3..8............................3..0............0..@............................text............................... ..`.rdata.......0......................@..@.data........P.......,..............@....pdata..X....`.......0..............@..@.rsrc........p.......4..............@..@.reloc..p............8..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Core.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6023664
Entropy (8bit):	6.768988071491288
Encrypted:	false
SSDEEP:	98304:hcirJylHYab/6bMJsv6tWKFdu9CLiZxqfg8gwf:+irJylHFb/QMJsv6tWKFdu9CL4xqfg8x
MD5:	817520432A42EFA345B2D97F5C24510E
SHA1:	FEA7B9C61569D7E76AF5EFFD726B7FF6147961E5
SHA-256:	8D2FF4CE9096DDCCC4F4CD62C2E41FC854CFD1B0D6E8D296645A7F5FD4AE565A
SHA-512:	8673B26EC5421FCE8E23ADF720DE5690673BB4CE6116CB44EBCC61BBBEF12C0AD286DFD675EDBED5D8D000EFD7609C81AAE4533180CF4EC9CD5316E7028F7441
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......D.............................UJ......................................................W.....,..................r....................Rich............PE..d...;._.........." ..........-.......-......................................`\.....x.\...`...........................................L..O....T...... \.......U.. ....[......0\..%..,.H.T.....................H.(.....H.0............./.H............................text............................... ..`.rdata..F7%.../..8%.................@..@.data...x....PT..\...6T.............@....pdata... ....U.."....T.............@..@.qtmimed.....0W.......V.............@..P.rsrc........ \.......[.............@..@.reloc...%...0\..&....[.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5DBus.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	436720
Entropy (8bit):	6.392610185061176
Encrypted:	false
SSDEEP:	6144:ZLvnUJ17UTGOkWHUe/W9TgYMDu96ixMZQ8IlXbKgp8aIDeN:KP7cGOGegTwu96ixMZQtlrPN
MD5:	0E8FF02D971B61B5D2DD1AC4DF01AE4A
SHA1:	638F0B46730884FA036900649F69F3021557E2FE
SHA-256:	1AA70B106A10C86946E23CAA9FC752DC16E29FBE803BBA1F1AB30D1C63EE852A
SHA-512:	7BA616EDE66B16D9F8B2A56C3117DB49A74D59D0D32EAA6958DE57EAC78F14B1C7F2DBBA9EAE4D77937399CF14D44535531BAF6F9DB16F357F8712DFAAE4346A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D..............+...../............).....+...O.+....+....O./...O....O..........O.(...Rich..........................PE..d...]._.........." .....\...<.......\..............................................K.....`..........................................h..to...................`...Q..............4.......T.......................(...`...0............p...............................text...yZ.......\.................. ..`.rdata..0....p.......`..............@..@.data...X....@......."..............@....pdata...Q...`...R...2..............@..@.rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Gui.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	7008240
Entropy (8bit):	6.674290383197779
Encrypted:	false
SSDEEP:	49152:9VPhJZWVvpg+za3cFlc61j2VjBW77I4iNlmLPycNRncuUx24LLsXZFC6FOCfDt2/:BJZzI1ZR3U9Cxc22aDACInVc4Z
MD5:	47307A1E2E9987AB422F09771D590FF1
SHA1:	0DFC3A947E56C749A75F921F4A850A3DCBF04248
SHA-256:	5E7D2D41B8B92A880E83B8CC0CA173F5DA61218604186196787EE1600956BE1E
SHA-512:	21B1C133334C7CA7BBBE4F00A689C580FF80005749DA1AA453CCEB293F1AD99F459CA954F54E93B249D406AEA038AD3D44D667899B73014F884AFDBD9C461C14
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......QH^~.)0-.)0-.)0-.Q.-.)0-...-.)0-.F4,.)0-.F3,.)0-.F5,.)0-.F1,.)0-.Y1,.)0-.B5,.)0-.B1,.)0-.)1-m,0-.Y4,.)0-.Y5,\|(0-.Y0,.)0-.Y.-.)0-.).-.)0-.Y2,.)0-Rich.)0-................PE..d....._.........." ......?...+.....X.?.......................................k.....R.k...`.........................................pKK.....d.e.\|....`k.......g.......j......pk..6....F.T................... .F.(.....F.0.............?.p+...........................text...2.?.......?................. ..`.rdata...z&...?..\|&...?.............@..@.data....o... f.......f.............@....pdata........g.......f.............@..@.rsrc........`k.......j.............@..@.reloc...6...pk..8....j.............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Network.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1340400
Entropy (8bit):	6.41486755163134
Encrypted:	false
SSDEEP:	24576:eXPn73RXox1U9M0m+1ffSDY565RzHUY1iaRy95hdGehEM:+7hXU1U95m4ff9A5RviaRy9NGI
MD5:	3569693D5BAE82854DE1D88F86C33184
SHA1:	1A6084ACFD2AA4D32CEDFB7D9023F60EB14E1771
SHA-256:	4EF341AE9302E793878020F0740B09B0F31CB380408A697F75C69FDBD20FC7A1
SHA-512:	E5EFF4A79E1BDAE28A6CA0DA116245A9919023560750FC4A087CDCD0AB969C2F0EEEC63BBEC2CD5222D6824A01DD27D2A8E6684A48202EA733F9BB2FAB048B32
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........Yt..7'..7'..7'...'..7'..3&..7'}.3&..7'}.4&..7'}.2&..7'}.6&..7'..6&..7'0.6&..7'..6'c.7'0.2&2.7'0.7&..7'0..'..7'...'..7'0.5&..7'Rich..7'........................PE..d....._.........." .................................................................c....`......................................... ....n..,...h....................X..........,.......T...................p...(...@...0............................................text...C........................... ..`.rdata...g.......h..................@..@.data...XN...@...2... ..............@....pdata...............R..............@..@.rsrc................>..............@..@.reloc..,............D..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Qml.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3591664
Entropy (8bit):	6.333693598000157
Encrypted:	false
SSDEEP:	98304:iPnt09+kVh2NrSdSG779LLLS/o/L4YqoY0Xba+mRRH2T:iPnt2ZVhT
MD5:	D055566B5168D7B1D4E307C41CE47C4B
SHA1:	043C0056E9951DA79EC94A66A784972532DC18EF
SHA-256:	30035484C81590976627F8FACE9507CAA8581A7DC7630CCCF6A8D6DE65CAB707
SHA-512:	4F12D17AA8A3008CAA3DDD0E41D3ED713A24F9B5A465EE93B2E4BECCF876D5BDF0259AA0D2DD77AD61BB59DC871F78937FFBE4D0F60638014E8EA8A27CAF228D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.4...Z...Z...Z......Z..^...Z..Y...Z.._...Z..[...Z...[...Z...[...Z...[...Z..._...Z...Z...Z.......Z......Z...X...Z.Rich..Z.........PE..d......_.........." .....^$..........O$.......................................7.....}.7...`...........................................,......2.......6.......4. .....6.......6..J....).T.....................).(...p.).0............p$..%...........................text....\$......^$................. ..`.rdata......p$......b$.............@..@.data.........3..n....2.............@....pdata.. .....4......l4.............@..@.rsrc.........6......`6.............@..@.reloc...J....6..L...f6.............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5QmlModels.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	438768
Entropy (8bit):	6.312090336793804
Encrypted:	false
SSDEEP:	6144:k1tE6lq982HdyuEZ5gw+VHDZjZ0yOWm7Vdcm4GyasLCZCu6vdQp:k1tEuq9Hdyuo5gwguyOtVIup
MD5:	2030C4177B499E6118BE5B9E5761FCE1
SHA1:	050D0E67C4AA890C80F46CF615431004F2F4F8FC
SHA-256:	51E4E5A5E91F78774C44F69B599FAE4735277EF2918F7061778615CB5C4F6E81
SHA-512:	488F7D5D9D8DEEE9BBB9D63DAE346E46EFEB62456279F388B323777999B597C2D5AEA0EE379BDF94C9CBCFD3367D344FB6B5E90AC40BE2CE95EFA5BBDD363BCC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..<...<...<...5.H.4...(...>.......*.......4.......8.......8......9...<...g....../......=....$.=...<.L.=......=...Rich<...................PE..d...M.._.........." .....(...r......d+..............................................MF....`.........................................0E...^..0................`.. F..................H...T.......................(.......0............@...............................text...N&.......(.................. ..`.rdata.......@.......,..............@..@.data...x/...0...(..................@....pdata.. F...`...H...>..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Quick.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4148720
Entropy (8bit):	6.462183686222023
Encrypted:	false
SSDEEP:	49152:EcDwCQsvkBD+ClI3IAVLA7Tr15SokomoqxQhT2bAssCFEUGX5ig:E7CKPsA3p0Z/QV/sS3Ag
MD5:	65F59CFC0C1C060CE20D3B9CEFFBAF46
SHA1:	CFD56D77506CD8C0671CA559D659DAB39E4AD3C2
SHA-256:	C81AD3C1111544064B1830C6F1AEF3C1FD13B401546AB3B852D697C0F4D854B3
SHA-512:	D6F6DC19F1A0495026CBA765B5A2414B6AF0DBFC37B5ACEED1CD0AE37B3B0F574B759A176D75B01EDD74C6CE9A3642D3D29A3FD7F166B53A41C8978F562B4B50
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!Fvge'.4e'.4e'.4l_.4i'.4.H.5m'.4.H.5a'.4.H.5\|'.4.H.5c'.4.W.5o'.4qL.5`'.4e'.4.,.4.W.5.'.4.W.5d'.4.W.4d'.4e'.4d'.4.W.5d'.4Riche'.4........................PE..d......_.........." ......%..B......L.$.......................................?.......?...`.........................................0)2.P.....8.T.....>.......<..^...2?.......?.py......T.......................(.......0............ %..\...........................text.....%.......%................. ..`.rdata....... %.......%.............@..@.data....I...@;..2... ;.............@....pdata...^....<..`...R<.............@..@.rsrc.........>.......>.............@..@.reloc..py....?..z....>.............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Svg.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	330736
Entropy (8bit):	6.381828869454302
Encrypted:	false
SSDEEP:	6144:6qLZcTC3wR/0JNZ+csBkBv0L0hq+SvcO8MsvwbIeblsjTR:6qNcCwqHE2fYlsPR
MD5:	03761F923E52A7269A6E3A7452F6BE93
SHA1:	2CE53C424336BCC8047E10FA79CE9BCE14059C50
SHA-256:	7348CFC6444438B8845FB3F59381227325D40CA2187D463E82FC7B8E93E38DB5
SHA-512:	DE0FF8EBFFC62AF279E239722E6EEDD0B46BC213E21D0A687572BFB92AE1A1E4219322233224CA8B7211FFEF52D26CB9FE171D175D2390E3B3E6710BBDA010CB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............_._._..*_._,.^._..^._,.^._,.^._,.^._a.^._._=.._a.^._a.^._a.F_._.._._a.^._Rich._................PE..d......_.........." .........................................................@.......^....`.................................................((....... ...........0...........0..H...xL..T....................N..(....L..0............................................text............................... ..`.rdata..p...........................@..@.data...8...........................@....pdata...0.......2..................@..@.rsrc........ ......................@..@.reloc..H....0......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5WebSockets.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	149488
Entropy (8bit):	6.116105454277536
Encrypted:	false
SSDEEP:	3072:4sSkET6pEXb3loojg1Q2sorWvZXF2sorrLA7cG27Qhvvc:4sSd6pwzloDbsnX0sCrc7ct7QVc
MD5:	A016545F963548E0F37885E07EF945C7
SHA1:	CBE499E53AB0BD2DA21018F4E2092E33560C846F
SHA-256:	6B56F77DA6F17880A42D2F9D2EC8B426248F7AB2196A0F55D37ADE39E3878BC6
SHA-512:	47A3C965593B97392F8995C7B80394E5368D735D4C77F610AFD61367FFE7658A0E83A0DBD19962C4FA864D94F245A9185A915010AFA23467F999C833982654C2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'`.CF.KCF.KCF.KJ>.KGF.K.).JAF.KW-.JAF.K.).JVF.K.).JKF.K.).J@F.K.6.JFF.KCF.K.G.K.6.JPF.K.6.JBF.K.6.KBF.KCF.KBF.K.6.JBF.KRichCF.K........................PE..d......_.........." .....$..........t(.......................................p.......5....`............................................."..l........P.......0.......,.......`..L...hw..T....................x..(....w..0............@...............................text....".......$.................. ..`.rdata..z....@.......(..............@..@.data...x...........................@....pdata.......0......................@..@.rsrc........P......."..............@..@.reloc..L....`.......(..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Widgets.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5498352
Entropy (8bit):	6.619117060971844
Encrypted:	false
SSDEEP:	49152:KO+LIFYAPZtMym9RRQ7/KKIXSewIa/2Xqq1sfeOoKGOh6EwNmiHYYwBrK8KMlH0p:IGoKZdRqJD10rK8KMlH0gi5GX0oKZ
MD5:	4CD1F8FDCD617932DB131C3688845EA8
SHA1:	B090ED884B07D2D98747141AEFD25590B8B254F9
SHA-256:	3788C669D4B645E5A576DE9FC77FCA776BF516D43C89143DC2CA28291BA14358
SHA-512:	7D47D2661BF8FAC937F0D168036652B7CFE0D749B571D9773A5446C512C58EE6BB081FEC817181A90F4543EBC2367C7F8881FF7F80908AA48A7F6BB261F1D199
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........x..................I.......I.......I.......I...........................................9.................................Rich............PE..d....._.........." ......3..P .......3.......................................T......MT...`.........................................0.D.P^....L.h....pS......0P..8....S.......S.d.....?.T...................`.?.(...0.?.0.............3.._...........................text.....3.......3................. ..`.rdata..8.....3.......3.............@..@.data.........O......dO.............@....pdata...8...0P..:....O.............@..@.rsrc........pS......4S.............@..@.reloc..d.....S......:S.............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	101872
Entropy (8bit):	6.5661918084228725
Encrypted:	false
SSDEEP:	1536:RCKWZGuEK0mOLSTxoPl9GIcuZrxi4hXX9oix8H+NCIecbGShwZul:RFWY1WxgGStJ8H2CIecbG36
MD5:	971DBBE854FC6AB78C095607DFAD7B5C
SHA1:	1731FB947CD85F9017A95FDA1DC5E3B0F6B42CA2
SHA-256:	5E197A086B6A7711BAA09AFE4EA7C68F0E777B2FF33F1DF25A21F375B7D9693A
SHA-512:	B966AAB9C0D9459FADA3E5E96998292D6874A7078924EA2C171F0A1A50B0784C24CC408D00852BEC48D6A01E67E41D017684631176D3E90151EC692161F1814D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........w.............t:..............................................................Rich....................PE..d.....t^.........." .........^.......................................................e....`A.........................................0..4....9.......p.......P.......L...A..............8........................... ...0............................................text...2........................... ..`.rdata...?.......@..................@..@.data...0....@.......4..............@....pdata.......P.......8..............@..@_RDATA.......`.......D..............@..@.rsrc........p.......F..............@..@.reloc...............J..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\VCRUNTIME140_1.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	44528
Entropy (8bit):	6.627837381503075
Encrypted:	false
SSDEEP:	384:Aim/NRETi8kykt25HwviU5fJUiP2551xWmbTqOA7SXf+Ny85xM8ATJWr3KWoC8cS:0Ie8kySL2iPQxdvjAevcMESW5lxJG
MD5:	6BC084255A5E9EB8DF2BCD75B4CD0777
SHA1:	CF071AD4E512CD934028F005CABE06384A3954B6
SHA-256:	1F0F5F2CE671E0F68CF96176721DF0E5E6F527C8CA9CFA98AA875B5A3816D460
SHA-512:	B822538494D13BDA947655AF791FED4DAA811F20C4B63A45246C8F3BEFA3EC37FF1AA79246C89174FE35D76FFB636FA228AFA4BDA0BD6D2C41D01228B151FD89
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ .S.A...A...A..0.m..A..O....A...9...A...A...A..O....A..O....A..O....A..O....A..O.}..A..O....A..Rich.A..................PE..d.....t^.........." .....:...4......pA...............................................Z....`A.........................................j......\|k..x....................l...A......8....b..8...........................@b..0............P..X............................text....9.......:.................. ..`.rdata... ...P..."...>..............@..@.data................`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..8............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\d3dcompiler_47.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4173928
Entropy (8bit):	6.329102290474506
Encrypted:	false
SSDEEP:	49152:8BfmqCtLI4erBYysLjG/A8McPyCD6hw16JVTW7B3EgvVlQ3LAYmyNOvGJse+aWyb:8eZevVKACOvWYQF
MD5:	B0AE3AA9DD1EBD60BDF51CB94834CD04
SHA1:	EE2F5726AC140FB42D17ABA033D678AFAF8C39C1
SHA-256:	E994847E01A6F1E4CBDC5A864616AC262F67EE4F14DB194984661A8D927AB7F4
SHA-512:	756EBF4FA49029D4343D1BDB86EA71B2D49E20ADA6370FD7582515455635C73D37AD0DBDEEF456A10AB353A12412BA827CA4D70080743C86C3B42FA0A3152AA3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G..(.a.{.a.{.a.{..m{5a.{..l{.a.{.m{.a.{.o{.a.{.a.{.a.{.i{.a.{.l{.a.{.h{.a.{.q{.a.{.k{.a.{.n{.a.{Rich.a.{........................PE..d......R.........." ......;.........`.8......................................@@......a@...`...........................................;.u...P.>.d.....?.@.....=......t?.h<... ?..{..................................@a................>.P............................text.....;.......;................. ..`.data...h.....;.......;.............@....pdata........=......n<.............@..@.idata..@.....>......B>.............@..@.rsrc...@.....?......\>.............@..@.reloc....... ?......b>.............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\libEGL.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25072
Entropy (8bit):	5.961464514165753
Encrypted:	false
SSDEEP:	384:KEyYvsyDQrjwgut4Maw+XZndDGg7Dgf2hU:RvszjwgocwOhdDGEUf2hU
MD5:	BB00EF1DD81296AF10FDFA673B4D1397
SHA1:	773FFCF4A231B963BAAC36CBEF68079C09B62837
SHA-256:	32092DE077FD57B6EF355705EC46C6D21F6D72FBE3D3A5DD628F2A29185A96FA
SHA-512:	C87C0868C04852B63A7399AFE4E568CD9A65B7B7D5FD63030ABEA649AAC5E9F2293AB5BE2B2CE56A57F2B4B1992AE730150A293ADA53637FC5CD7BE0A727CBD4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9...Xv@.Xv@.Xv@. .@.Xv@.7wA.Xv@.3wA.Xv@.7sA.Xv@.7rA.Xv@.7uA.Xv@W(wA.Xv@.Xw@.Xv@W(sA.Xv@W(vA.Xv@W(.@.Xv@.X.@.Xv@W(tA.Xv@Rich.Xv@........PE..d...#._.........." .........0......................................................Z.....`.........................................`9.......B..d.......H....p.......F.......... ....3..T............................4..0............0...............................text............................... ..`.rdata..r#...0...$..................@..@.data........`.......:..............@....pdata.......p.......<..............@..@.rsrc...H............>..............@..@.reloc.. ............D..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\libGLESv2.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3385328
Entropy (8bit):	6.382356347494905
Encrypted:	false
SSDEEP:	49152:sU0O89Onk/cNTgO/WSLqfTPnK+9eaOiY95ZEQryD1pPG3L:MaHUKt3L
MD5:	2247EE4356666335DF7D72129AF8D600
SHA1:	F0131C1A67FC17C0E8DCC4A4CA38C9F1780E7182
SHA-256:	50FAD5605B3D57627848B3B84A744DFB6A045609B8236B04124F2234676758D8
SHA-512:	67F2A7BF169C7B9A516689CF1B16446CA50E57F099B9B742CCB1ABB2DCDE8867F8F6305AD8842CD96194687FC314715AE04C1942B0E0A4F51B592B028C5B16D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............t..t..t....t.A.p..t.A.w..t.A.q..t.A.u..t.u..t..u..t...q..t...t..t......t.....t...v..t.Rich..t.........PE..d....._.........." ......&.........L.&.......................................3.......3...`..........................................0..]....0.......3.P.....1.L.....3.......3..;...},.T...................P.,.(... ~,.0.............'..............................text...o.&.......&................. ..`.rdata........'.......&.............@..@.data.........1.......0.............@....pdata..L.....1.......1.............@..@.rsrc...P.....3......J3.............@..@.reloc...;....3..<...P3.............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\opengl32sw.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20923392
Entropy (8bit):	6.255903817217008
Encrypted:	false
SSDEEP:	393216:LIckHor5uLnn83wAP5hxOZEa7/LzRuDFqILn5LgcKyZyQXt+8M:yEZbv
MD5:	7DBC97BFEE0C7AC89DA8D0C770C977B6
SHA1:	A064C8D8967AAA4ADA29BD9FEFBE40405360412C
SHA-256:	963641A718F9CAE2705D5299EAE9B7444E84E72AB3BEF96A691510DD05FA1DA4
SHA-512:	286997501E1F5CE236C041DCB1A225B4E01C0F7C523C18E9835507A15C0AC53C4D50F74F94822125A7851FE2CB2FB72F84311A2259A5A50DCE6F56BA05D1D7E8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[.@..............'.......'.......'..[...........\|.-.....\|.+....\|..<....'......../.....q.*.....q.+....q.&.^...q.......q.,.....Rich............PE..d....._W.........." .....(....b.....\|&....................................... E...........`.........................................0.1.t.....1...............9.`n............C..k.. . .T..................... .(..... ..............@...............................text...T&.......(.................. ..`.rdata..XvO..@...xO..,..............@..@.data....;....1.......1.............@....pdata..`n....9..p...D3.............@..@.gfids.......pC.......=.............@..@.tls..........C.......=.............@..._RDATA........C.......=.............@..@.reloc...k....C..l....=.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\generic\qtuiotouchplugin.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	68080
Entropy (8bit):	6.207162014262433
Encrypted:	false
SSDEEP:	1536:mQ4IT53ign4CbtlO705xWL3frA5rlhgQJ7tapgUff:mLIT53Hbtk70OLs3hg0Cz
MD5:	750A31DE7840B5EED8BA14C1BD84D348
SHA1:	D345D13B0C303B7094D1C438E49F0046791DE7F6
SHA-256:	A9BFFB0F3CD69CD775C328C916E46440FE80D99119FAEBC350C7EC51E3E57C41
SHA-512:	5C0A68ED27A9F1BBFF104942152E475C94BB64B03CE252EAAC1A6770E24DC4156CE4ADE99EBCD92662801262DED892C33F84C605AD84472B45A83C4883D5E767
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............h..h..h...s.h..]...h.....h..]...h..]...h..]...h......h..h..&h......h......h......h......h..Rich.h..................PE..d...X._.........." .........b......$........................................@......{v....`......................................... ................ ..X....................0......H...T......................(.......0............................................text............................... ..`.rdata...E.......F..................@..@.data...............................@....pdata..............................@..@.qtmetadi...........................@..P.rsrc...X.... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	41968
Entropy (8bit):	6.0993566622860635
Encrypted:	false
SSDEEP:	768:VPs5g31JfDgej5JZmA0ZsEEC6lmn+4FdDGimUf2hr:VkC31ee7ZmA+sEEC6lmn+4FOUfc
MD5:	313F89994F3FEA8F67A48EE13359F4BA
SHA1:	8C7D4509A0CAA1164CC9415F44735B885A2F3270
SHA-256:	42DDE60BEFCF1D9F96B8366A9988626B97D7D0D829EBEA32F756D6ECD9EA99A8
SHA-512:	06E5026F5DB929F242104A503F0D501A9C1DC92973DD0E91D2DAF5B277D190082DE8D37ACE7EDF643C70AA98BB3D670DEFE04CE89B483DA4F34E629F8ED5FECF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n.:..i..i..i#.Ei...i...h(..i>..h(..i...h8..i...h-..i...h(..i...h-..i..i...i...h(..i...h+..i..)i+..i...h+..iRich*..i........................PE..d......_.........." .....@...F.......F..............................................C.....`..........................................g..x...hh..........H...........................xX..T....................Z..(....X..0............P...............................text....>.......@.................. ..`.rdata...3...P...4...D..............@..@.data................x..............@....pdata...............z..............@..@.qtmetadj...........................@..P.rsrc...H...........................@..@.reloc..............................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qgif.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39408
Entropy (8bit):	6.0316011626259405
Encrypted:	false
SSDEEP:	768:ygk2hM0GskFtvPCjEIxh8eDzFyPddeeGvnhotdDGPUf2he:yN2a05kfPOEMaeDzFkddeFnhotOUfh
MD5:	52FD90E34FE8DED8E197B532BD622EF7
SHA1:	834E280E00BAE48A9E509A7DC909BEA3169BDCE2
SHA-256:	36174DD4C5F37C5F065C7A26E0AC65C4C3A41FDC0416882AF856A23A5D03BB9D
SHA-512:	EF3FB3770808B3690C11A18316B0C1C56C80198C1B1910E8AA198DF8281BA4E13DC9A6179BB93A379AD849304F6BB934F23E6BBD3D258B274CC31856DE0FC12B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...3..3..3..KA.3..o\..3..X..3..o\..3..o\..3..o\..3.."C..3..3...3.."C..3.."C..3.."C-.3.."C..3..Rich.3..........PE..d...H._.........." .....@...B.......E...............................................^....`..........................................f..t....f..........@............~..............HW..T....................X..(....W..0............P...............................text...k?.......@.................. ..`.rdata..&)...P...*...D..............@..@.data...(............n..............@....pdata...............p..............@..@.qtmetads............v..............@..P.rsrc...@............x..............@..@.reloc...............\|..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qicns.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	45040
Entropy (8bit):	6.016125225197622
Encrypted:	false
SSDEEP:	768:vEip0IlhxTDxut3dnm8IyAmQQ3ydJouEAkNypTAO0tfC3apmsdDG9Uf2hU:vxvXxgVIyA23ydJlEATpTAO0tfCKpms/
MD5:	AD84AF4D585643FF94BFA6DE672B3284
SHA1:	5D2DF51028FBEB7F6B52C02ADD702BC3FA781E08
SHA-256:	F4A229A082D16F80016F366156A2B951550F1E9DF6D4177323BBEDD92A429909
SHA-512:	B68D83A4A1928EB3390DEB9340CB27B8A3EB221C2E0BE86211EF318B4DD34B37531CA347C73CCE79A640C5B06FBD325E10F8C37E0CEE2581F22ABFBFF5CC0D55
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................a....Q........Q......Q......Q......................................Rich...........PE..d......_.........." .....B...N.......G...............................................&....`.............................................t...$...........@...........................xp..T....................r..(....p..0............`...............................text....@.......B.................. ..`.rdata...9...`...:...F..............@..@.data...............................@....pdata..............................@..@.qtmetadx...........................@..P.rsrc...@...........................@..@.reloc..............................@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qico.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	38384
Entropy (8bit):	5.957072398645384
Encrypted:	false
SSDEEP:	768:zBXBEfQiAzC9Oh5AS7a3Z5OGrTDeV9mp7nnsWdDGgYUf2hi/:8JAzuOhy3zOGrTDeV9mp7nnsWjYUfz
MD5:	A9ABD4329CA364D4F430EDDCB471BE59
SHA1:	C00A629419509929507A05AEBB706562C837E337
SHA-256:	1982A635DB9652304131C9C6FF9A693E70241600D2EF22B354962AA37997DE0B
SHA-512:	004EA8AE07C1A18B0B461A069409E4061D90401C8555DD23DBF164A08E96732F7126305134BFAF8B65B0406315F218E05B5F0F00BEDB840FB993D648CE996756
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u.G...G...G...N...C......E...S...E......R......O......D.......B...G...........D.......F.......F.......F...RichG...................PE..d...H._.........." .....4...H.......9....................................................`..........................................h..t...th..........@............z..............(X..T....................Y..(....X..0............P..8............................text....2.......4.................. ..`.rdata..B/...P...0...8..............@..@.data...h............h..............@....pdata...............l..............@..@.qtmetad.............r..............@..P.rsrc...@............t..............@..@.reloc...............x..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qjpeg.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	421360
Entropy (8bit):	5.7491063936821405
Encrypted:	false
SSDEEP:	6144:USgOWz1eW38u9tyh6fpGUasBKTrsXWwMmH1l3JM5hn0uEfB4:USPQTnastBRB4
MD5:	16ABCCEB70BA20E73858E8F1912C05CD
SHA1:	4B3A32B166AB5BBBEE229790FDAE9CBC84F936BA
SHA-256:	FB4E980CB5FAFA8A4CD4239329AED93F7C32ED939C94B61FB2DF657F3C6AD158
SHA-512:	3E5C83967BF31C9B7F1720059DD51AA4338E518B076B0461541C781B076135E9CB9CBCEB13A8EC9217104517FBCC356BDD3FFACA7956D1C939E43988151F6273
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Iv"...L...L...L..o....L..xM...L..\|M...L.......L..xI...L..xH...L..xO...L..gM...L...M...L..gH.?.L..gI...L..gL...L..g....L..gN...L.Rich..L.........PE..d...o._.........." .....b...........i...............................................g....`.............................................t...............@....`.......R..............h...T.......................(.......0...............@............................text....`.......b.................. ..`.rdata..J............f..............@..@.data...8....P.......(..............@....pdata.......`... ...*..............@..@.qtmetad.............J..............@..P.rsrc...@............L..............@..@.reloc...............P..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qsvg.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32240
Entropy (8bit):	5.978149408776758
Encrypted:	false
SSDEEP:	768:uOVKDlJJVlTuLiMtsKVG7TSdDG9Uf2h4e:hVgJVlTuL/tsKVG7TSQUfre
MD5:	C0DE135782FA0235A0EA8E97898EAF2A
SHA1:	FCF5FD99239BF4E0B17B128B0EBEC144C7A17DE2
SHA-256:	B3498F0A10AC4CB42CF7213DB4944A34594FF36C78C50A0F249C9085D1B1FF39
SHA-512:	7BD5F90CCAB3CF50C55EAF14F7EF21E05D3C893FA7AC9846C6CA98D6E6D177263AC5EB8A85A34501BCFCA0DA7F0B6C39769726F4090FCA2231EE64869B81CF0B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x>...P...P...P..a...P.&vQ...P..rQ...P.&vU...P.&vT...P.&vS...P.kiQ...P...Q.n.P.kiU...P.kiP...P.ki....P.kiR...P.Rich..P.........PE..d......_.........." .....$...B......D)....................................................`.........................................PU..t....U..........@............b...............G..T....................I..(...PH..0............@..(............................text....".......$.................. ..`.rdata...+...@...,...(..............@..@.data...8....p.......T..............@....pdata...............V..............@..@.qtmetad.............Z..............@..P.rsrc...@............\..............@..@.reloc...............`..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qtga.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31728
Entropy (8bit):	5.865766652452823
Encrypted:	false
SSDEEP:	768:1lGALluUEAQATWQ79Z2Y8Ar+dDG2vUf2hF:TZl/EH8WQ794Y8Ar+hvUfm
MD5:	A913276FA25D2E6FD999940454C23093
SHA1:	785B7BC7110218EC0E659C0E5ACE9520AA451615
SHA-256:	5B641DEC81AEC1CF7AC0CCE9FC067BB642FBD32DA138A36E3BDAC3BB5B36C37A
SHA-512:	CEBE48E6E6C5CDF8FC339560751813B8DE11D2471A3DAB7D648DF5B313D85735889D4E704E8EEC0AD1084AB43BE0EBDFBACD038AEAC46D7A951EFB3A7CE838EB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F ._'N._'N._'N.V_.Y'N..HO.]'N.KLO.]'N..HK.M'N..HJ.W'N..HM.\'N..WO.Z'N._'O.4'N..WK.\'N..WN.^'N..W..^'N..WL.^'N.Rich_'N.........................PE..d......_.........." ....."...@.......'..............................................7.....`..........................................W..t...dX..........@.......`....`..............(I..T....................J..(....I..0............@..h............................text...[!.......".................. ..`.rdata...)...@...*...&..............@..@.data........p.......P..............@....pdata..`............T..............@..@.qtmetadu............X..............@..P.rsrc...@............Z..............@..@.reloc...............^..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qtiff.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	390128
Entropy (8bit):	5.724665470266677
Encrypted:	false
SSDEEP:	6144:V0jqHiFBaRe0GPAKwP15e7xrEEEEEEN024Rx/3tkYiHUASQbs/l7OanYoOgyV:0qqwP15bx/q7/yyV
MD5:	9C0ACF12D3D25384868DCD81C787F382
SHA1:	C6E877ABA3FB3D2F21D86BE300E753E23BB0B74E
SHA-256:	825174429CED6B3DAB18115DBC6C9DA07BF5248C86EC1BD5C0DCAECA93B4C22D
SHA-512:	45594FA3C5D7C4F26325927BB8D51B0B88E162E3F5E7B7F39A5D72437606383E9FDC8F83A77F814E45AFF254914514AE52C1D840A6C7B98767F362ED3F4FC5BD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................E....q............q......q......q......<.............<......<......<......<.)....<......Rich....................PE..d......_.........." .....(..........D-.......................................0............`.............................................t...4...........@........%........... ..(....d..T................... f..(....d..0............@..0............................text....&.......(.................. ..`.rdata...v...@...x...,..............@..@.data...(...........................@....pdata...%.......&..................@..@.qtmetad............................@..P.rsrc...@...........................@..@.reloc..(.... ......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qwbmp.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30192
Entropy (8bit):	5.938644231596902
Encrypted:	false
SSDEEP:	768:EfEM3S46JE2X/xBZ76pC5J6GdDGZUf2h4:63S3JE2PHZ76pC5J6GEUfn
MD5:	68919381E3C64E956D05863339F5C68C
SHA1:	CE0A2AD1F1A46B61CB298CEC5AA0B25FF2C12992
SHA-256:	0F05969FB926A62A338782B32446EA3E28E4BFBFFC0DBD25ED303FAB3404ABAC
SHA-512:	6222A3818157F6BCD793291A6C0380EF8C6B93ECEA2E0C9A767D9D9163461B541AFAF8C6B21C5A020F01C95C6EE9B2B74B358BA18DA120F520E87E24B20836AA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]...<.I.<.I.<.I.D%I.<.I.S.H.<.I.W.H.<.I.S.H.<.I.S.H.<.I.S.H.<.IYL.H.<.I.<.I.<.IYL.H.<.IYL.H.<.IYLII.<.IYL.H.<.IRich.<.I........PE..d......_.........." ..... ...8.......'....................................................`......................................... D..t....D..........@....p..T....Z...............6..T...................p8..(...@7..0............0..p............................text............ .................. ..`.rdata..d&...0...(...$..............@..@.data........`.......L..............@....pdata..T....p.......N..............@..@.qtmetad~............R..............@..P.rsrc...@............T..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qwebp.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	510448
Entropy (8bit):	6.605517748735854
Encrypted:	false
SSDEEP:	12288:bPTjgdqdsvh+LrLrLrL5/y4DVHAsqx3hXS+oPZQqRaYG:jT5sMLrLrLrL5q4dAsaOFo
MD5:	308E4565C3C5646F9ABD77885B07358E
SHA1:	71CB8047A9EF0CDB3EE27428726CACD063BB95B7
SHA-256:	6E37ACD0D357871F92B7FDE7206C904C734CAA02F94544DF646957DF8C4987AF
SHA-512:	FFAEECFAE097D5E9D1186522BD8D29C95CE48B87583624EB6D0D52BD19E36DB2860A557E19F0A05847458605A9A540C2A9899D53D36A6B7FD5BF0AD86AF88124
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................a....s........s......s......s....>.........>......>.....>....>......>....Rich...................PE..d......_.........." .....B..........tH.......................................0......`q....`..........................................W..t....W..........@.......0H........... ......h...T.......................(.......0............`...............................text...[@.......B.................. ..`.rdata..J....`.......F..............@..@.data....'...........X..............@....pdata..0H.......J...\..............@..@.qtmetadv...........................@..P.rsrc...@...........................@..@.reloc....... ......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\platforms\qminimal.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	844784
Entropy (8bit):	6.625808732261156
Encrypted:	false
SSDEEP:	12288:y6MhioHKQ1ra8HT+bkMY8zKI4kwU7dFOTTYfEWmTxbwTlWc:BMhioHKQp+bkjAjwGdFSZtbwBd
MD5:	2F6D88F8EC3047DEAF174002228219AB
SHA1:	EB7242BB0FE74EA78A17D39C76310A7CDD1603A8
SHA-256:	05D1E7364DD2A672DF3CA44DD6FD85BED3D3DC239DCFE29BFB464F10B4DAA628
SHA-512:	0A895BA11C81AF14B5BD1A04A450D6DCCA531063307C9EF076E9C47BD15F4438837C5D425CAEE2150F3259691F971D6EE61154748D06D29E4E77DA3110053B54
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#\..B2..B2..B2..:...B2..-3..B2.F....B2..-7..B2..-6..B2..-1..B2..)6..B2.^23..B2..)3..B2..B3.@2.^26..B2.^27..B2.^22..B2.^2...B2.^20..B2.Rich.B2.........PE..d...N._.........." ......................................................... ............`......................................... ...x.......@.......H....`..H.......................T.......................(.......0...............(............................text...;........................... ..`.rdata...C.......D..................@..@.data...H....@......."..............@....pdata..H....`.......0..............@..@.qtmetad............................@..P.rsrc...H...........................@..@.reloc..............................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\platforms\qoffscreen.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	754672
Entropy (8bit):	6.6323155845799695
Encrypted:	false
SSDEEP:	12288:/HpBmyVIRZ3Tck83vEgex5aebusGMIlhLfEWmpCJkl:/HpB63TckUcLaHMITAZmW
MD5:	6407499918557594916C6AB1FFEF1E99
SHA1:	5A57C6B3FFD51FC5688D5A28436AD2C2E70D3976
SHA-256:	54097626FAAE718A4BC8E436C85B4DED8F8FB7051B2B9563A29AEE4ED5C32B7B
SHA-512:	8E8ABB563A508E7E75241B9720A0E7AE9C1A59DD23788C74E4ED32A028721F56546792D6CCA326F3D6AA0A62FDEDC63BF41B8B74187215CD3B26439F40233F4D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m..T..KT..KT..K]t7K@..K.c.JV..K@g.JV..K.cKU..K.c.JA..K.c.J\..K.c.JP..K.\|.JQ..KT..K...K.\|.Js..K.\|.JS..K.\|.JU..K.\|[KU..K.\|.JU..KRichT..K........PE..d...R._.........." ................L.....................................................`.............................................x...8...........H....... s...h..........p.......T................... ...(.......0...............@............................text............................... ..`.rdata..............................@..@.data...............................@....pdata.. s.......t..................@..@.qtmetad.............T..............@..P.rsrc...H............V..............@..@.reloc..p............Z..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\platforms\qwebgl.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	482288
Entropy (8bit):	6.152380961313931
Encrypted:	false
SSDEEP:	6144:WO/vyK+DtyaHlIMDhg5WEOvAwKB2VaaHeqRw/yVfYu4UnCA6DEjeYchcD+1Zy2:bKtHOWg5OvAwK0NYu4AShcD+1U2
MD5:	1EDCB08C16D30516483A4CBB7D81E062
SHA1:	4760915F1B90194760100304B8469A3B2E97E2BC
SHA-256:	9C3B2FA2383EEED92BB5810BDCF893AE30FA654A30B453AB2E49A95E1CCF1631
SHA-512:	0A923495210B2DC6EB1ACEDAF76D57B07D72D56108FD718BD0368D2C2E78AE7AC848B90D90C8393320A3D800A38E87796965AFD84DA8C1DF6C6B244D533F0F39
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........gM..#...#...#..~....#.ei&...#.ei'...#.ei ...#..m'...#.ei"...#.(v"...#..m"...#..."...#.(v&...#.(v#...#.(v...#.(v!...#.Rich..#.................PE..d......_.........." .....R...........;....................................................`..........................................m..t...Dn..T.......@....@...=...@..............0...T.......................(.......0............p..(............................text...{Q.......R.................. ..`.rdata..:....p.......V..............@..@.data...H....0......................@....pdata...=...@...>..................@..@.qtmetadz............2..............@..P.rsrc...@............4..............@..@.reloc...............8..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\platforms\qwindows.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1477104
Entropy (8bit):	6.575113537540671
Encrypted:	false
SSDEEP:	24576:4mCSPJrAbXEEuV9Hw2SoYFo3HdxjEgqJkLdLu5qpmZuhg/A2b:nPlIEEuV9Hw2SFFWHdWZsdmqja/A2b
MD5:	4931FCD0E86C4D4F83128DC74E01EAAD
SHA1:	AC1D0242D36896D4DDA53B95812F11692E87D8DF
SHA-256:	3333BA244C97264E3BD19DB5953EFA80A6E47AACED9D337AC3287EC718162B85
SHA-512:	0396BCCDA43856950AFE4E7B16E0F95D4D48B87473DC90CF029E6DDFD0777E1192C307CFE424EAE6FB61C1B479F0BA1EF1E4269A69C843311A37252CF817D84D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......i...-...-...-...$.%.9.....q.,......8......%......)......+...9......9..,......)..........9..8...-..........d......,.....I.,......,...Rich-...........PE..d....._.........." .....,...h......4+..............................................n.....`.............................................x...(...........H............n..........X....r..T...................Pt..(... s..0............@...5...........................text..._+.......,.................. ..`.rdata.......@.......0..............@..@.data....m...@...D...(..............@....pdata...............l..............@..@.qtmetad.............J..............@..P.rsrc...H............L..............@..@.reloc..X............P..............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	68592
Entropy (8bit):	6.125954940500008
Encrypted:	false
SSDEEP:	1536:Nt4B1RLj3S6TtH2sweUH+Hz6/4+D6VFsfvUfO:AB1RHFdoeUs6/4O6VFSZ
MD5:	F66F6E9EDA956F72E3BB113407035E61
SHA1:	97328524DA8E82F5F92878F1C0421B38ECEC1E6C
SHA-256:	E23FBC1BEC6CEEDFA9FD305606A460D9CAC5D43A66D19C0DE36E27632FDDD952
SHA-512:	7FF76E83C8D82016AB6BD349F10405F30DEEBE97E8347C6762EB71A40009F9A2978A0D8D0C054CF7A3D2D377563F6A21B97DDEFD50A9AC932D43CC124D7C4918
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+...o...o...o...f...k......m...{..m......~......h......m......h...o..........k......n.....~.n......n...Richo...........................PE..d...V._.........." .....z...t......T........................................@.......b....`......................................... ................ ..X....................0..4.......T.......................(...p...0...............x............................text....y.......z.................. ..`.rdata...Z.......\...~..............@..@.data...............................@....pdata..............................@..@.qtmetad............................@..P.rsrc...X.... ......................@..@.reloc..4....0......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	144368
Entropy (8bit):	6.294675868932723
Encrypted:	false
SSDEEP:	3072:rrjwZ43rCOtrBk7wcR0l7wBlaL6BtIEt51T0Nhkqg8FoQY:7hZu9R0l7wFBtIEt51T0Nuqg8JY
MD5:	53A85F51054B7D58D8AD7C36975ACB96
SHA1:	893A757CA01472A96FB913D436AA9F8CFB2A297F
SHA-256:	D9B21182952682FE7BA63AF1DF24E23ACE592C35B3F31ECEEF9F0EABEB5881B9
SHA-512:	35957964213B41F1F21B860B03458404FBF11DAF03D102FBEA8C2B2F249050CEFBB348EDC3F22D8ECC3CB8ABFDC44215C2DC9DA029B4F93A7F40197BD0C16960
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......R._...1]..1]..1]..]..1]..0\..1]..5\..1]..2\..1]..4\..1]..0\..1]..0\..1]..0]..1]..4\..1]..1\..1]...]..1]..3\..1]Rich..1]........................PE..d...`._.........." .....\...........`.......................................`......wJ....`................................................. ........@..X.... ...............P.........T...................`...(...0...0............p...............................text....Z.......\.................. ..`.rdata......p.......`..............@..@.data...............................@....pdata....... ......................@..@.qtmetadm....0......................@..P.rsrc...X....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_ar.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	130
Entropy (8bit):	4.024232093209084
Encrypted:	false
SSDEEP:	3:j2wZC4C/2/vlAlHekW3/S1MUe3/CLlI+rwtbWlMrNtYs8ar/u:Cwm+/PtUePCRIRt6Ygs8y/u
MD5:	8FF05B56C0995F90A80B7064AA6E915C
SHA1:	D5AEB09AE557CEEFB758972EC4AC624CDDC9E6A7
SHA-256:	A8A1B0D6F958E7366D1C856BE61000106D3E7FC993FB931675369892B9002D0B
SHA-512:	5374E0F1D3F5A6A456B00732DE8005787B17ECEF9C8A2B2C1228966A6A8DE211700334D8FD789DAD269F52D0AEED3F5160010CA60909861E270C253B3EA881A4
Malicious:	false
Preview:	<.d....!..`.......ar....R.....q.t.b.a.s.e._.a.r.....q.t.s.c.r.i.p.t._.a.r.....q.t.m.u.l.t.i.m.e.d.i.a._.a.r..............$...*.

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_bg.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.6813848812976975
Encrypted:	false
SSDEEP:	3:j2wZC4C/6lLlAlHekVYtzlY1MUdI7lULlI+rwtbWlMoIFl8IPldkO4t/z:CwDC+7tJjUWhURIRt68f8oiP1z
MD5:	466EED6C184D2055488D4C5EA9AE5F20
SHA1:	8599AB9B731BFC84F6EEC7A0129F396FB8FEC4EA
SHA-256:	9E1CE4D91852352043D9191F1A992838F919CBA7E2F2D9BB1161E494E8BF5F5E
SHA-512:	D2462951EC7DCE3D0851AE9C4ED644FFE0D2A5BDD15B4AE1A4295C187B4295BC854D6A5038DAC0564D165463419D615EB6CE7A9760CEFAD71AB673FB2109C349
Malicious:	false
Preview:	<.d....!..`.......bg....v.....q.t.b.a.s.e._.b.g.....q.t.s.c.r.i.p.t._.b.g.....q.t.m.u.l.t.i.m.e.d.i.a._.b.g... .q.t.x.m.l.p.a.t.t.e.r.n.s._.b.g.......

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_ca.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.631479835393124
Encrypted:	false
SSDEEP:	3:j2wZC4C/NVl/lAlHekUOplY1MUce/hlAlI+rwtbWlMpOflUlIPldkOHlz:CwO4+94jUcerAIRt6a6Uloi8
MD5:	6FBA66FE449866B478A2EBA66A724A02
SHA1:	EBEF6ED8460218CE8DF735659A8CBCD693600AC6
SHA-256:	171C7424B24D8502AB53CB3784FF34D8FCFAE26557CF8AF4DFDDEC6485ACC2FE
SHA-512:	2D2438738C6D10D8A53B46DE5A94BBF993818D080F344D9F1B94FC83D60335D9A5E8EFCC297D593FFF1D427972F9F9502FC31C332CAEA579FC7A88487390457E
Malicious:	false
Preview:	<.d....!..`.......ca....v.....q.t.b.a.s.e._.c.a.....q.t.s.c.r.i.p.t._.c.a.....q.t.m.u.l.t.i.m.e.d.i.a._.c.a... .q.t.x.m.l.p.a.t.t.e.r.n.s._.c.a.......

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_cs.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	157
Entropy (8bit):	3.7483537099309427
Encrypted:	false
SSDEEP:	3:j2wZC4C/fVFlAlHekUsplY1MUcM/hlULlI+rwtbWlMpsfl8IPldkO1lPchn:CwY4+9ujUcMrURIRt6aE8oinh
MD5:	D033053C03C3ECFA2AA926E0E674F67F
SHA1:	B4E95F8278121E2549F8BB6B5DAF1496F1738A7D
SHA-256:	3C0CBFD19490D67D1B3B9E944C3A4D9A9E7F87D7AE35E88D5D5A0077349B5B21
SHA-512:	2C7E9E9DBE0B25FBA94A52FE4BCCB1D9FED2A7BD2877DB91F82546C3BC8606280949594227BA0FC1C74C31010E1F573B3A82852BE746EAA4F397140485789136
Malicious:	false
Preview:	<.d....!..`.......cs....v.....q.t.b.a.s.e._.c.s.....q.t.s.c.r.i.p.t._.c.s.....q.t.m.u.l.t.i.m.e.d.i.a._.c.s... .q.t.x.m.l.p.a.t.t.e.r.n.s._.c.s...........

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_da.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.6174817344122334
Encrypted:	false
SSDEEP:	3:j2wZC4C/4Jlr/lAlHekT6hY1MUb6JAlI+rwtbWlMuel3UlIPldkOQtt:Cw7rC+3jUkAIRt6EVUloi9
MD5:	E6A683F4A0883B5B0C7D30B847EF208C
SHA1:	FF2440DBBFE04AD86C6F285426AAFD49A895B128
SHA-256:	B5036161CE808C728E5FDA985F792DB565831FD01CF00B282547790C037353A2
SHA-512:	D73B794A71DFD3A3C06BF43ED109F635B4960F9A3904FB728873AB5251BDF6A791DDFDEBA884A2703A35461E18BA902804095AC4B92A2C9361526469B6D35FFA
Malicious:	false
Preview:	<.d....!..`.......da....v.....q.t.b.a.s.e._.d.a.....q.t.s.c.r.i.p.t._.d.a.....q.t.m.u.l.t.i.m.e.d.i.a._.d.a... .q.t.x.m.l.p.a.t.t.e.r.n.s._.d.a.......

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_de.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.6174817344122334
Encrypted:	false
SSDEEP:	3:j2wZC4C/8rJFlAlHekTul01MUbul4LlI+rwtbWlMuallyIPldkOknt:Cw/rJ4+XU5RIRt6Aaoi7t
MD5:	06168E1261BF72F49F94927723B2E1EB
SHA1:	DEAF1B53C3FEE6CB28840418D0060AFA4D59D3FC
SHA-256:	5805B8FF3747849794E2D70661D737C69C15F1AE763C38E17084B1E5A81E9153
SHA-512:	AA3915C029C74DC270514C7F50E8BEC06C825F278E0DE0477AD8ED3187700BBD7711382A6E47C3AC76AC756CEFF9FA8CDD4E9B9DAC817475BC122F78B02C7D7D
Malicious:	false
Preview:	<.d....!..`.......de....v.....q.t.b.a.s.e._.d.e.....q.t.s.c.r.i.p.t._.d.e.....q.t.m.u.l.t.i.m.e.d.i.a._.d.e... .q.t.x.m.l.p.a.t.t.e.r.n.s._.d.e.......

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_en.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	16
Entropy (8bit):	4.0
Encrypted:	false
SSDEEP:	3:j2wZC4n:CwZ
MD5:	BCEBCF42735C6849BDECBB77451021DD
SHA1:	4884FD9AF6890647B7AF1AEFA57F38CCA49AD899
SHA-256:	9959B510B15D18937848AD13007E30459D2E993C67E564BADBFC18F935695C85
SHA-512:	F951B511FFB1A6B94B1BCAE9DF26B41B2FF829560583D7C83E70279D1B5304BDE299B3679D863CAD6BB79D0BEDA524FC195B7F054ECF11D2090037526B451B78
Malicious:	false
Preview:	<.d....!..`...

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_es.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.6070658648473097
Encrypted:	false
SSDEEP:	3:j2wZC4C/7lJFlAlHekSMthULlI+rwtbWlMvEJY1MUaEf8IPldkOzvt:CwElJ4+7MrURIRt6cujUaE8oi0F
MD5:	EE47DFADBA4414FDC051C5CFBE71DDC1
SHA1:	DE650E96A9C130D35F8A498202773EF7FC875D27
SHA-256:	E25E43F046F61022FFE871A2F73C6A12EDFC5C3EFD958C0E019A721860A053B0
SHA-512:	8C1D8901D2F66CCBF947B831858E08B703517470B2B813B241E00162A275AC9103FF5B9251AD39BD53551E0A4FB45EE74187B218A1EF7C6CF6C5FA9F9219AE04
Malicious:	false
Preview:	<.d....!..`.......es....v.....q.t.b.a.s.e._.e.s.....q.t.m.u.l.t.i.m.e.d.i.a._.e.s.....q.t.s.c.r.i.p.t._.e.s... .q.t.x.m.l.p.a.t.t.e.r.n.s._.e.s.......

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_fa.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	293121
Entropy (8bit):	5.272179385890926
Encrypted:	false
SSDEEP:	3072:gEo2cQbzaVmvGQYkHkMRKkNeGr+0BhaRsLAChY21rpnLqL9ytnvC58gypn4l4qF:gEZbza0HjeGrxBhaCLFC
MD5:	F9C3624197ACB30A9E6CC799BB65BED6
SHA1:	D715EAE24387DE15588F68C92991A93FAFB5EEAB
SHA-256:	B292AFB0763B8C7C30A5AF7372BFC12D8A0D00BF3DD4A000715D9F576D9C1A39
SHA-512:	199C107AE7EAFCF2A5EEC149CAFEE7ED09B938E204B56AD3AAC9568D27166F61EC8E2225A11AF26F7E1F035FB5CAD98621A01E8A9942D18C273F43B90201162A
Malicious:	false
Preview:	<.d....!..`.......faB..I....*...u...+...............@.......A...J...B.......C...X...D.......E.......F...%...G.......H...0...I.......P...v...Q.......R.......S.......T..."...U.......V...h...W.......X...s...Y.......]..e....t...................-.......W.......\|.......i...;..Eu...;..Z....;...]...;..c....;.......;..0]...M..f....O.......O..2.......#....}..f=...m..fg.........(5......+;..1a..+;...V..+;...!..+O..17..+O...(..1.......E@......F....u..H4......HY...Y..H....S..I....5..I@.....IA......IC......J...1...J.......J.......J...\|...K...6...LD......L.......PS......R....Z..T.......Zr.. ...[`...O..[`......\...%@..\...2..._...&l.._...38..1........E..........2u..........1.......1...........@......4G...........................$...L...$..xY...[.......,...u...y...y...y..z.......F.......<.......g.......5W...........9...........f...E...U...E../....E..................0-...%..6....%.........................3......f..........5...?...0..EK...0......0..L ...0..c....0.......0...Z...5...........Y.. D

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_fi.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	117
Entropy (8bit):	3.739162292019161
Encrypted:	false
SSDEEP:	3:j2wZC4C/4HlAlHekRgOp1MUZWJKlI+rwtbWlMsIkk:Cwxe++IUocIRt6Qkk
MD5:	72882942B07B8AAC98034016E752B1A0
SHA1:	BF23B4C136B863B10E770019A2DF62FC988859DF
SHA-256:	048CA42DCE4FAF5FC21D843576E3C6FD963146ECC78554E7E5F34D07F64FB213
SHA-512:	403E7F4E9A0E44F2118804F0781A18EB1852797825498751E3AFA02D9558D90293ABDB570786CED80F7EFF800BEF6D9444A72E6A640D331DA46B2A0EA43C8E96
Malicious:	false
Preview:	<.d....!..`.......fi....R.....q.t.b.a.s.e._.f.i.....q.t.s.c.r.i.p.t._.f.i.....q.t.m.u.l.t.i.m.e.d.i.a._.f.i.......

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_fr.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.680458675741643
Encrypted:	false
SSDEEP:	3:j2wZC4C/FjlAlHekRL21MUZNJOLlI+rwtbWlMs9KIPldkORT:Cw3+SU0RIRt6koio
MD5:	3C45C665CFE036A7474CB4DCBB13CF40
SHA1:	62312DFF3C4CD38BAE8456C981601D0D89600F63
SHA-256:	8624033D849E670B12C9532337FCBF260F20848E044FEE7787CFE2AC92BE28DB
SHA-512:	21659AA452BC2493D915F0BE94F90CDD57759B1F1306AAA2836058D41E80DED24742EBD74E19420021514A6AB4150CA0B447574E96B9D3BF0BC5A8C78DAAF7AC
Malicious:	false
Preview:	<.d....!..`.......fr....v.....q.t.b.a.s.e._.f.r.....q.t.s.c.r.i.p.t._.f.r.....q.t.m.u.l.t.i.m.e.d.i.a._.f.r... .q.t.x.m.l.p.a.t.t.e.r.n.s._.f.r.......

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_gd.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	70
Entropy (8bit):	4.463523104731333
Encrypted:	false
SSDEEP:	3:j2wZC4C/EXlAlHekQrEuknbJB:CwjO+5JY
MD5:	A8D55457C0413893F746D40B637F9C93
SHA1:	25123615482947772176E055E4A74043B2FBCAA0
SHA-256:	49DF855A004A17950338AF3146466F6DF4D5852410BD0B58EA80E0D0203A9D24
SHA-512:	99718B948D94B292BDEDF6B247A5856BC7AC78408FCC41C980F264C2C8565125786F0289F5F993DCF11B8CDA3AFB2A1D8634B1D0BC9B34992F538F8E4086EC00
Malicious:	false
Preview:	<.d....!..`.......gd..........q.t.b.a.s.e._.g.d....................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_gl.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	323590
Entropy (8bit):	4.568068046062524
Encrypted:	false
SSDEEP:	3072:OYSG8zxWSDjq73Pf6FT1f4uh50QGrRfFD54YyUY0Ou4/tnra3Z0uYhB5YHfHRRn2:O39WSD3TMQGrxFD5EUVQ
MD5:	0661FFABFBC50187F3BA38876B721946
SHA1:	EB5E7205355CFC6BCB4DF27E224079842C97B296
SHA-256:	204A01AC7DEB6B5BAE193AFECBD1E50D18C73BF7D94BADEB2BBFDF6123C4ED93
SHA-512:	65AB66CC54D65E7678FA731A5C5F2CC9D6FC217B91AD47D538440811E09A23E49CD95CE62A79E3E8C275E250AC1A0B54BD289F6DD067573876DA7AFF54381D02
Malicious:	false
Preview:	<.d....!..`.......gl_ESB..I...........+..&............@.......A...z...B.......C...p...D.......E......F...!...G......H.......I......P...@...Q.......R......S...5...T......U...+...V.......W...a...X.......Y...N...]..o....t..,................F.......p..............4....;..LI...;..bD...;.......;.......;.......;..cJ...M..o1...O..G....O..e.......U....}..oY...m..o........D..(5...X..+;..6/..+;...~..+;......+O..6...+O...N..1......E@...?..F.......H4..'...HY......H...3`..I......I@......IA......IC..0...J...P...J...1...J...0...J.......K...:...LD..2...L...3...PS..:A..R... d..T.......Zr..Rd..[`......[`.....\...WK..\...RR.._...X..._...f...1........E...{......7M..........1.......1....q......O.......9......................)....$... ...$.......[..,=...,..-....y..0X...y...~......Mx......]0.......H......:A......0....9...............E...o...E..b....E.........1.......c....%..;....%...;......3.......^......S................5..4Z...0..L....0.......0..n....0.......0..7....0.......5..9D......!g.

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_he.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	83
Entropy (8bit):	3.880645689209568
Encrypted:	false
SSDEEP:	3:j2wZC4C/YJ/dQlHekfaB21MUXmlvt:CwT0+D/UUt
MD5:	DD5C2C6B148F2DB3E666B859776AE129
SHA1:	8368F32039CC0776A1B95C9DED5FE6C9EA0D93FD
SHA-256:	C113D14E218D5402B616DABEA27969C6F83852676468C5EF051DDDEFB3EE0235
SHA-512:	2EAE33C8707407E083F6B8B05EA2C5B987646DF1553888C16D6508C5A33B2F758DDED73323622CD50324C96F51D61B7CE822F393551A30B211ABD3CC1367249F
Malicious:	false
Preview:	<.d....!..`.......he....0.....q.t.b.a.s.e._.h.e.....q.t.s.c.r.i.p.t._.h.e.......

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_help_ar.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	8743
Entropy (8bit):	5.189558605179696
Encrypted:	false
SSDEEP:	192:YUM7gBwnG4Vxj4nyn9aAMOJckrL6esm/0sQ5HeK1nvEB:YBkKnZxkyn9aAMWPsm/0sQsGvEB
MD5:	CCD39A7C8139AD041E31B3E5D40968B4
SHA1:	5751BE96817BB6AE7C9DA9F1FBA7F42F31CFCC5D
SHA-256:	222088C9752D1CC3BAB985EF2DC77E5AE78578DCE18A61EC15B39F02E588163D
SHA-512:	9844C0EC65EE1C76DBA021EAC6D476A85E6C8F5BBAF4150C1EA80C0A95BEDE67B5E8F981360EF8599FCECDFCBCB83BC0B8AC44DDEFDCD85F914318030E346967
Malicious:	false
Preview:	<.d....!..`.......arB.....(.....d.0T.....5w......Uj....!.`.....M.a[............n..t..............39....&................B<s...V..M^...e......4.O5^...r..)^......o>...........?...t.....D ......k.N.....k.N...C...n...T...I...R..........2>.................\|..G.......w....T.......l..........,................^............$a......6.>...........x..K......W.b....._Xn......GN...m..~......!.....J.K.H.............pN.............P.~.....o.....W..(.......~......s.>......%c.....o.....R.z.q..........................n.h................e.....i..........:.J.1. .E.3.E.Q.I..........Untitled.....QHelp.....8..9.0.Q.1. .F.3... .E.D.A.Q. .'.D..Q.,.E.J.9.).:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler........9.0.Q.1. .%.F.4.'.!. .'.D./.Q.D.J.D.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....>..9.0.Q.1. .%.F.4.'.!. .,./.'.H.D. .A.J. .'.D.E.D.A.Q. .%.1........... Cannot create tables in file %1......QHelpCollectionHandler.....L..9.0.Q.1. .*.

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_help_bg.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10599
Entropy (8bit):	5.192287379770591
Encrypted:	false
SSDEEP:	192:jhYkcd7CYBdmfIOeX3byuJRoZXlBYnEpUYR+BJqO5X9pA2NNrxC0zwRK2nMY762A:a71DQIrLuVCnEtR+DquhN5xC0zwKPYHA
MD5:	5538049DA3A1D1D724AB6E11D2E2EDBE
SHA1:	7256BE390B88A053C0252488C443BE42F6F2D92A
SHA-256:	CBCDD1E0BBAE332D80DDB0A286056F17C824FA28D353D7FDF12FC97D9F6FE054
SHA-512:	DD98CAF3A016968EEDC9106C1839DDECC2D109E9E354708BD74B35E766C6A098C1680C0B867EAD9FCE2E2A6D683BE673B8E5DF1A1B2F1AAFDB31910FF833370F
Malicious:	false
Preview:	<.d....!..`.......bgB...(.(.......0T......5w... S.Uj......`.......a[....(..........t..............39..........&..........B<s...4..M^..........q...J..%..O5^...O..)^...I..o>...I...J..%.......#....t...A.8dz..$..D ....Z.k.N...<.k.N.......n.......I..............2>...p................G..."...w....................7..,................^............$a....<.6.>..........#...K...........$1.W.b....._Xn......GN...*..~....-..TH.."..!.....5.K.H..#R.........pN..."......&..P.~...@.o.....v..(.........."8..~......s.>.....o.... ..z.q..........................O.h....!t..........e....mi..'.....\|.(...@.8.G.8.=.0.B.0. .<.>.6.5. .4.0. .5.,. .G.5. .4.>.:.C.<.5.=.B.0.F.8.O.B.0. .2.A.5. .>.I.5. .A.5. .8.=.4.5.:.A.8.@.0...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.........0.1.5.;.5.6.:.0.:..........Note:.....QCLuceneResultWidget.....,. .5.7.C.;.B.0.B.8. .>.B. .B.J.@.A.5.=.5.B.>..........Search Results.....QCLuceneResultWidget....... .

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_help_ca.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	7444
Entropy (8bit):	4.580794980254807
Encrypted:	false
SSDEEP:	192:G8oS34B7n303D37Bn3Jso37cfp3Mg3H373R58noct36R9RFu:GQU7ETrxZvqTXLSoct36Pzu
MD5:	66722ED97BCBFD3DAE3C8264413859AB
SHA1:	400A93B213FCF9BBC9785881EA82ADB9F444CD6C
SHA-256:	ECD4283A660F2CF72849B323810D7EADD063120B6F561E05AA1243A5B280946A
SHA-512:	B898BAC9652D7532384ED5CC53FA62DB55D516421D13F815A3E6D5E80AD4C69555F1A7E6C51F8B0A234614824EEE01D6731458F90D40A585990F84A58B9ABE44
Malicious:	false
Preview:	<.d....!..`.......caB............%.......0T......K:^.....Uj......`.....P..YJ...V.E.4...*...........>...7........B<s.....B\>...6........+.s.....zq.......9.......vR......@.......@.......:....;.8Z....!.g.N......F................t.....D ....z.k.N.......I......^......`#.......2.......G........N...7......N......{..................K...............GN......NO...5.........K.H...@.........pN......V............q..................>...N.........~.....5..%c...:.z.q....i...4....".A.f.e.g.e.i.x. .u.n. .f.i.l.t.r.e..........Add Filter.....FilterNameDialogClass.......N.o.m. .d.e.l. .f.i.l.t.r.e.:..........Filter Name:.....FilterNameDialogClass.......S.e.n.s.e. .t...t.o.l..........Untitled.....QHelp.....`.N.o. .s.'.h.a. .p.o.g.u.t. .c.o.p.i.a.r. .e.l. .f.i.t.x.e.r. .d.e. .c.o.l...l.e.c.c.i...:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....H.N.o. .s.'.h.a. .p.o.g.u.t. .c.r.e.a.r. .e.l. .d.i.r.e.c.t.o.r.i.:. .%.1..........Cannot create directory: %1.....QHelpCollect

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_help_cs.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	15297
Entropy (8bit):	4.708378368926237
Encrypted:	false
SSDEEP:	384:hmv1gdEYEiNrVhTBvAn1ca1f5lwHoJr0vwuxqsP/5jxA:o1gdEvgbloCof9ixqspW
MD5:	ED228F0F60AE9AEC28AB9171D5AE9590
SHA1:	7F061CF0C699D125A5531E3480C21964452F45EA
SHA-256:	4AC56FC63E400943BAB13F1D4C418502138908E1D488C24AEE6131D3D17552AA
SHA-512:	794CC671C08BFC50980820A6389B9D0D3514619AD0A8F18EFD5554CBBF2482192DF00B9D3B05FEE45F42276E63E2375FB28E193930D426245035B4B0E3E14ED8
Malicious:	false
Preview:	<.d....!..`.......cs_CZB...H.(.......(.......0T......0T......5w...0..Uj......`.......a[......a[....$.......p..........t.......t...........!..1"....T.39....T.39.......s...0......(......7/.................B<s...L..MQ......M^../q..........J..6@.0....B.O5Q..'..O5^..(A..)Q...X..)^......o>..........+....J..6.......4....t.....8dz..5..D ....R.D ......k.A.....k.A.....k.N.....k.N.......n.."....I..........................2...21......2>..........d.............T..G...4...w...!N......&O......&....!..".......#E..,...,.......)....Q..$/...^..$................$a......6.>.. t......5...K.......K....)......5E.W.b..-.._Xa..%a._Xn..%...GA......GN...?......,9..~.......TH..3..!......K.H..4h.........pA...J..pN..........7..P.~.. ..o.....0..(....*..(..........3V..~....T.s.1.....s.>..._.o....0..o....1p.z.q..........'9.....#........^.........h....2................Z..e... .i..8J......(.D.o.v.o.d.e.m. .p.r.o. .t.o. .b.y. .m.o.h.l.o. .b...t.,. .~.e. .d.o.k.u.m.e.n.t.a.c.e. .j.e. .s.t...l.e. .j.e.a.t...

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_help_da.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	4795
Entropy (8bit):	4.530246422531362
Encrypted:	false
SSDEEP:	96:X82wNlnKfN1LMFy7LsF3ZqBFZjWo0koBLqBXXjGL0qU7UqB7zoElmP5MUu4DZIHU:XM01f7eOnoB8X2s7Vfg5Mi4beXiOUu
MD5:	1D09BEE1FB55A173F7EB39B9A662A170
SHA1:	C77F0A148262A91679F19689E4790B754D45D5D5
SHA-256:	6BB092552A398687119F6D52145F04BF8373977446D8F00C0DCBD56B96829F0F
SHA-512:	BE5A31A6135E8DB024A8B0EB20C4D8EECBF76861F83FF83B4CA97327DB74AD94BB5D77B4E0A59A33B697C32A4EACD61B8C878951F2C545385C74D99FCE56FEE1
Malicious:	false
Preview:	<.d....!..`.......daB.....%.....m.0T......Uj....V.`....................k.B<s.....B\>..........6.+.s...............t.....D ....\|.k.N...9...I...O..2.......G....B...N...O..............!..K...._..........GN...........@.K.H.............pN..............>.....~.....m..%c.....z.q....i..........U.n.a.v.n.g.i.v.e.t..........Untitled.....QHelp.....D.K.a.n. .i.k.k.e. .k.o.p.i.e.r.e. .s.a.m.l.i.n.g.s.f.i.l.e.n.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....6.K.a.n. .i.k.k.e. .o.p.r.e.t.t.e. .m.a.p.p.e.n.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....V.K.a.n. .i.k.k.e. .o.p.r.e.t.t.e. .i.n.d.e.k.s.t.a.b.e.l.l.e.r. .i. .f.i.l.e.n. .%.1...........&Cannot create index tables in file %1......QHelpCollectionHandler.....J.K.a.n. .i.k.k.e. .o.p.r.e.t.t.e. .t.a.b.e.l.l.e.r. .i. .f.i.l.e.n. .%.1........... Cannot create tables in file %1......QHelpCollectionHandler.....P.K.a.n. .i.k.k.e. .i.n.d.l...s.e. .s.q.l.i.t.e.-.d.a.t.a.b.a.s.e.-.d.r

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_help_de.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	7570
Entropy (8bit):	4.550982634910665
Encrypted:	false
SSDEEP:	96:8y/gPmmhL/7LlSivP6kBL7jb0RNUzzpld4UGG3Ik18fLP0L7fGc0OeVP8a8hiAwj:1OD7hx/Bv3oNuFX4iqgv34fZsu
MD5:	3B070D169E3381E2FB081172934AAD00
SHA1:	70886EB7EF566B296D0814BD4C2440AC176699D6
SHA-256:	9962523FBAE9F1E4C3B5C3C16860D059291CB30DC5EBE5A5EDA4C836A03FED1E
SHA-512:	271B730B5A7358E923BBBC6FA074A72DA52FA47E3B7726779EF7034200EDA09BF0E1AE4E7B11B59F76805F48DC285F6EFC245EB9C7F4A748BE82B25CEE1DDCAE
Malicious:	false
Preview:	<.d....!..`.......deB..........B.%.....5.0T......K:^.....Uj....?.`.....f..YJ...V.E.4...............>............B<s...z.B\>...\........+.s...Q.zq....C..9....4..vR...B..@.......@.......:......8Z......g.N......F....>...........t.....D ......k.N.......I......^....\|.`#....I..2....<..G....^...N.........................;..........K....y..........GN......NO...........,.K.H.............pN......V...................."..........>.............~........%c.....z.q....i........".F.i.l.t.e.r. .h.i.n.z.u.f...g.e.n..........Add Filter.....FilterNameDialogClass.....".N.a.m.e. .d.e.s. .F.i.l.t.e.r.s.:..........Filter Name:.....FilterNameDialogClass.......O.h.n.e. .T.i.t.e.l..........Untitled.....QHelp.....\.D.i.e. .K.a.t.a.l.o.g.d.a.t.e.i. .k.a.n.n. .n.i.c.h.t. .k.o.p.i.e.r.t. .w.e.r.d.e.n.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....\.D.a.s. .V.e.r.z.e.i.c.h.n.i.s. .k.a.n.n. .n.i.c.h.t. .a.n.g.e.l.e.g.t. .w.e.r.d.e.n.:. .%.1..........Cannot create directory: %

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_help_en.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	16
Entropy (8bit):	4.0
Encrypted:	false
SSDEEP:	3:j2wZC4n:CwZ
MD5:	BCEBCF42735C6849BDECBB77451021DD
SHA1:	4884FD9AF6890647B7AF1AEFA57F38CCA49AD899
SHA-256:	9959B510B15D18937848AD13007E30459D2E993C67E564BADBFC18F935695C85
SHA-512:	F951B511FFB1A6B94B1BCAE9DF26B41B2FF829560583D7C83E70279D1B5304BDE299B3679D863CAD6BB79D0BEDA524FC195B7F054ECF11D2090037526B451B78
Malicious:	false
Preview:	<.d....!..`...

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_help_es.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10704
Entropy (8bit):	4.481291573289571
Encrypted:	false
SSDEEP:	192:q9J9j7e4BQhD0h61nnKz+DJF/45ojDU9V1Wa/rmtIBMH:Wp64ShDnnKz+FhjQpWa/ytoMH
MD5:	9EDF433AB9EE5FC7CF7782370150B26A
SHA1:	A918AE15A0DF187C7789BE8599A80E279F039964
SHA-256:	FD16B279F8CF69077F75E94D90C9C07A2AFFF3948A579E3789F5FFB5E5F4202D
SHA-512:	88245F6FBAAF603A03D7EA2341411AE040791D47C9FF110C6D6CDD8165F0A8BA7A4A0DA5CD543BBE95A4E93FE3A81E95B3664E00C11791FBCB4923E3A80ABC60
Malicious:	false
Preview:	<.d....!..`.......es_ESB...(.(.....7.0T..../.5w... C.Uj......`.......a[....0..........t..............39..........&e.........B<s...D..M^..............J..%p.O5^...I..)^...1..o>.......J..%.......#....t.....8dz..$..D ......k.N.....k.N.......n.......I..............2>....................G...#...w............!.......%..,................^............$a......6.>..........#...K...........$C.W.b....._Xn......GN...\|..~.......TH.."..!.....5.K.H..#f.........pN...j......'..P.~... .o........(....>....."<..~....c.s.>.....o.... ..z.q..........................u.h....!p.......*..e....Qi..'}......(.L.a. .r.a.z...n. .d.e. .e.s.t.o. .p.u.e.d.e. .s.e.r. .q.u.e. .l.a. .d.o.c.u.m.e.n.t.a.c.i...n. .a...n. .e.s.t... .s.i.e.n.d.o. .i.n.d.e.x.a.d.a...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......N.o.t.a.:..........Note:.....QCLuceneResultWidget.....2.R.e.s.u.l.t.a.d.o.s. .d.e. .l.a. .B...s.q.u.e.d.a..........Search Results.....QCLu

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_help_fr.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10922
Entropy (8bit):	4.459946393010639
Encrypted:	false
SSDEEP:	192:w4BIn67/WsmoB3r6M/eYlSbyE7DnvE7pcn9nPJZe7nOFovzcNn7Uhmio+2/p53I/:w4N19fq3n2c9Bucuhmi52/X3Qpam
MD5:	D520C7F85CC06C66715A2B6622BF0687
SHA1:	47292D068172FBC9DC0D9BE2F479E890A37CE138
SHA-256:	687E351C062F688AAFF6CF05218D6017B80B1A1B4238D1D30250A55EE41C5FED
SHA-512:	736B50BB64751B127300BCAFE88888A9D9A2081CBF934EDCFFEF6CEF0575505AFDF714273A97671ABB598AE3D23C8E55F7DCD632FB0AA219ED5F763768576E04
Malicious:	false
Preview:	<.d....!..`.......fr_FRB...(.(.....y.0T....K.5w...!1.Uj....*.`.......a[............5..t..............39....m.....'W.......S.B<s...d..M^.. ...........J..&`.O5^...+..)^......o>.......J..&.......$....t.....8dz..%..D ......k.N.....k.N...D...n.......I...........c..2>..........M.........G...$...w....K..................,................^............$a......6.>...c......$...K....'......%M.W.b....._Xn...j..GN......~.......TH..#..!.......K.H..$Z......,..pN..........'..P.~.....o........(....h.....#4..~......s.>...M.o....!..z.q...........p......L.........h...."^.......b..e.....i..(W......(.I.l. .e.s.t. .p.o.s.s.i.b.l.e. .q.u.e. .c.e.l.a. .s.o.i.t. .d... .a.u. .f.a.i.t. .q.u.e. .l.a. .d.o.c.u.m.e.n.t.a.t.i.o.n. .e.s.t. .e.n. .c.o.u.r.s. .d.'.i.n.d.e.x.a.t.i.o.n...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......N.o.t.e. .:..........Note:.....QCLuceneResultWidget.....2.R...s.u.l.t.a.t.s. .d.e. .l.a. .r.e.c.h.e.r.c.h.e.

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_help_gl.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10891
Entropy (8bit):	4.5087667371046205
Encrypted:	false
SSDEEP:	192:Im7gBZHx4hCTNarW6EJDvoIR765f40wqNcMi/8F/Ihon:v0fHccarW6Eh61wqNcMi/Q/won
MD5:	B62C74793741FC386332A59113E8D412
SHA1:	589CE099F2C1D92581B5CF0E17BE49A2BF0014D4
SHA-256:	7399A248609974773F60866C87B78EA7DFBC4F750313D692F7886CD763883C9F
SHA-512:	D8E1A3B3732662BA572A1387651F2625742710834BEDB41809DA47B5D23020AA1B558B64A00C10C605D1844F0544483163F4A6227CAFFA5ECDABF3BBF4E12D9B
Malicious:	false
Preview:	<.d....!..`.......gl_ESB...8.(.......0T......Uj......`.....`.a[....F..........t..............1"... S.39.......s...!.............'F.........B<s...8..MQ.. ...........J..&S.0.....x.O5Q......)Q...O..o>...{.......#...J..&.......$....t.....8dz..%..D ......k.A.....k.A.......n.......I.................."...21....................G...#...w............[...!...?...........Q...?........$a....v.6.>..........$...K...........%0._Xa......GA...n..........~.......TH..#..K.H..$M.........pA...Z......'..P.~...B.o........(..........#+..~......s.1.....o....!..z.q...e.............................. ..e....wi..((......(.A. .r.a.z...n. .d.i.s.t.o. .p.o.d.e. .s.e.r. .q.u.e. .a. .d.o.c.u.m.e.n.t.a.c.i...n. .a...n.d.a. .e.s.t.e.a. .a. .i.n.d.e.x.a.r.s.e...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......N.o.t.a.:..........Note:.....QCLuceneResultWidget.....*.R.e.s.u.l.t.a.d.o.s. .d.a. .p.r.o.c.u.r.a..........Search Results.....QCLucene

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_help_hu.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10284
Entropy (8bit):	4.674501432335502
Encrypted:	false
SSDEEP:	192:RNY+rCG3e7LBqYqYseBb/FEWBgSn62TdJgDO9esYGY3DtgGh621XlZ/8kWvIMK:4+rheHYYZdBb/pgSn62T/FeVD3DGGh62
MD5:	5A56E9E2ED6ECE3F249D1C2A7EB3B172
SHA1:	D6F079F40FBB813B0293C1D2210BAE7084092FEC
SHA-256:	70F33B569C2942F41C6D634EA6A61CB8D80EB2C7011BAD48EF6DBAE9677960D5
SHA-512:	28947128FC51791CFDBFD3958FAF9B33979DB52C90AE0159EDB01FE6032284EB37BC05187162983A0435560BCEA864B008F499CDB4CE662792599FE20A37972A
Malicious:	false
Preview:	<.d....!..`.......hu_HUB...(.(.......0T......5w......Uj......`.....4.a[....N..........t....".........39..........%..........B<s...8..M^...8..........J..$..O5^......)^...]..o>.......J..$......."N...t.....8dz..#g.D ......k.N...>.k.N.......n.......I..............2>..........a.........G...!...w.......................,................^............$a......6.>.........."...K....m......"..W.b...l._Xn...~..GN......~.......TH..!F.!.......K.H..!..........pN..........%..P.~...<.o........(.......... ...~......s.>...{.o.....c.z.q...K.......v......l.........h.... ........t..e....mi..%.....~.(.E.z. .a.m.i.a.t.t. .l.e.h.e.t.,. .h.o.g.y. .a. .d.o.k.u.m.e.n.t...c.i... .m...g. .i.n.d.e.x.e.l...s. .a.l.a.t.t. .v.a.n...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......M.e.g.j.e.g.y.z...s.:..........Note:.....QCLuceneResultWidget.....&.K.e.r.e.s...s.i. .e.r.e.d.m...n.y.e.k..........Search Results.....QCLuceneResultWidget.......A

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_help_it.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10612
Entropy (8bit):	4.458970627057882
Encrypted:	false
SSDEEP:	192:nRxcfy71b+myBN16cbc+w45rtlTnzo7uHp3JQJ9cVu4BJ1G82g33vOVrNL/7nEF1:RR4R/fJn9JizTgnqrNL/b0hH2K
MD5:	3639B57B463987F6DB07629253ACD8BF
SHA1:	65935A67C73F19FCF6023FB95030A5ACAF9DA21C
SHA-256:	316FE8D0815E2B4B396895BEB38EF1A40431915B5E054DF80F4C0CD556F26E4B
SHA-512:	AD7CA93D93A69F273CE80BE7F2F477543B9C5F9C7E4D7448223BFF084EA956B626D6837F22D83C5E282688B938F58C29073C4B5C6F26A797F716C14FABF9FFEE
Malicious:	false
Preview:	<.d....!..`.......it_ITB...(.(.....g.0T....y.5w... ..Uj....2.`.......a[............'..t..............39..........&..........B<s...j..M^...h......K...J..%..O5^...K..)^......o>...u...J..%.......#....t.....8dz..$..D ......k.N.....k.N.......n.......I..............2>.................o..G..."...w............-......./..,................^...'........$a......6.>..........#...K...........$..W.b....._Xn......GN......~.......TH.."n.!.....5.K.H..#"......>..pN..........&..P.~.....o.....~..(....p.....!...~....A.s.>.....o.... ..z.q..........................q.h....!0.......*..e....;i..'!......(.L.a. .c.a.u.s.a. .d.i. .c.i... .p.o.t.r.e.b.b.e. .e.s.s.e.r.e. .c.h.e. .l.'.i.n.d.i.c.i.z.z.a.z.i.o.n.e. .d.e.l.l.a. .d.o.c.u.m.e.n.t.a.z.i.o.n.e. ... .a.n.c.o.r.a. .i.n. .c.o.r.s.o...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......N.o.t.a.:..........Note:.....QCLuceneResultWidget.......R.i.s.u.l.t.a.t.i. .d.e.l.l.a. .r.i.c.e.r.c.

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_help_ja.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	7917
Entropy (8bit):	5.680408580146589
Encrypted:	false
SSDEEP:	192:mP6J37GcBzRjYEPEJJGTnwfJJxb7FTPjzzZBL3/q/I53:mSVqclR5s6Tnwfb7Pj/PL3/q/w3
MD5:	1380A9352C476071BDA5A5D4FED0B6C5
SHA1:	9B737ED05F80FE5D3CD8F588CCEC16BB11DD3560
SHA-256:	AE603B2C0D434D40CDE433FFCBA65F9EE27978A9E19316007BE7FE782A5B8B47
SHA-512:	EC3D68126488C3A163898BACAF7E783217868573635182CAF511ED046B4BE1F99A71FBB24DA607CCB50EDAF70893007AAEE9A6BAAE4C1CD33465A0915AA965DA
Malicious:	false
Preview:	<.d....!..`.......jaB...(.(.....S.0T......5w....'.Uj......`.......a[............u..t............!.39.....................B<s......M^..............J...>.O5^...O..)^......o>.......J...............t...w.8dz.....D ......k.N.....k.N...H...n.......I...........i..2>...<......G......9..G....P..w............i..........,................^..........'.$a......6.>...5..........K............S.W.b...2._Xn......GN...@..~.......TH.....!.......K.H.............pN...........S.P.~.....o.....\|..(..............~....o.s.>.....o.......z.q..................@.........h.....&....... ..e.....i........@.(0.0.0.0.0.0.0n}"_.0nO\b.0L}BN.0W0f0D0j0D0_0.0K0.0W0.0~0[0.0..).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget......l..:..........Note:.....QCLuceneResultWidget......i.}"}Pg...........Search Results.....QCLuceneResultWidget.....R0.0.0.0.0.0.0n}"_.0nO\b.0L}BN.0W0f0D0j0D0_0.0.i.}"}Pg.0LN.[.Qh0jS..`'0L0B0.0~0Y0..........VThe search results may

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_help_ko.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	5708
Entropy (8bit):	5.698914195742074
Encrypted:	false
SSDEEP:	96:elPQHJ6L4c7LaQaFQv2QEhBL+Ejma0W40U0BzlQlcrnUSaTIdspIc18CLRSM3LBY:dHI97W1BbNz1VqqzJpoj5y5uY7OGrWFE
MD5:	CD15674A652C2BF435F7578E119182F8
SHA1:	AEA22E4A0D21396733802C7AB738DDD03737B7D6
SHA-256:	F11C64694E8E34E1D2C46C1A1D15D6BA9F2DB7B61DE4FDF54ECA5AB977C3E052
SHA-512:	88BFA112F4DBC0BFB4013CE0937E5180B4AB4A217FC8A963798C7C86532E794E4A1AD88416AE42F26A1C0631B465A5D69BFE75366E048502F5E21F4115A12F19
Malicious:	false
Preview:	<.d....!..`.......koB............%.......0T......K:^...g.Uj......`........YJ...>.E.4...........z...>..........;.B<s...K.B\>...b........+.s.....zq....[..9....F..vR......@.......@.......:....c.8Z......g.N...7..F....\|...........t.....D ......k.N.......I...m..^......`#....!..2.......G....@...N.................................X..K....{.......i..GN......NO.............K.H..........S..pN...z..V...............................>...........:.~.....i..%c.....z.q....i...s......D.0. .............Add Filter.....FilterNameDialogClass.......D.0. .t...:..........Filter Name:.....FilterNameDialogClass........... ...L..........Untitled.....QHelp.....(...L... ...\|.D. .....`. ... ...L.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....".....0...\|. .... ... ...L.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....2...\|. .%.1... ...x. .L.t...D. .... ... .................&Cannot create index tables in file %1......QHelpCollectionHandler.....,.

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_help_pl.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	9673
Entropy (8bit):	4.622652249027856
Encrypted:	false
SSDEEP:	192:TO/7kBL9wGu3wtCnlhLJUBB7oph+mZ18LgP:T8QnwcCnlhdvphpZ18LgP
MD5:	2B68446B69D9AA40B273D75A581D2992
SHA1:	8A09BD38998543B74E2673478EDD54FB4BBDD068
SHA-256:	CC6CB4D8C54086224672F2E49E623C8CB7C0C1CD65B8D5ECD42FC9BA3A6065BD
SHA-512:	F3A3D6A416B3411613B06FC3EE56625D4D4DE80087182AB0D0601E49314861ABEF97D11A15B4C0511911544A59FBC4A4A52F0CCF0FD43F763A76A8922D8E57B6
Malicious:	false
Preview:	<.d....!..`.......plB.....(.......0T....T.5w......Uj... R.`.......a[...............t............2.39....H......6.......n.B<s.. ...M^..._......6.O5^...F..)^......o>...............t.....D ......k.N.....k.N.../...n.......I...W..........2>...w................G.......w............&.......:..,................^...(..... ..$a....?.6.>...$..........K......W.b....._Xn......GN...Y..~......!.....*.K.H...E....."...pN...-.........P.~...}.o........(....1..~......s.>......%c.."..o.....r.z.q............................h................e.....i..#.......N.i.e.n.a.z.w.a.n.y..........Untitled.....QHelp.....P.N.i.e. .m.o.\|.n.a. .s.k.o.p.i.o.w.a... .p.l.i.k.u. .z. .k.o.l.e.k.c.j...:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....>.N.i.e. .m.o.\|.n.a. .u.t.w.o.r.z.y... .k.a.t.a.l.o.g.u.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....H.N.i.e. .m.o.\|.n.a. .u.t.w.o.r.z.y... .t.a.b.e.l. .w. .p.l.i.k.u. .%.1........... Cannot create tables in file

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_help_ru.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	7288
Entropy (8bit):	5.297177914619657
Encrypted:	false
SSDEEP:	192:dBJjvfq7D6X68uBAzlp5W9+yBPZZZMM7vL0PXJL:JKrMEL0PXJL
MD5:	794AF445A5D7082D51BD22683449F86D
SHA1:	3A0C369872B112A1572AA17EEB814B168B225D98
SHA-256:	557B644E6DA5F1EC720EF93965617087E4D1F40B2494CC5AA524CF3796108DE7
SHA-512:	D42C870A16AEE7626BBE24886AD423895529A2F1A51AC2DBC303BC0E4EF9D3241FE894ECA3F7217AD408C8DCEE165CA4B89D84570357B0EB80340A3F72B0A846
Malicious:	false
Preview:	<.d....!..`.......ruB..........\.%.......0T......K:^.....Uj....L.`........YJ...X.E.4...............>............B<s.....B\>............+.s.....zq.......9....B..vR...L..@.......@....G..:......8Z......g.N......F....>...........t.....D ....R.k.N...E...I...W..^......`#....s..2.......G....^...N.........................K.......d..K............O..GN...b..NO.............K.H.............pN...P..V....................g..........>.............~........%c.....z.q....i........$...>.1.0.2.;.5.=.8.5. .D.8.;.L.B.@.0..........Add Filter.....FilterNameDialogClass.........<.O. .D.8.;.L.B.@.0.:..........Filter Name:.....FilterNameDialogClass.........5.7.K.<.O.=.=.K.9..........Untitled.....QHelp.....b...5. .C.4.0.;.>.A.L. .A.:.>.?.8.@.>.2.0.B.L. .D.0.9.;. .:.>.;.;.5.:.F.8.8. .A.?.@.0.2.:.8.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....<...5. .C.4.0.;.>.A.L. .A.>.7.4.0.B.L. .:.0.B.0.;.>.3.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....`

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_help_sk.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10388
Entropy (8bit):	4.70568613551943
Encrypted:	false
SSDEEP:	192:uPq7iBWseXKkVu4+Qv9zEJ1xGMaLNmBgJqdC6/MxIMt:LWcseV04Xv9zEoLNDJqdX/MxRt
MD5:	75C94E59F1FC5312AE25381C247AF992
SHA1:	E3E5F4582CC5FAFE6DF43644D11484861023C084
SHA-256:	F41E33E1D790BD0D3EB180F1F875BC191FE74773628F25C2CAD95E1402E66867
SHA-512:	959B8F4D57FC9728DD4804322333D1792D45A0EE85615B559E0CA3BD2DEA22E2C8C68C6482AE9425D29C819B0ED27473EDDC82EF4B6ECFFB2E2E7B56E1509B63
Malicious:	false
Preview:	<.d....!..`.......sk_SKB...8.(.......0T......Uj......`.....0.a[....8..........t..............1"......39.......s........... .....%..........B<s...6..MQ..............J..$-.0.......O5Q......)Q...;..o>...........G...J..$......."....t.....8dz..#..D ......k.A...2.k.A.......n..._...I.................. ...21..........e.........G...!...w....Y...........!...........=...Q............$a......6.>.........."...K....i......# ._Xa..."..GA..............~.......TH..!{.K.H.."7.........pA..........%..P.~.....o........(..........!...~....u.s.1.....o.......z.q...c..............................f..e....9i..&-......(.D...v.o.d.o.m. .m...~.e. .b.y.e. .t.o.,. .~.e. .d.o.k.u.m.e.n.t...c.i.a. .s.t...l.e. .n.i.e. .j.e. .z.i.n.d.e.x.o.v.a.n.....).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......P.o.z.n...m.k.a.:..........Note:.....QCLuceneResultWidget.....".V...s.l.e.d.k.y. .h.>.a.d.a.n.i.a..........Search Results.....QCLuceneResultWidg

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_help_sl.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10363
Entropy (8bit):	4.613473842638716
Encrypted:	false
SSDEEP:	192:vNBqTi7qBCVIQf54EslZ2Jy/L/BnmpP0bX3caK6q1B6/hgIlCCUb0:vjq2+UVT4ESZOYmpP0bX26q1I/yqCCUw
MD5:	3B0AEE27B193A8A563C5CB5C7C4FE60F
SHA1:	C94E832595EC765370553468F87C02DB7E7D138A
SHA-256:	2EC955E662407EBCD8DCDAE5AAA21E4108E0B5B0AEE0E9DB712C27072943535F
SHA-512:	EBC25C378126876F44279E23CA0CF06FC9E7D5F51AD7E3DBDABA7A50C81112EDC1C76F7FD0AF47E447A93C3593BB953A0C9C1FBBFC49494E6B29BF21655F690E
Malicious:	false
Preview:	<.d....!..`.......slB...8.(.....E.0T......Uj......`.......a[............!..t..............1"....;.39.......s....^............$........i.B<s...,..MQ..........}...J..#..0.....Z.O5Q...[..)Q......o>...............J..$I......"W...t...C.8dz..#H.D ......k.A.....k.A.......n.......I.................. P..21....................G...!...w............?...!...3...........Q...+........$a....>.6.>.........."...K...........".._Xa......GA..............~....A..TH..!I.K.H..!..........pA...>......%..P.~...>.o........(....d..... ...~......s.1.....o.......z.q.....................................e....{i..&.....z.(.R.a.z.l.o.g. .j.e. .m.o.r.d.a. .t.o.,. .d.a. .s.e. .d.o.k.u.m.e.n.t.a.c.i.j.o. .a.e. .v.e.d.n.o. .i.n.d.e.k.s.i.r.a...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......O.p.o.m.b.a.:..........Note:.....QCLuceneResultWidget.....".R.e.z.u.l.t.a.t.i. .i.s.k.a.n.j.a..........Search Results.....QCLuceneResultWidget.......R.e.

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_help_tr.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	4629
Entropy (8bit):	4.68793836539357
Encrypted:	false
SSDEEP:	96:BoiK0UD2wMLb7Lqlguotqbww5BLNwWjK0kHU9zuQlUVUfniqthweEIFwC18lLEGA:PXFf7pU75BWWOpcJcVqDFNz8brgyf76r
MD5:	32D6EE3D8EE6408A03E568B972F93BCB
SHA1:	582EE079DBD42000C378E0701D26405750524DBA
SHA-256:	EBDECA0CFEE7A9441DEB800BABFD97C63BC4E421DA885C55B3BD49725EBACD25
SHA-512:	24AAA30B9CB4DB82A57411FBA24A87D70D8B845AE48A6FDA633D0BE6B824B58FDD2F450C2B385F16F49E2F9C6FA0A3124FD0F28594726940F996C66F8F3216CC
Malicious:	false
Preview:	<.d....!..`.......tr_TRB.....%.....[.0T......Uj......`.....$..............L.B<s.....B\>..........4.+.s...............t.....D ......k.N...5...I......2.......G....5...N..........a...............f..K....9..........GN...........@.K.H..........q..pN...t..........>...z.~...../..%c.....z.q....i..........B.a._.l.1.k.s.1.z..........Untitled.....QHelp.....J.K.o.l.e.k.s.i.y.o.n. .d.o.s.y.a.s.1. .k.o.p.y.a.l.a.n.a.m.1.y.o.r.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....2.D.i.z.i.n. .o.l.u._.t.u.r.u.l.a.m.1.y.o.r.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....\.%.1. .d.o.s.y.a.s.1.n.d.a. .d.i.z.i.n. .t.a.b.l.o.l.a.r.1. .o.l.u._.t.u.r.u.l.a.m.1.y.o.r...........&Cannot create index tables in file %1......QHelpCollectionHandler.....N.%.1. .d.o.s.y.a.s.1.n.d.a. .t.a.b.l.o.l.a.r. .o.l.u._.t.u.r.u.l.a.m.1.y.o.r........... Cannot create tables in file %1......QHelpCollectionHandler.....P.S.q.l.i.t.e. .v.e.r.i.t.a.b.a.n.1. .s...r...c...

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_help_uk.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	9750
Entropy (8bit):	5.281035122342072
Encrypted:	false
SSDEEP:	192:eMp79BCN+u8hhbHbny+HJouHgei50JBSfDvbetpP/RIkT:eIhgNgBbny+phiS3SfDDetpP/RRT
MD5:	90A776917D534B65942063C319573CDC
SHA1:	5DF3B213D985A3BBDB476B37B7780D7D7DF17E41
SHA-256:	497CFC473684692EE44D7A3795E8FB2270C57069FD9EB98A615DD29AB9BE8A7C
SHA-512:	B34A019716B50CE8E1E20AC32756B3B0D5802971F7A04F4BDDE2418DA551AFB9742B79E934979DB6FAB9DAC05D7D26A3B19ABA77158321F8D9AAB08AEBBD455A
Malicious:	false
Preview:	<.d....!..`.......uk_UAB...(.(.....?.0T......5w......Uj......`.......a[...............t............K.39....u....."..........B<s...8..M^...j......y...J..!..O5^...Y..)^......o>...o...J..":...... <...t...E.8dz..!3.D ....".k.N.....k.N...d...n.......I..............2>...>......o.........G.......w............E.......e..,................^...S........$a......6.>...'...... y..K........... ..W.b....._Xn......GN...p..~.......TH...4.!.....9.K.H.............pN..........#].P.~...~.o.....N..(....b.........~......s.>.....o.....o.z.q..........................U.h.............D..e.....i..#.......(...@.8.G.8.=.>.N. .F.L.>.3.>. .<.>.6.5. .1.C.B.8. .B.5.,. .I.>. .4.>.:.C.<.5.=.B.0.F.V.O. .4.>.A.V. .V.=.4.5.:.A.C.T.B.L.A.O...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.........@.8.<.V.B.:.0.:..........Note:.....QCLuceneResultWidget.....". .5.7.C.;.L.B.0.B.8. .?.>.H.C.:.C..........Search Results.....QCLuceneResultWidget....... .5.7

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_help_zh_CN.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	6441
Entropy (8bit):	5.790303416386852
Encrypted:	false
SSDEEP:	192:pB37nBD4H5PCyLDxLSzJPduYx9vja/FIgH9yIFqfs:rTZ4HUAD1S1JFe/F59PFqfs
MD5:	9297A6905B8B1823BF7E318D9138A104
SHA1:	3DB992A1B3BBCAF314B7EA4A000D6334D7492A52
SHA-256:	C02AAA20923F18ADDAB520BE5CB84EFD4C723396BDC24B4C9A72D406F101C7B4
SHA-512:	01F12CEE0AE456D78942A6049E1C77F94B406C8FFB4A5944DE15E54D1C760CDBA13279530A8F29B1443D1BBC647D3AF5436AAD8C43EB3944316C48300B3827E4
Malicious:	false
Preview:	<.d....!..`.......zhB......I....L.0T......Uj......`.......a[...............t....P..@....Z.......<.........39.......s....2.................B<s......MQ..........9...J......31.....0.......O5Q......)Q...^..o>...........(...........J...V...........t.....8dz.....D ....Z.k.A.....k.A.......n.......I...........t..w................!...........o.......D...Q...E........$a......6.>...h...............%._Xa......GA..........._..TH...r.........pA.............P.~.....o.....].~.q.............~......o.....h.z.q...........H..0q....................i........2..S.u...y.`.Q.v.S.V.S..f/V.N:..e.hckcW(..}"_.0............M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget......l..............Note:.....QCLuceneResultWidget......d.}"~.g...........Search Results.....QCLuceneResultWidget.....,d.}"~.g.N_..^vN.[.et..V.N:..e.hckcW(..}"_............VThe search results may not be complete since the documentation is still being indexed!.....QCLuceneResultWidget..

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_help_zh_TW.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	9301
Entropy (8bit):	5.80411750798786
Encrypted:	false
SSDEEP:	192:4bgIXwsL78BQp4dRDP0ludqODa/wkB/tTWn5dJ6mO8IZiT9Dzz/wI3HyRWqUqS:lI/oS4dR5c/tTWn5/EZA9D/w+H8WqUqS
MD5:	47C3328D3918CF627112BB6C50E30B86
SHA1:	05705603AB3F28402A6C103E1C41DDFF21D140C0
SHA-256:	3697F1660D7F2AC9B37AC33CD1C7ECAE08ADBD26710E7E0076497CCDDC8BC830
SHA-512:	8DE1C3C5A48965CF6D8AA545DA9F0A5C00AE124F3E4153597915E7C0F4CAE1E26723270F58A47AA9FFA4AAF30E6EBA522D4EBAD27DECF17EF108E353E611980E
Malicious:	false
Preview:	<.d....!..`.......zh_TWB......I....[.%.......0T......0T......Uj......Uj....R.`.....>.a[....................g..t....7..@......................39.......s................... .........B<s.....B<s.....B\>......MQ..........[...J...]..31.....+.s...c.0.....U.O5Q......)Q...C..o>.......................J...............t...3...t.....8dz.....D ....R.D ......k.A.....k.A.....k.N...'...n.......I.......I...........[..2....x..G........N......w................!...........:...........Q...&...............$a......6.>...I.......L.......$..K......................_Xa...y..GA...O..GN...........$..........TH...I.K.H................ Y..pA...K..pN.............P.~.....o.....D.~.q......>.............~......~........%c.. ..o.....!.z.q...........#..0q....................i..!Y....(..g.S..f/V.p.N.W(^.z.e.N.v.}"_.uvN-0............M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget......P..;............Note:.....QCLuceneResultWidget......d.\.}Pg...........Sea

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_hu.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	146
Entropy (8bit):	3.6255640074603277
Encrypted:	false
SSDEEP:	3:j2wZC4C/IrLlAlHekfK/gp1MUXaMlI+rwtbWlMiayIPldkOgn:CwDrC+TYIUrIRt6HoiHn
MD5:	5A46979B45C67DD6312F33CCEA2ED7BC
SHA1:	4C56836B1FB10D9903B299CBCB925947D515B4C8
SHA-256:	BB246AABD501E14CED8B1FFC1369E3D5D26567AAE62B3EAD4D94C22FB77C3471
SHA-512:	BDBA4E1731CF254E95B0F1337410937C765E96FBB1D42F1D053033E1511FEE6F50C02705F781F4DAA0347E2299DC78A5A9942AC4EA343ED1F8F401F9ACD961E4
Malicious:	false
Preview:	<.d....!..`.......hu....v.....q.t.b.a.s.e._.h.u.....q.t.s.c.r.i.p.t._.h.u.....q.t.m.u.l.t.i.m.e.d.i.a._.h.u... .q.t.x.m.l.p.a.t.t.e.r.n.s._.h.u

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_it.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.5752972123113778
Encrypted:	false
SSDEEP:	3:j2wZC4C/EbFlAlHeke5zOp1MUWLt7KlI+rwtbWlMj5FKIPldkOA9kk:CwDM+35aIUW5SIRt6Q50oi9Gk
MD5:	2BB8C94D420D3BC344C79A01043BDC89
SHA1:	3FBA773D58E6D3699C20AB41AEE6801E71E2DDAE
SHA-256:	9117AAC2D07BC86DFA55A29B8825ED27C7093300FCC90E143E135E00E85F09D7
SHA-512:	C6B13655AFB206B0056F5656B4A9BF33CC267FCC928F6973258131CFA6443970510226FE45A041E5AA988809E17D0B11C7458F4A241C71521EDED186596C6055
Malicious:	false
Preview:	<.d....!..`.......it....v.....q.t.b.a.s.e._.i.t.....q.t.s.c.r.i.p.t._.i.t.....q.t.m.u.l.t.i.m.e.d.i.a._.i.t... .q.t.x.m.l.p.a.t.t.e.r.n.s._.i.t.......

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_ja.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	146
Entropy (8bit):	3.599979504080125
Encrypted:	false
SSDEEP:	3:j2wZC4C/il/lAlHekd6hY1MUV6JAlI+rwtbWlMgel3UlIPldkOG:Cwz4+pjUGAIRt6qVUloiB
MD5:	8A1EE3433304838CCD0EBE0A825E84D8
SHA1:	2B3476588350C5384E0F9A51FF2E3659E89B4846
SHA-256:	23457CE8E44E233C6F85D56A4EE6A2CECD87C9C7BDDE6D8B8A925902EED1CD9C
SHA-512:	2D8ACD668DF537E98B27161F9FA49828EB2EB6E9CF41DB38E7F5D31F610D150CD1B580A8AE9B472A4DFDE4D4BF983C24A56293BB911CF5879368664E4D4CF3D2
Malicious:	false
Preview:	<.d....!..`.......ja....v.....q.t.b.a.s.e._.j.a.....q.t.s.c.r.i.p.t._.j.a.....q.t.m.u.l.t.i.m.e.d.i.a._.j.a... .q.t.x.m.l.p.a.t.t.e.r.n.s._.j.a

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_ko.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	146
Entropy (8bit):	3.652277257665055
Encrypted:	false
SSDEEP:	3:j2wZC4C/rrr/lAlHekcQ/01MUUQMlI+rwtbWlMhQGlIPldkORn:CwCC+1Q/UUpIRt6SBloimn
MD5:	7B2659AF52B824EAC6C169CDD9467EE9
SHA1:	5727109218B222E3B654A8CC9933E970EB7C2118
SHA-256:	4CC1AF37E771F0A43898849CFF2CD42A820451B8D2B2E88931031629D781DB05
SHA-512:	E9475AC80BDBBEFF54F2724A2B6BA76992F18FD1913FD8EE1540A99FD7A112B79FED5A130B6AC6D7460E4420C06354FC6E4CF7770A7C6CBD3EAC1BDAF0082DE5
Malicious:	false
Preview:	<.d....!..`.......ko....v.....q.t.b.a.s.e._.k.o.....q.t.s.c.r.i.p.t._.k.o.....q.t.m.u.l.t.i.m.e.d.i.a._.k.o... .q.t.x.m.l.p.a.t.t.e.r.n.s._.k.o

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_lt.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	165383
Entropy (8bit):	4.805977227348512
Encrypted:	false
SSDEEP:	1536:i5v3+zmayloj6yJjhnBAbnrKnGrhA7WgdXclIsooY9i:SvOzAloj6yJ9BA7riGr+7WKXc+s5ui
MD5:	8992B652D1499F5D2F12674F3F875A35
SHA1:	E22766A49612F79156C550D83C6C230345DDA433
SHA-256:	47EB5F97467DF769261421D54A5BEA1131C9FB9B6388791D38BB6574335B64BF
SHA-512:	9B8B6DBFF432F2A46C14BC183A6BAF84ACBF02BF2C5BB8C306C6538FBD9BE1C0A9015BD46728F2F652F9163AFC56B1E16D16EB95D8F7728F3C562AE9F4F1AE1E
Malicious:	false
Preview:	<.d....!..`.......ltB..0X.....)C...+...\|......P....@..9....A..9....B..:....C..:....D..;....E..;....F..<6...G..<....H..=)...I..=....P..>q...Q..>....R..?....S..@f...T..@....U..A\...V..B....W..B....X..C....Y..Cy...]..k....t..........t>......th......t.......pd...;..J'...;.._h...;.......;...{...;..J....;...)...M..l....O...R...O...............}..l9...m..lo......^S..(5..P{..+;..4...+;......+;......+O..4...+O......1...^...E@..?p..F...C...H4......HY......H.......I...D...I@..s...IA..t...IC...2..J.......J....Y..J.......J.......K...9...LD...`..L.......PS......R.......T...q...Zr...`..[`......[`..&@..\....e..\....b.._......._....P..1........E..........5........L..1...O...1...PP......7......../...........$.......$.......,.......y.......y..........K^..............x......8................L...E.......E.......E......................%..:....%.........0U.....W......Zo.....^....5.......0..I....0...F...0...\|...0.......0.......0..+\...5...}.......... D...g.. D......+....j..,.......,.......<U...+..<U

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_lv.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	89
Entropy (8bit):	4.156834975253888
Encrypted:	false
SSDEEP:	3:j2wZC4C/HzllldQlHekbxplUp1MUTJ+b:Cwv+DIUEb
MD5:	19F1B919BB531E9E12E7F707BEBD8497
SHA1:	46E82683CEA28D877C73A5CE02F965BB1130FC62
SHA-256:	03467738042A15676E504BA02CB326DCDB773B171FADA3CD62B7A0E0564314A0
SHA-512:	901D7B26CAC7A4D0FFDB39A1D25767B5BC71BED4AFBE788D70BF19D4C58A8295167111675AB45E743FDF4768AF874D69417414C01CF23D5C525A3F6C8BF7D21F
Malicious:	false
Preview:	<.d....!..`.......lv....0.....q.t.b.a.s.e._.l.v.....q.t.s.c.r.i.p.t._.l.v........)....

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_pl.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	161
Entropy (8bit):	3.8693516202048612
Encrypted:	false
SSDEEP:	3:j2wZC4C/5J/p/lAlHekHp/7KlI+rwtbWlM6Tl/z21MUPp/FOlIPldkOjehB:Cwr+26IRt6nFURkloiT
MD5:	D71EA9FEFD97464B178235150EC8759E
SHA1:	61026FE602FD1B8B442A0D341C6BD759EEC75488
SHA-256:	BD7DD0C2CAB119A973DC10C3BFF7499D9728B928B541F86056921B30C8DB78E6
SHA-512:	ECD76A7D8B8D733E635B2BFEA90A4CD387B83D9D8A4EB6D299F59FF22AAA8D617A4C886A825A1CDDD901925C7839E2C18BDD4E0CD84152641922B66B62663F77
Malicious:	false
Preview:	<.d....!..`.......pl....v.....q.t.b.a.s.e._.p.l.....q.t.m.u.l.t.i.m.e.d.i.a._.p.l.....q.t.s.c.r.i.p.t._.p.l... .q.t.x.m.l.p.a.t.t.e.r.n.s._.p.l............,..

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_pt.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	70334
Entropy (8bit):	4.732724622610353
Encrypted:	false
SSDEEP:	768:OKGUuWW+WHjS0gMBd483+Y7bDPs4RHBloLUIltlzAJnx4nnliM1OPlOibLG:JGUuWPuSgm0Jn+n4Mhj
MD5:	6656500F7A28EF820AE9F97FD47FB5BB
SHA1:	CC112B9C9513BCF7497F3417168B4C8A9F7640A9
SHA-256:	2C1E7BBF5168A64B43752DD4C547601C0BDE6D610F8671FA3E3AF38597E84783
SHA-512:	5C3CBFCF86AF6B4D949C1D914CD379E512E73BA350AF661033A386EE7FB981FBFCB43D9A35FDE7656E17BB09F64F1469F84867A780573C3359D645269461D5A6
Malicious:	false
Preview:	<.d....!..`.......pt_PTB...(......9...+...e...]..6....;.......;..-....;..;`...;..};...;.......M..6....O... ...O...w...........}..7....m..7B..........+;......+;..8S..+;..>...+O......+O..8#..H4......H.......J......K.......LD...)..L....}..PS...l..Zr...B..[`...;..[`.....\...kU.._......._.......1...?...............8...............E............,..................p........0...............v...........%...O...%..G........4...0.......0..:....0..y....0..\|....0.......0...X...5.......5...... D..=... D..Kn..+....L..,...>...,......<U..z...<U......<.......F...>...F.......H5...4..H5..=...H5..K...H5......f....p..f...1...f...;...f...I...f...\|H..f.......f.......l....................b......<...............>.......L ...........`......`..._.......A......2....e...g...e..>D...e..LW................y...,..y......y..o...y......T..L...0..'..*.0....+F...y..+F......+f......+f...C..+.z..0..+.....d.+....p0.+.....R.+.z..0U.+.....u.+....8..+....Ct.+....L..+....y..+.....Z.+......+...pc.+.....+....0..

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_ru.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	164
Entropy (8bit):	3.984562388316898
Encrypted:	false
SSDEEP:	3:j2wZC4C/oZlAlHekF8Op1MUNKJKlI+rwtbWlM4KKIPldkOSxRMugB:CwY+GIUgcIRt61oihM3
MD5:	F7A8C75408B9A34A2B185E76F51B7B85
SHA1:	065E987139C5FB809A6F9CDF3845BCD79707FDBB
SHA-256:	6492B267608C6FB76907BD8FCFC8F1EF57E9F4EBBC2E81ACA81715A88388F94A
SHA-512:	E768C5B438EC899801B22B1325F2244ACCC5E7C2EC5D270F510BC3CBC2D9A0536949C026DB7FB5862835E506A9F2020DEB2CC4001E7011FF974324542734F855
Malicious:	false
Preview:	<.d....!..`.......ru....v.....q.t.b.a.s.e._.r.u.....q.t.s.c.r.i.p.t._.r.u.....q.t.m.u.l.t.i.m.e.d.i.a._.r.u... .q.t.x.m.l.p.a.t.t.e.r.n.s._.r.u........)......,..

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_sk.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	157
Entropy (8bit):	3.7731953311404336
Encrypted:	false
SSDEEP:	3:j2wZC4C/3xRlAlHekE8lgp1MUM8lMlI+rwtbWlM5UllyIPldkOfll6kchn:CwS0+t8CIUM86IRt6KUlsoi2CVh
MD5:	24C179481B5EF574F33E983A62A34D53
SHA1:	0A67F1ED8CA4A5182F504806F8D47D499789F2D2
SHA-256:	B6ADFFD889FF96BF195CB997327E7D7005A815CAD67823FA6915A19C2D9BB668
SHA-512:	4757F3693120DAB2FBB7BCF1734EA20B3E3D9056B4B4E934A3129D660CFDC6C58B230459DB55912AF24AD5692BD221830BE0FF91E41D3EECD9439E79AC23FFE6
Malicious:	false
Preview:	<.d....!..`.......sk....v.....q.t.b.a.s.e._.s.k.....q.t.s.c.r.i.p.t._.s.k.....q.t.m.u.l.t.i.m.e.d.i.a._.s.k... .q.t.x.m.l.p.a.t.t.e.r.n.s._.s.k...........

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_sl.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	228428
Entropy (8bit):	4.726953418955661
Encrypted:	false
SSDEEP:	3072:9zQH0hOtgmiAZu0eeAEv+v49JnnSmICgr3n7jhCQUeinqyU5UggtRLGrQ2LZO+Y1:RpUsSpGr36wsR
MD5:	D35A0FE35476BE8BD149CEE46E42B5E9
SHA1:	9F3C85C115A283E5230D1EEAD84C8CB73A71FA03
SHA-256:	C44E0313A9414CC0E490B65B0C036FA11BCA959353B228886547BC2C8492034F
SHA-512:	BEEB1751882AF081E80BE93F7464D4C6322B724EFA2CBD3E1CBE709181D380C1C57E770FA962BB706D6FCF4A8CB393E3F6E187C1F604F8CEEFB201CA3200BD1C
Malicious:	false
Preview:	<.d....!..`.......slB..<....*.......+.......@...C...A.......B...<...C.......D...2...E.......F...d...G.......H...W...I.......P.......Q.......R.......S...x...T.......U...n...V...%...W.......X.......Y.......]..g~...t...V.......f..................................;..G....;..[....;...q...;..ia...;... ...M..g....O.......O.......[..,e...........}..g....m..h........Q..(5......+;..2...+;...b..+;...i..+O..2...+O...4..1......E@......F.......H4......HY...%..H.......I.......I@......IA...9..IC......J...6...J.......J.......J...^...K...7...LD......L....n..PS...U..R.......T....=..Zr......[`...V..[`......\...!,..\...8U.._..."b.._.../h..1.......E...9......4...............5........e...................$...<...$..Z....[.......,.......y...L...y..].......H.......@.......J.......6........~..........E...O...E..+....E...~..............,1...%..8r...%...........^..............................5.......0..Gx...0.......0..P....0..h....0.......0.......5...^.......... D...... D......+....`..,.......,...-...<U

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_sv.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	65851
Entropy (8bit):	4.7906769989650515
Encrypted:	false
SSDEEP:	1536:4u6DkpgyKmRmG15mGM6iFPi6Q/qTlOQZY2dKN8gKw:4u6DotUG1sGMZPi6Q/qTlO2Y2YKw
MD5:	0E85E0E0E7DDFE3D4BDE302F27047F9C
SHA1:	AE59348E0C2E4F86F99DA6CF5DAB3B7E92504B7C
SHA-256:	4B4B6FF7FD237C9DA0301B4946132E68653D15EB5FAF38E4C5FBFEBB12DD97F7
SHA-512:	8CAAB6C61E9FA26A3A289A9E4DC515D157B3092D6D4ED43861220261BD2B7CC79B35B52F9ADE4EF558B5385B37EAC14575420DD55C475F435BB95B6C1E2561B6
Malicious:	false
Preview:	<.d....!..`...B..............+...i...]..6....;.......;..-f...;..:;...;..t....;.......M..64...O.......O...........q...}..6\...m..6........(..+;......+;..7...+;..=...+O......+O..7c..H4......H.......J.......K....F..LD...+..L.......PS...N..Zr......[`...7..[`...N..\...h4.._....J.._....k..1...>...............7........}......D............,.................i....................................%.......%..Fc.......6...0.......0..9....0..q....0..t....0.......0.......5.......5...... D..<}.. D..I...+.......,...=X..,.......<U..r...<U...n..<.......F...=...F....F..H5......H5..<...H5..J4..H5......f.......f...1V..f...:f..f...H;..f...t&..f.......f.......l..................8......;z..............<.......Je.......6...`...&...`...!.......9......1....e.......e..=....e..J..............g...y......y.../..y..h...y......T..J...0..'[..0...K.+F...q..+F.....+f......+f...A..+.z../..+.......+....i`.+.....X.+.z../..+.....S.+....7..+....Bi.+....K..+....q..+.......+......+...i..+.....+....0..F0i.....G.

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_tr.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	110
Entropy (8bit):	3.630483009136986
Encrypted:	false
SSDEEP:	3:j2wZC4C/7zl9lAlHekDN/01MULV4LlI+rwtbWlM+N:Cw5+wUGRIRt6n
MD5:	16CDF5B9D48B0F795D532A0D07F5C3A0
SHA1:	6E403C9096B3051973E2B681DFEBBC8DD024830D
SHA-256:	F574A2CFD4715885C3DBDF5AE60995252673BD94FDAA9586F7E0586F6C1AC0EE
SHA-512:	36A0431368010157EA8A45DCB00458076CCFFC08B37E443DEBD1AAD4A30C6080803337725A7A3DCBF2B410DC7BE89CEAF6C07C46F876E4EF5B08159E3BF38E6D
Malicious:	false
Preview:	<.d....!..`.......tr....R.....q.t.b.a.s.e._.t.r.....q.t.s.c.r.i.p.t._.t.r.....q.t.m.u.l.t.i.m.e.d.i.a._.t.r

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_uk.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	164
Entropy (8bit):	4.021402900389864
Encrypted:	false
SSDEEP:	3:j2wZC4C/ZlRlAlHekCczOp1MUKUt7KlI+rwtbWlM/cFKIPldkONRMugB:CwUl0+rjIUKUcIRt6M/oioM3
MD5:	9B101363343847FE42167183320C03F0
SHA1:	F0DF2CFF913E588B7CADFDABBF69F4F632B2F96A
SHA-256:	F1621E680E1642F9463E4B07E7E78B50F9A7BDB7C321D7302039CB3405CBDEA4
SHA-512:	DA14FDF8DB514902733CAAC492293873351C595EBBE0ACB0849BECE24AB822602EE64D01051F1426CD1FC13A95D8607302CF9B515D9806FDD3BD047087DE447C
Malicious:	false
Preview:	<.d....!..`.......uk....v.....q.t.b.a.s.e._.u.k.....q.t.s.c.r.i.p.t._.u.k.....q.t.m.u.l.t.i.m.e.d.i.a._.u.k... .q.t.x.m.l.p.a.t.t.e.r.n.s._.u.k........)......,..

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_zh_CN.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	117347
Entropy (8bit):	5.8593733369029195
Encrypted:	false
SSDEEP:	1536:51dXW89nqEFu54aekvRzHHSVuf8j2+/xc3lhnbsfdAoz/w:v9qEFeLekvRznSVHJG3lhn+djY
MD5:	0D02F0DE5A12BCB338B7042DFBDAACF3
SHA1:	B7C10D249D8986AD8C6939B370407D07227A39F5
SHA-256:	28CDE75D7B32C81FEF1D4630C37B79A61DEC24B357632FF00D6365A57D8BE43B
SHA-512:	21F02EBA36B4411921EA3C70310B8E454E8FC2B8F09957FD6A63B71689DC381F7A5E2C3BDF2810734D659AB43D8A7BD46EF6436ECC52F75C71B5F5C313365444
Malicious:	false
Preview:	<.d....!..`.......zhB..+...........+.......@.......A...8...B.......C.......D.......E...V...F.......G...L...H.......I...9...P.......Q...e...R...^...S.......T...T...U.......V...\|...W.......X...o...Y.......]..4 ...;...2...;..,....;..8....;.......;.......M..4H...O.......O...........#...}..4p...m..4........N..(5......+;...f..+;..6Y..+;..<...+O...8..+O..6'..1......E@......F....Y..H4..."..HY..J...H.......I.......J.......J.......K....5..LD..._..L......PS...V..Q....6..R...N...W..../..Zr.....[`.....[`......\...lU.._......._....L..1...<........j......6...............B........I...$..K....$.......,...g...y...3.......A......r...........................9..L7......;w...E..5b...E...G.......5...%.......%..D........`..............................0.......0..8W...0..}y...0...6...0.......0.......5.......5...... D..:... D..J...+....R..,...;...,......<U..~...<U......<......F...;...F......H5...i..H5..:...H5..Jk..H5...w..VE...[..f....u..f...0X..f...9...f...E...f.......f.......f....j..g....A..l.

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qt_zh_TW.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	141
Entropy (8bit):	3.7198292994386235
Encrypted:	false
SSDEEP:	3:j2wZC4C/0N6xg/Rl/gl+kNXDelHrwtbWlMwTolIPldkOfDn:CwOO2+g6Mt63oloiUn
MD5:	ED4135D705AEF3D97F8BF6B8FF11F09C
SHA1:	308E2B8F74B863A61AD0B68F4A18ED06965EBEAA
SHA-256:	751ECDA0C33E061D91241268357FBD2F6B7F70A1116E714F28D22EFD61EC7A1A
SHA-512:	B6E6D00553A9C427130129B9D30E862028E549F372A832F0F05747C8E2A79E443F4932EC3AE177537C8BA00D26B5B6CB97D5B35426AB5229F6A468CA485BE0B1
Malicious:	false
Preview:	<.d....!..`.......zh_TW....n.....q.t.b.a.s.e._.z.h._.T.W...$.q.t.m.u.l.t.i.m.e.d.i.a._.z.h._.T.W...&.q.t.x.m.l.p.a.t.t.e.r.n.s._.z.h._.T.W

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qtbase_ar.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	160017
Entropy (8bit):	5.35627970915292
Encrypted:	false
SSDEEP:	1536:XGlAMfkX1M0RdaCkR8lfv8vtc8EFrVYA2I4AJZWEWgHg1C8COvzHKHC6Jp9NV0V7:XUr0RACkIwDEpV1Lgf1ubtw3Bb
MD5:	A7E4D0BA0FC5DF07F62CC66EC9878979
SHA1:	21FD131B23BDD1BBA7BBB86F3ED5C83876F45638
SHA-256:	E03FE68D83201543698FD7FE267DD5DFC5BFD195147E74FF2F19AC3491401263
SHA-512:	D9E6B10506FCF20B5B783F011908083D9DF6C5DF88E21B10D07F53A01AD6506A4B921C85335A25BAE54E27BAD7D01B6E240D58FDEEAABC7FF32014EC120C2ECF
Malicious:	false
Preview:	<.d....!..`.......arB..2....*.......+.......@.......A.......B..._...C......D.......E......F.......G... ...H...D...I...h...P...C...Q...g...R......S.......T.......U.......V...x...W......X.......Y.......]..'=...s......t...........]...........;..'....;..(....;.......;.......M..'e...O.......O...9...........}..'........C...=......m..'....t..........!o..(5...Z..+;..5u..+;..c...+O......1...!...D@...8..E@.....H4...,..HY..QI..H.......IC......J....1..J.......J.......LD......L.......PS......QR...R..R...V2..T.......U....]..X.......Zr.....[`......\....t..]x......_......._.......yg......1...6....E..8V..............C............................$..RN...[...0...,.......y.......y...................K...........9..R....E.."............z.......................%..F;...D...[..................................!....5.......0...I...0.......0...5...0..#....5.......5...p..............W}.. D..(... D..P=..+.......<U......<U......<.......H5..(...H5..P...L.......VE......VE......V....B..f...JJ..f.......f.

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qtbase_bg.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	165337
Entropy (8bit):	5.332219158085151
Encrypted:	false
SSDEEP:	1536:9ULiyUxPoT6qx+J7FJlaaMJnxjqxq+0Uiff0mbVeb7wiEwYuYqDKBkKHMXHCIMll:9ULpIVFnpwUiEujw27ncUQUz
MD5:	660413AD666A6B31A1ACF8F216781D6E
SHA1:	654409CDF3F551555957D3DBCF8D6A0D8F03A6C5
SHA-256:	E448AC9E3F16C29EB27AF3012EFE21052DAA78FABFB34CD6DFF2F69EE3BD3CDB
SHA-512:	C6AE4B784C3D302D7EC6B9CE7B27DDAF00713ADF233F1246CD0475697A59C84D6A86BAA1005283B1F89FCC0835FD131E5CF07B3534B66A0A0AA6AC6356006B8F
Malicious:	false
Preview:	<.d....!..`.......bg_BGB../......,....+..."...@...]...A.......B.......C.......D...P...E...!...F.......G.......H.......I.......P.......Q.......R...A...S...e...T.......U.......V.......W...1...X...U...Y...y...]..,....s...,...t...................P...;..+....;..-E...;..!....;..+....M..,Y...O...,...O..............}..,............=...Q...m..,....t...\|......>...(5..1...+;..<...+;..o...+O...r..1...>...D@......E@......H4......HY..[...H.......IC......J....E..J....X..J.......LD......L....L..PS......QR.."...R...`...T....X..U.......X.......Zr...q..[`...`..\.......]x......_......._....T..yg.....1...=....E..?...............L(.......(...............'...$..\....[.......,...I...y...!...y...................S...........9..]%...E..5p...........z..!q...................%..O....D..................D.....8......:......?....5...&...0.......0.. ....0...c...0..5....5.......5..................b:.. D..-... D..Z...+.......<U......<U...0..<.......H5..-...H5..[...L.......VE..#a..VE..;...V.......f...T...f...!..

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qtbase_ca.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	210159
Entropy (8bit):	4.666388181115542
Encrypted:	false
SSDEEP:	3072:P/DVhdlafzvZfeW+6kXEVjSVPzC3ceKdP2:xYf7UW+WjwP2
MD5:	B383F6D4B9EEA51C065E73ECB95BBD23
SHA1:	DD6C2C4B4888B0D14CEBFC86F471D0FC9B07FE42
SHA-256:	52E94FCC9490889B55812C5433D009B44BDC2DC3170EB55B1AF444EF4AAE1D7F
SHA-512:	9401940A170E22CE6515E3C1453C563D93869A3C3686C859491A1F8795520B61BF3F0BFE4687A7380C0CC0C75E25559354FDB5CEF916AF4C5B6CD9661464A54A
Malicious:	false
Preview:	<.d....!..`.......caB..7....*.......+.../...@..:P...A..:t...B..:....C..:....D..;=...E..<....F..<Z...G..<~...H..<....I..<....P..>....Q..>....R..?....S..?R...T..?v...U..?....V..?....W..@....X..@<...Y..@`...]../....s..1....t..........2s......#p...;.......;../....;..W....;..e+...M../3...O.......O..9.......J....}../]......8....=..9....m../....t..9Y.......S..(5..lB..+;.._...+;...=..+O..U...1.......D@..:...E@..?...H4...J..HY..~...H..."...IC...0..J....W..J....0..J.......LD..!...L...!f..PS..)...QR.."...R.......T...9~..U...9...U...z...X...>...Zr..E...[`...e..\...LD..]x..7U.._......._...M...yg..f...1...a....E..c....7.........U.......p........b.......4.......K...$.......[.......,.......y.......y...................^...........9...:...E...s...... (...z..":.......d......!....%..tQ...D.."......."......2......ve.....y...........5..#H...0...\...0..W+...0..';...0.......5..(....5..........)s.......... D..0w.. D..}...+...1...<?..5x..<U......<U..5...<...6@..H5..0...H5..~...L...9...VE..$...V...SV..f.

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qtbase_cs.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	174701
Entropy (8bit):	4.87192387061682
Encrypted:	false
SSDEEP:	3072:5WjuhX0CVRaakGjW9E8SSOQfX/JlwVOMxrboRPqWxXfQvO7zjBf:5iFGj1QfXr8Gd
MD5:	C57D0DE9D8458A5BEB2114E47B0FDE47
SHA1:	3A0E777539C51BB65EE76B8E1D8DCE4386CBC886
SHA-256:	03028B42DF5479270371E4C3BDC7DF2F56CBBE6DDA956A2864AC6F6415861FE8
SHA-512:	F7970C132064407752C3D42705376FE04FACAFD2CFE1021E615182555F7BA82E7970EDF5D14359F9D5CA69D4D570AA9DDC46D48CE787CFF13D305341A3E4AF79
Malicious:	false
Preview:	<.d....!..`.......cs_CZB..3p.....F....+.......@..!....@..Ef...A..!....A..E....B.."1...B..E....C.."U...C..E....D.."....D..F....E..#p...E..F)...F..#....F..FP...G..#....G..Fw...H..$....H..F....I..$6...I..F....P..&%...P..Gr...Q..&I...Q..G....R..&....R..G....S..&....S..H....T..&....T..H8...U..'....U..H_...V..'Z...V..H....W..'~...W..H....X..'....X..H....Y..'....Y..H....]..,....]..,....s.......t...9..................;.......;..+....;..1B...;......;..?x...;..N....;..iY...;..s3...M..,B...M..,....O.......O...w...O..rr...........}..,j...}..-....... 5...=.. ....m..,....m..-8...t.. .......ay..(5..TT..+;...A..+;..B...+;..u...+O......+O..=a..1...a...D@.."...E@..&m..E@..G...F...J...H4...=..HY..`...H.......I...J...IC......J....-..J.......J.......LD......L....(..PS.....QR.."S..R...e...T.... ..U......X.......Zr...g..[`......\......]x......_......._......._...v...yg......1...C....E..E...............=.......Q........................s...$..a....[.......,.......y.......y...y..............G..........

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qtbase_da.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	181387
Entropy (8bit):	4.755193800761075
Encrypted:	false
SSDEEP:	3072:XzswP2UvZ5aZ9jFTkmq/gnBNW/+PcWrqm2Vliz0DGdaS4KSLZjwTTgwUR0toT:j3m27AjCT
MD5:	859CE522A233AF31ED8D32822DA7755B
SHA1:	70B19B2A6914DA7D629F577F8987553713CD5D3F
SHA-256:	7D1E5CA3310B54D104C19BF2ABD402B38E584E87039A70E153C4A9AF74B25C22
SHA-512:	F9FAA5A19C2FD99CCD03151B7BE5DDA613E9C69678C028CDF678ADB176C23C7DE9EB846CF915BC3CC67ABD5D62D9CD483A5F47A57D5E6BB2F2053563D62E1EF5
Malicious:	false
Preview:	<.d....!..`.......daB..4......h....+......@...f...A.......B.......C.......D...U...E.......F...v...G.......H.......I.......P.......Q.......R...6...S...Z...T...~...U.......V.......W..."...X...F...Y...j...]..+....s.......t..................-...;..+....;..,....;../....;..;....M..+....O.......O...r...........}..,............=...8...m..,0...t...c......T...(5..B...+;..NH..+;..~H..+O..,...1...UP..D@......E@......H4...E..HY..j...H.......IC...#..J....J..J.......J.......LD......L....1..PS...B..QR......R...o...T.......U.......X.......Zr......[`...W..\....}..]x...[.._....-.._.......yg...e..1...O....E..R....7..........-!......]............................$..k....[...7...,.......y...c...y.................j4...........9..l8...E..p............z...;..................%..a....D...~.............-.....L......OH.....Uz...5.......0.......0...U...0.......0..p....5...7...5..L$..............p... D..-... D..i...+....@..<U.....<U.....<....S..H5..-2..H5..j$..L....B..VE.. ...VE..P...V......f...e...f.

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qtbase_de.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	220467
Entropy (8bit):	4.626295310482312
Encrypted:	false
SSDEEP:	3072:7w8go8+ph6JVB8XVXYWpSNEeg8+vaD+p4N8DDiEKugwGZulh15ce4M+4NsPYXCZW:88h8Sj286tTiDD
MD5:	40760A3456C9C8ABE6EA90336AF5DA01
SHA1:	B249AA1CBF8C2636CE57EB4932D53492E4CE36AC
SHA-256:	553C046835DB9ADEF15954FA9A576625366BA8BFD16637038C4BCD28E5EBACE1
SHA-512:	068E55F39B5250CC937E4B2BD627873132D201D351B9351BE703CD9B95D3BAFB4BD649CB4DF120A976D7C156DA679758D952CAC5E0523107244E517D323BC0C5
Malicious:	false
Preview:	<.d....!..`.......de_DEB..7....*.......+..3....@..R....A..R....B..S....C..S@...D..S....E..T]...F..T....G..T....H..T....I..U#...P..W....Q..W6...R..W....S..W....T..W....U..W....V..XG...W..Xk...X..X....Y..X....]..2%...s..J$...t..9R......J.......B....;..1....;..3....;..q....;.......M..2O...O.......O..X@......ia...}..2y......Q....=..Q....m..2....t..Q...........(5......+;..ev..+;......+O..oh..1....4..D@..R...E@..WZ..H4..4...HY...[..H...AY..IC..>o..J...>...J.......J...>6..LD..@A..L...@...PS..I...QR..#...R....h..T...W...U...Xh..U....~..X...]...Zr..e(..[`..)...\...j...]x..O..._....K.._...lI..yg...U..1...f....E..i....7..........o.......wG......6.......6.......8....$...n...[..8....,..9....y.......y..=................3......>....9.......E..."......?_...z..#d.......0......A%...%..z....D..A.......B......KP......2.............^...5..B....0.......0..p....0..F....0...}...5..G....5..........H........... D..3}.. D...O..+...Q...<?..Ti..<U......<U..T...<...U)..H5..3...H5......L...X...VE..%j..V...l..

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qtbase_en.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	16
Entropy (8bit):	4.0
Encrypted:	false
SSDEEP:	3:j2wZC4n:CwZ
MD5:	BCEBCF42735C6849BDECBB77451021DD
SHA1:	4884FD9AF6890647B7AF1AEFA57F38CCA49AD899
SHA-256:	9959B510B15D18937848AD13007E30459D2E993C67E564BADBFC18F935695C85
SHA-512:	F951B511FFB1A6B94B1BCAE9DF26B41B2FF829560583D7C83E70279D1B5304BDE299B3679D863CAD6BB79D0BEDA524FC195B7F054ECF11D2090037526B451B78
Malicious:	false
Preview:	<.d....!..`...

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qtbase_es.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	165170
Entropy (8bit):	4.679910767547088
Encrypted:	false
SSDEEP:	1536:JVwzuvb+Ta64KQd84arHX5pxiVhA8QlOD/BnFNa8NsvsfFsfcoZtIx6F:JVwSTG4KqVaLX5pEVK7OJFczstgRtIx8
MD5:	C7C58A6D683797BFDD3EF676A37E2A40
SHA1:	809E580CDBF2FFDA10C77F8BE9BAC081978C102B
SHA-256:	4FFDA56BA3BB5414AB0482D1DDE64A6F226E3488F6B7F3F11A150E01F53FA4C8
SHA-512:	C5AED1A1AA13B8E794C83739B7FDDEAFD96785655C287993469F39607C8B9B0D2D8D222ECD1C13CF8445E623B195192F64DE373A8FB6FE43743BAF50E153CDA5
Malicious:	false
Preview:	<.d....!..`.......es_ESB../......,...+...y...@.......A.......B.......C.......D...v...E...=...F.......G.......H.......I.......P.......Q... ...R...k...S.......T.......U.......V...1...W...U...X...y...Y.......]..+....s.......t...................c...;..+....;..,....;...%...;..#....;..-....M..+....O.......O...............}..,............=...]...m..,/...t..........A...(5..3...+;..<...+;..o...+O..!b..1...Ap..D@......E@...D..H4...-..HY..[F..H.......IC...%..J....L..J.......J.......LD......L....O..PS......QR..!...R...`K..T.......U....&..X.......Zr.....[`...h..\......]x...\|.._....Y.._....A..yg......1...=....E..?a......!.......K........G...............R...$..\Q...[.......,...z...y.......y..................+............9..\....E..2............z.. ....................%..ON...D........................:......=B.....A....5...7...0.......0......0.."....0...,...0..3....5...}...5...Y..............a... D..-!.. D..Z6..+....0..<U...h..<U......<.......H5..-M..H5..Z...L.......VE.."...VE..>...V......

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qtbase_fi.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	179941
Entropy (8bit):	4.720938209922096
Encrypted:	false
SSDEEP:	3072:lvdTgO2Yl97ZWnbgTLt/Tf9IlqAeiy5uWkYGM0wNCdRjSK2YUlUs:lvdkA9vh5uWkY0MK2YXs
MD5:	8472CF0BF6C659177AD45AA9E3A3247C
SHA1:	7B5313CDA126BB7863001499FB66FB1B56C255FC
SHA-256:	E47FE13713E184D07FA4495DDE0C589B0E8F562E91574A3558A9363443A4FA72
SHA-512:	DE36A1F033BD7A4D6475681EDC93CC7B0B5DCB6A7051831F2EE6F397C971B843E1C10B66C4FB2EFF2A23DC07433E80FBF7B95E62C5B93E121AB5AD88354D9CB8
Malicious:	false
Preview:	<.d....!..`.......fiB..38.....ct...+......@.......A.......B.......C...@...D.......E...]...F.......G.......H.......I...#...P.......Q...6...R.......S.......T.......U.......V...G...W...k...X.......Y.......]......s...T...t.......................;......;..+....;..&....;..3....M..+!...O.......O...e...........}..+K...........=.......m..+w...t..........J...(5..9...+;..:y..+;..mW..+O..$...1...KY..D@......E@...Z..H4...l..HY..X&..H.......IC......J.......J...."..J......LD.....L.......PS...'..QR.. L..R...]...T.......U.......X.......Zr......[`......\.......]x......_....k.._....>..yg.. /..1...;....E..>....7..{(......%.......J........T.......&.......U...$..Y[...[......,...s...y.......y...a.......}......d...........9..Y....E..k'...........z...........V..........%..M....D...Q.......{......d.....A......E......K....5.......0.......0..&J...0.......0..k....5......5..I9.............._:.. D..,O.. D..W...+....9..<U...G..<U...*..<.......H5..,y..H5..W...H5......L....5..VE..!u..VE..E...V..."{..f.

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qtbase_fr.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	166167
Entropy (8bit):	4.685212271435657
Encrypted:	false
SSDEEP:	1536:CLZ1w8McowCppcPwL5pYFw+G00QsbLckCiWxvq+sjs06oFm:C91wxcowspc4L5pUw+cz39CiQ7tloFm
MD5:	1F41FF5D3A781908A481C07B35998729
SHA1:	ECF3B3156FFE14569ECDF805CF3BE12F29681261
SHA-256:	EDB32A933CEF376A2636634E14E2977CED6284E4AA9A4AC7E2292F9CA54C384A
SHA-512:	A492E8AC88095A38A13549C18C68E1F61C7054AB9362C2B04C65B93E48E4A07941C8DA6950BAE79041094623E0ED330CA975110FDE8248B4D9380B9F729AD891
Malicious:	false
Preview:	<.d....!..`.......fr_FRB../....*..-....+.......@.......A.......B.......C...?...D.......E...\...F.......G.......H.......I..."...P.......Q...5...R.......S.......T.......U.......V...F...W...j...X.......Y.......]..+....s...=...t.......................;..+....;..,....;.......;..$b...;.......M..,....O.......O...5...........}..,3...........=.......m..,]...t..........A...(5..5j..+;..<T..+;..o...+O.."+..1...B\..D@......E@...Y..H4...8..HY..[{..H.......IC......J.......J.......J.......LD...\|..L.......PS...?..QR..!...R...`j..T.......U....[..X.......Zr.....[`...)..\......]x......_....7.._.......yg...i..1...=Q...E..?@......"Y......K............................$..\....[...^...,...'...y.......y...+.......o....../c.......Y...9..\....E..6(...........z..!................j...%..OC...D...+.......[......a.....;......>......B....5.......0.......0...m...0..#....0.......0..6....5.......5..................a... D..-Y.. D..Ze..+....]..<U...;..<U......<.......H5..-...H5..Z...L.......VE.."...VE..?...V......

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qtbase_gd.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	189580
Entropy (8bit):	4.630160941635514
Encrypted:	false
SSDEEP:	1536:SiaI3C87jhakhR0VGkw7ys7CskUH6y4e6IFB4xyMuhvDnJGhFaCo527arBbm07LZ:S2yGjh17yGqxTXhvQoejJd8FUjVgk
MD5:	EB1FB93B0BE51C2AD78FC7BA2F8B9F42
SHA1:	24F7FF809E2F11C579CD388FEA5A4C552FF8D4D0
SHA-256:	63B439DD44139AA3AED54C2EBE03FA9BC77F22C14ED8FBA8EFF2608445BB233D
SHA-512:	E13770AEF33B6666ED7D54E03EE20CA291D4167D673BA6C61D8E64CDD5F7FFE0A9521B95AF67BE719BF263932ECF16E2B2D0B5F3404F9BCD7879114FCC6FC474
Malicious:	false
Preview:	<.d....!..`.......gd_GBB..2....*...u...+......@.......A...B...B.......C.......D.. ....E.. ....F..!&...G..!J...H..!n...I..!....P..#m...Q..#....R..#....S..$....T..$$...U..$H...V..$....W..$....X..$....Y..%....]../....s...'...t...................F...;.......;../....;..=V...;..G....M../G...O.......O...k......$....}../o.......i...=.......m../....t..........[...(5..M...+;..@...+;..x...+O..:...1...\7..D@...f..E@..#...H4...p..HY..be..H.......IC......J.......J....R..J.......LD......L.......PS......QR..#l..R...g...T.......U.......X....\..Zr......[`......\...&...]x......_....C.._...'t..yg..?...1...BM...E..D.......;.......R'.......t.......@.......?...$..c....[......,...i...y.......y...Y.......f.......+...........9..c....E...............z.."....................%..U....D..................G.....UB.....W......\]...5.......0.......0..<....0...;...0.......5.......5..ij..............h... D..0... D..aC..+....K..<U.....<U...~..<.......H5..0...H5..a...L....1..VE..$...VE..X...V...8\|..f...Z...f...=..

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qtbase_he.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	138690
Entropy (8bit):	5.515748942553918
Encrypted:	false
SSDEEP:	3072:XSue8Z7T3iJsqBejt/zNHSLzdetY2ZISfC/S:XSueK3w7Ijt8zUtYAISfC/S
MD5:	DEAF87D45EE87794AB2DC821F250A87A
SHA1:	DB39C6BAA443AA9BB208043EF7FB7E3403C12D90
SHA-256:	E1EBCA16AFE8994356F81CA007FBDB9DDF865842010FE908923D873B687CAD3F
SHA-512:	276FCE81249EFFE19E95607C39F9ACB3A4AFA3F90745DA21B737A03FEA956B079BCA958039978223FD03F75AC270EC16E46095D0C6DDA327366C948EC2D05B9C
Malicious:	false
Preview:	<.d....!..`.......he_ILB../....*......+..Sw...@......A......B.......C.......D...X...E.......F.../...G...O...H...o...I......P.......Q.......R...I...S...i...T......U......V.......W.......X.../...Y...O...]..$....s......t..X:.......4......`Y...;..$....;..%....;.......;...5...;.......M..$....O...6...O..s............}..%-...........=...m...m..%k...t..........^..(5......+;..2...+;..^...+O...N..1.......D@......E@...(..H4..T...HY..L...H..._...IC..\...J...\...J.......J...\j..LD..^...L...^o..PS..fl..QR......R...Q...T...su..U...s...X...x3..Zr..~...[`..L\..\.......]x....._......._....o..yg...(..1...3....E..5C.......z......?V......U.......U.......W....$..M....[..W....,..X....y.......y..\........a..............\@...9..NO...E...?......]s...z...G.......(......^....%..B^...D.._......._.................... ..........5..`/...0.......0...L...0......0..d(...0......5..ek...5..........fB......R... D..&O.. D..K...+...l...<U......<U..p)..<...p...H5..&w..H5..La..L...s...VE......VE......V.....

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qtbase_hu.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	160494
Entropy (8bit):	4.831791320613137
Encrypted:	false
SSDEEP:	3072:BmOMZadV9n51xXeQvjOiIzz7/Vs9Db3ihuJNvMfWxBNlYzYbTrIkfwb03l24cNKu:HkWa5pg0MahBHDd
MD5:	E9D302A698B9272BDA41D6DE1D8313FB
SHA1:	BBF35C04177CF290B43F7D2533BE44A15D929D02
SHA-256:	C61B67BB9D1E84F0AB0792B6518FE055414A68E44D0C7BC7C862773800FA8299
SHA-512:	12947B306874CF93ABA64BB46FAC48179C2D055E770D41AF32E50FFFB9F0C092F583AFCEA8B53FE9E238EF9370E9FFFBEB581270DFA1A7CB74EBE54D9BFF459F
Malicious:	false
Preview:	<.d....!..`.......hu_HUB../...........+.......@.......A...0...B...{...C.......D.......E.......F.......G...<...H...`...I.......P...s...Q.......R.......S.......T......U...N...V.......W.......X.......Y.......]..+y...s.......t.......................;..+Q...;..,U...;.......;.......;..&....M..+....O.......O...U..........}..+............=.......m..+....t..........9c..(5..,...+;..;...+;..m7..+O......1...9...D@...T..E@......H4...v..HY..Y...H.......IC......J.......J.......J.......LD......L.......PS...}..QR..!...R...]...T.......U....{..X.......Zr...=..[`......\......]x...-.._......._......yg...M..1...<....E..>...............J........T.......(.......S...$..Z....[.......,...u...y.......y...[...............#...........9..Z....E..#&...........z..!'...................%..Mv...D..._....................32.....5......9....5.......0...h...0...E...0.......0.......0..#....5...Z...5...........G......_2.. D..,... D..W...+....W..<U......<U...B..<.......H5..,...H5..X{..L....)..VE.."...VE..6l..V.....

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qtbase_it.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	161172
Entropy (8bit):	4.680034416311688
Encrypted:	false
SSDEEP:	1536:eSfxfdO4BKJb0td5pqCOIUP/PFIM7gxGQ9sRrFM6QJ4m8ihkM:eSfxFO4BKJb0td5pnOrvCqg9mRK4IkM
MD5:	88D040696DE3D068F91E0BF000A9EC3E
SHA1:	F978B265E50D14FDDE9693EC96E99B636997B74D
SHA-256:	7C7DC8B45BF4E41FEC60021AB13D9C7655BE007B8123DB8D7537A119EB64A366
SHA-512:	F042637B61C49C91043D73B113545C383BD8D9766FD4ACC21675B4FF727652D50863E72EA811553CB26DF689F692530184A6CE8FE71F9250B5A55662AFE7D923
Malicious:	false
Preview:	<.d....!..`.......it_ITB../....*.......+.......@.......A..."...B...m...C.......D.......E.......F.......G...0...H...T...I...x...P...q...Q.......R.......S.......T...(...U...L...V.......W.......X.......Y.......]..+....s...'...t...................^...;..+[...;..,g...;.......;.......;..!B...M..+....O...D...O...........(...}..+........I...=.......m..,....t..........4...(5..'...+;..<...+;..oV..+O......1...5...D@...F..E@......H4...J..HY..Z...H.......IC...L..J....s..J....j..J.......LD......L....f..PS......QR..!...R..._...T.......U....3..X.......Zr......[`...Q..\.......]x......_......._....0..yg...C..1...=....E..?o..............Kf.......h.......8.......I...$..[....[.......,...m...y...9...y...........z.......z...........9..\=...E..$u.......:...z.. k...................%..N....D..................M............0......5/...5...2...0.......0...0...0...A...0...)...0..$....5.......5...J.......a......a... D..,... D..Y...+.......<U......<U......<....v..H5..-...H5..Z...L.......VE.."c..VE..1...V....X.

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qtbase_ja.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	129911
Entropy (8bit):	5.802855391832282
Encrypted:	false
SSDEEP:	1536:W8YYSCjKBJ26c1Z7f25pVmuLXpxfqt7FEUWNrfQje9kWI23pKXvx:xYuKBJ01Z7u5pQuLbESUWNzAAI23pKfx
MD5:	608B80932119D86503CDDCB1CA7F98BA
SHA1:	7F440399ABA23120F40F6F4FCAE966D621A1CC67
SHA-256:	CBA382ACC44D3680D400F2C625DE93D0C4BD72A90102769EDFD1FE91CB9B617B
SHA-512:	424618011A7C06748AADFC2295109D2D916289C81B01C669DA4991499B207B781604A03259C546739A3A6CF2F8F6DFA753B23406B2E2812F5407AEE343B5CBDD
Malicious:	false
Preview:	<.d....!..`.......jaB../....*...'...+..=....@.......A.......B...?...C...c...D......E......F.......G.......H..."...I...F...P.......Q...'...R...r...S......T......U.......V...8...W...\...X......Y......].."k...s...Q...t..A...............I....;.."C...;..#A...;.......;.......;.......M.."....O...B...O..[?......h....}.."........m...=.......m.."....t...........M..(5......+;......+;..WU..+O......1.......D@......E@...K..H4..>=..HY..F...H...Hr..IC..E...J...F...J.......J...E...LD..Gz..L...G...PS..O...QR......R...K!..T...Z...U...[e..X..._f..Zr..e...[`..7...\...i...]x...'.._......._...j...yg..~+..1.../....E..1?.......#......:.......?.......?n......A....$..G....[..Ap...,..B....y.......y..Ew......\|...............E....9..H....E..........F....z...]..............HL...%..=R...D..H.......I!......[......J......M..........5..It...0...3...0.......0...C...0..M....0...a...5..N....5..........N.......L6.. D..#... D..E...+...U%..<U......<U..X ..<...X...H5..#...H5..FK..L...[...VE......VE......V......f.

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qtbase_ko.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	156799
Entropy (8bit):	5.859529082176036
Encrypted:	false
SSDEEP:	1536:rvTy18hhPekHs1iNXVExWbStnn8TExgkYOvYejZOvXx4Mmf0MwUL8smk/pDZyy:y18hJ61nMStnn8TOgknQRLWZmkxNyy
MD5:	082E361CBAC2E3A0849F87B76EF6E121
SHA1:	F10E882762DCD2E60041BDD6CC57598FC3DF4343
SHA-256:	0179ED1B136E1CB3F583351EAA2C545BA3D83A6EE3F82C32505926A1A5F5F183
SHA-512:	F378A42116924E30FA0B8FFF1D3C3CB185DC35B2746DCE2818BE7C2AA95C5DE103DF44AAC74DA969C36C557F1D4DE42AC7647EC41066247F8AD2697BDED667EA
Malicious:	false
Preview:	<.d....!..`.......koB..7...........+.......@...K...A...o...B......C.......D...8...E.......F...U...G...y...H......I.......P......Q.......R.......S...C...T...g...U.......V.......W.......X...-...Y...Q...]..$....s...>...t...................y...;..${...;..%....;...u...;...l...M..$....O.......O...8...........}..$............=...C...m..%!...t...n..........(5...a..+;..E@..+;..l\|..+O......1.......D@.....E@......H4......HY..\...H....]..IC......J.......J....8..J.......LD...a..L.......PS......QR......R...`...T.......U....^..U.......X....y..Zr......[`..y...\....A..]x......_......._....o..yg......1...FJ...E..HE...7..................Q........a.......5...........$..]....[...;...,.......y.......y...V...............!.......\|...9..]....E...R...........z...4.......f.......5...%..Te...D..................D......^................5...S...0.......0.......0.......0.......5.......5...........n......a... D..%... D..[...+.......<?......<U...;..<U...+..<.......H5..&...H5..\...L.......VE......V....A..f.

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qtbase_lv.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153608
Entropy (8bit):	4.843805801051326
Encrypted:	false
SSDEEP:	3072:y5pmbKIhooMbGe91MrjOhmGzP6LJbWz5XIxELpU6:yObeqrjPGzeJyJLy6
MD5:	BD8BDC7BBDB7A80C56DCB61B1108961D
SHA1:	9538C4D8BB9A95C0D9DC57C7708A99DD53A32D1F
SHA-256:	846E047573AE40C83671C3BA7F73E27EFC24B98C82701DA0DF9973E574178BB2
SHA-512:	F040EC410EBFEA21145F944E71ADCAE8E5F60907D1D3716A937A9A59A48F70C6B7EAAC91C2C554F59357A7BC820CDBD17C73A4DECC20B51F68EB79EDD35C5554
Malicious:	false
Preview:	<.d....!..`.......lv_LVB..........B...+..y....@.......A...=...B......C......D.......E.......F...#...G...G...H...k...I.......P...~...Q......R.......S.......T...5...U...Y...V......W.......X.......Y.......]..%....s.......t...8.......n.......A...;..&....;.......;...!...;...A...;../....M..%....O.......O...............}..%...........=.......m..&....t...(......(g..(5...+..+;..4...+;..d...+O......1...(...D@...a..E@......H4..z...HY..Q...H.......IC......J....6..J.......J.......LD......L....9..PS......QR......R...U...T....S..U.......X...._..Zr......[`..r...\.......]x....._......._....{..yg......1...5v...E..7........(......B.......\|.......\|W......~r...$..R....[..~....,.......y...l...y...............................9..S....E...g...........z...z...................%..F....D........................"Z.....$......)....5.......0...\...0.......0...r...0.......0.......5...a...5..........J......V... D..&... D..P...+.......<U......<U......<.......H5..'"..H5..P...L....~..VE...R..VE..%...V......

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qtbase_pl.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	162982
Entropy (8bit):	4.841899887077422
Encrypted:	false
SSDEEP:	1536:sXpestp/YIFtDT8FIWYbIJmPYuIpnmxAk6mwyJNqSm9+P:sxpTDT8FIWfJmdCmxApmbnqSm9+P
MD5:	F9475A909A0BAF4B6B7A1937D58293C3
SHA1:	76B97225A11DD1F77CAC6EF144812F91BD8734BD
SHA-256:	CE99032A3B0BF8ABAD758895CC22837088EAD99FD2D2514E2D180693081CFE57
SHA-512:	8A4F1B802B6B81FF25C44251FB4A880E93E9A5FE25E36825A24BFE0EFB34E764E7E1EE585D3A56554964B7921E7813C67F12D200D6E0C5EAF4BB76B064B5C890
Malicious:	false
Preview:	<.d....!..`.......pl_PLB..0......"....+.......@...F...A...j...B......C.......D...3...E.......F...P...G...t...H.......I.......P.......Q.......R.......S...>...T...b...U.......V.......W.......X...(...Y...L...]......s.......t...r.......o.......+...;......;..+....;..."...;... ...M......O...6...O...........a...}..+...........=.......m..+G...t...G......,...(5......+;..:...+;..k...+O......1...-[..D@.....E@......H4...U..HY..WU..H.......IC......J....6..J.......J.......LD......L....%..PS......QR.. ...R...[...T....1..U.......X......Zr......[`......\.......]x...A.._......._....}..yg......1...;W...E..=........%......H....................$..Xp...[.......,.......y...i...y...........}......$R...........9..X....E..+)...........z.. E...................%..K....D...p....................&......(......-....5.......0.......0...e...0.......0..+....5...]...5...........f......]-.. D..,%.. D..V?..+....V..<U......<U......<....-..H5..,M..H5..V...L....Z..VE..!...VE..)...V.......f...P...f....K..f......

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qtbase_ru.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	203767
Entropy (8bit):	5.362551648909705
Encrypted:	false
SSDEEP:	1536:hn4dEJ63pdhPpy6gu5fs4MHQv6sLlxnrncF423ZL9xyuXwdcX8LZuf76CW+WeXFx:aN3pdV5fZbpItXsttRY+WSq
MD5:	5096AD2743BF89A334FBA6A2964300D4
SHA1:	405F45361A537C7923C240D51B0FF1C46621C203
SHA-256:	3DA6605668F9178D11A838C4515478084DCFB4F9CF22F99D7A92B492DB9C224B
SHA-512:	7B88B501792B5831426BAA669138192ED94CC3F8323A3DF9D5287655DC4D877706908C517AB7523AE8A283BF50B47123F13B8AE40EA2F3081C3459EDC47FC8DD
Malicious:	false
Preview:	<.d....!..`.......ru_RUB..7.......L...+...W...@..,....A..,....B..-1...C..-U...D..-....E...r...F.......G.......H../....I../8...P..1'...Q..1K...R..1....S..1....T..1....U..2....V..2\...W..2....X..2....Y..2....].......s..$c...t...'......%........r...;..-....;.......;..J....;..V....M...C...O.......O..&.......8....}...m......+3...=..+....m.......t..+.......p...(5..]@..+;..[0..+;......+O..H...1...qM..D@..-...E@..1o..H4...p..HY..xm..H......IC...@..J....g..J.......J.......LD......L....p..PS......QR..!...R...}...T...&...U...'...U...ki..X...+...Zr..3...[`......\...:...]x..)..._......._...;...yg..S...1...\....E..__...7.........H.......k................j.......U...$..y....[.......,.......y...k...y...............................9..y....E...O...........z..!*...................%..nW...D.................%w.....g......j~.....qw...5...H...0.......0..I....0..._...0......5.......5..................~... D../k.. D..wa..+....?..<?.."t..<U......<U.."...<...#z..H5../...H5..w...L...&...VE.."...V...F$.

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qtbase_sk.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	125763
Entropy (8bit):	4.80343609423322
Encrypted:	false
SSDEEP:	3072:roXDuC1u/2lUBGjJirE5tsd/aev1GIfOdvhw:OucMGjH5tbm
MD5:	3D60E50DCBCBD70EE699BC9B1524FCB9
SHA1:	0211B4911B5B74CC1A46C0FCA87D3BF5632AA44A
SHA-256:	D586AE2C314074CF398417FDECB40709D5478DFEB0A67C2FE60D509EE9B59ED7
SHA-512:	F98211867F1DBCB8A342C00E23FA5718BE6E999F7449CB8470B41BF0F527C7F78CC4D6666E28968F32E96026907156753979BFADA7E6BF4225D02A902D24906D
Malicious:	false
Preview:	<.d....!..`.......sk_SKB..$x...*.......+..>....@......A......B.......C.......D...3...E...Z...F......G......H.......I.......P.......Q...D...R.......S......T.......U.......V...1...W...X...X.......Y......]...Y...t..D-......K....;...3...;.......;.......;......;...V...M.......O.._ ......l....}.......m...........T..(5...(..+;......+;..%...+O......1......E@...k..F.......H4..?I..HY..@7..H...J...I....,..IC..HT..J...H{..J...H...LD..J"..L...Jv..PS..Q...R...D...Zr..i]..[`..7...\...nB.._...o...1...&....E..(........B......19......A.......A....$..AF...[..C....,..D....y..G.......v........g......G....9..A....E..........IH...%..4.......Kf..............................5..K....0...,...0.......0.......0..Of...0.......5..P....5..........E... D...C.. D..?'..+...Y`..<U......<U..\...<...]...H5...m..H5..?...L...^...VE......f.......f...8...g.......l...aP.......................6......d....D..f(...`..f...............?....`..h5...y..H....5..j........E...e.......e..@....... ......>......oZ......l..

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qtbase_tr.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	194487
Entropy (8bit):	4.877239354585035
Encrypted:	false
SSDEEP:	3072:yRRhAFCvqDBitD/iDG9AOH+l4TcwZBPqHo9fd9CFRK+2IKAimxsjucV2p0ZqvRu7:yRRHs5mksWVX3lA3
MD5:	6CBC5D8E1EABEC96C281065ECC51E35E
SHA1:	4E1E6BA3772428227CB033747006B4887E5D9AD1
SHA-256:	6A0BF6E70E7920C2B193E76E92F78F315936955D3B06AC039D917F2E06C43281
SHA-512:	CE1F9EE180176153D5F523D71E0DB06F4DEA65C24E5E2CD56341CFAEE349A8E9A0F606D99F7219A35DD4516D1528C90AEA4BB87548A55392B8F2B36164D478B1
Malicious:	false
Preview:	<.d....!..`.......tr_TRB..7....*.......+...-...@.......A.......B.......C...%...D.......E...F...F.......G.......H.......I.......P.. ....Q.. ....R..!D...S..!h...T..!....U..!....V.."....W.."0...X.."T...Y.."x...]..,g...s.../...t......................;..,9...;..-I...;..9@...;..E....M..,....O.......O...G...........}..,............=...\...m..,....t.........._3..(5..LJ..+;..Wt..+;...\..+O..7...1..._...D@......E@..!...H4...@..HY..t...H....2..IC...r..J......J....D..J....K..LD...$..L....x..PS......QR..!...R...x...T.......U....q..U...Y...X...."..Zr...%..[`......\....:..]x......_......._.......yg..6...1...X....E..[....7...Z......7Q......f............................$..u....[...:...,...5...y.......y...........7...............!...9..u....E...........P...z.. ........p...........%..j....D..................A.....U......Y......_....5...V...0.......0..8....0...U...0.......5.......5..~b..............z+.. D..-... D..s...+.......<?...8..<U...s..<U...p..<.......H5..-...H5..s...L.......VE.."0..V...4..

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qtbase_uk.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	158274
Entropy (8bit):	5.402056706327934
Encrypted:	false
SSDEEP:	1536:jXwjFVUDdMUD4TzdAhpQgO5poZHvJllEnhmdK4I77/dnPJX/imfb1jhvv3BxT8ue:jBzD4Tzaw5pCvJ8hVPdlvj3p8
MD5:	D6234E4E21021102B021744D5FA22346
SHA1:	63A14327D0CF0941D6D6B58BFA7E8B10337F557B
SHA-256:	51B8FF55B37DC5907D637A8DDDA12FBE816852B0244C74EB4F0FB84867A786E0
SHA-512:	37D24A092C5F29BACB7A4CA8207C4EEFD0F073B7E74A492402867F758084091BF1D79D2BA2B4A28B35FEF42E8023C371FDE97578F74BB2033551154E77102DE6
Malicious:	false
Preview:	<.d....!..`.......uk_UAB../.......E...+...l...@.......A.......B...G...C...k...D.......E.......F.......G.......H......I...N...P...=...Q...a...R.......S.......T.......U.......V...r...W.......X.......Y.......]..y...s.......t...........;.......n...;..Q...;..+U...;.......;...x...;..!(...M......O.......O...........6...}..........E...=.......m..*....t..........3...(5..&...+;..:...+;..k0..+O...A..1...4-..D@... ..E@......H4...8..HY..W...H....2..IC...V..J....}..J.......J....%..LD...&..L....z..PS......QR.. ...R...\...T....(..U.......X.......Zr......[`..~...\.......]x......_......._....4..yg...c..1...;....E..=w.......m......I............................$..X....[...<...,.......y.......y...........M...................9..Y....E...F.......D...z.. ........P...........%..LB...D.......................-n...../......4W...5...F...0...p...0...W...0.......0...k...0.......5.......5..................^... D..+... D..V...+.......<U.../..<U......<....>..H5..+...H5..V...L....S..VE..!...VE..0...V......

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\translations\qtbase_zh_TW.qm

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	127849
Entropy (8bit):	5.83455389078597
Encrypted:	false
SSDEEP:	3072:Fv2cHP10gOs6dcFxsJopMqOWv2WIrPFP8pa:Fh6s6iFxEodjef8pa
MD5:	9C6A3721D01ECAF3F952CE96F46CE046
SHA1:	4A944E9E31DF778F7012D8E4A66497583BFD2118
SHA-256:	085D29EAF9BBB788B2F2503D74A1EF963A9411CEB600441254CE49A120E1AB63
SHA-512:	6E2807B8785F42A26C9CCBDBA0327DD40B529B10C468593F0E74113774D1CCDAA4FD9ACE9B259B9040E1475911428ECAEA49425B0F170862CF8147D23DB48E46
Malicious:	false
Preview:	<.d....!..`.......zh_TWB..2x..........+..)....@.......A.......B...j...C......D.......E......F.......G...)...H...M...I...q...P...%...Q...I...R......S......T.......U.......V...Z...W...~...X......Y.......]..!....s.......t..-...............4....;..!z...;.."\|...;.......;.......M..!....O.......O..Ay......N)...}..!............=.......m.." ...t...(.........(5......+;..;...+;.._...+O......1.......D@...C..E@...m..H4..W..HY..Pm..H...3...IC..1...J...1...J.......J...1...LD..2...L...38..PS..6...QR...T..R...T...T...A...U...A...X...E...Zr..K...[`..$...\...OW..]x......_......._...P...yg..a^..1...<....E..>....7...>.......;......Fo......+.......+.......-L...$..QR...[..-....,...F...y.......y..1J...............6......1p...9..Q....E..........2....z...........<......3....%..H....D..4W......4}....................Z...... ...5..4....0...?...0...K...0..5....0...L...5..6....5..........6.......U... D.."... D..O...+...<%..<U......<U..>...<...?:..H5..#...H5..O...L...AS..VE...M..VE......V.......f...L..

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\QtCore.pyd

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2483712
Entropy (8bit):	6.241719144701645
Encrypted:	false
SSDEEP:	49152:ZYS8YHrNj4/7RsRLvYpiW3pCBU+Z7bJWvCSBYgbxGJ5M2GM/fXR1fUdihfSbCo6e:9bpj4/7RsRLvYpiW3pCBU+Z7bJWvCSBv
MD5:	678FA1496FFDEA3A530FA146DEDCDBCC
SHA1:	C80D8F1DE8AE06ECF5750C83D879D2DCC2D6A4F8
SHA-256:	D6E45FD8C3B3F93F52C4D1B6F9E3EE220454A73F80F65F3D70504BD55415EA37
SHA-512:	8D9E3FA49FB42F844D8DF241786EA9C0F55E546D373FF07E8C89AAC4F3027C62EC1BD0C9C639AFEABC034CC39E424B21DA55A1609C9F95397A66D5F0D834E88E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........}.........../....td./..../...td./...td./...td./...n../...1../......P...c./....c./....c./...Rich...........................PE..d....p.f.........." ...(............+.......................................0&...........`.............................................L.....................#.$.............%.... t.......................t..(....r..@............@..(o...........................text...~(......................... ..`.rdata..x....@......................@..@.data...h...........................@....pdata..$.....#......n#.............@..@.reloc.......%......L%.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\QtGui.pyd

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2494976
Entropy (8bit):	6.232020603277999
Encrypted:	false
SSDEEP:	24576:SUjOoTFrwI8nc6EmRAQ9RzgpP2bXYUKuXeLQp5PjYq0zb:SUqCgnZXRAQ9RzggbozJLQp5Mq
MD5:	AE182C36F5839BADDC9DCB71192CFA7A
SHA1:	C9FA448981BA61343C7D7DECACAE300CAD416957
SHA-256:	A9408E3B15FF3030F0E9ACB3429000D253D3BB7206F750091A7130325F6D0D72
SHA-512:	8950244D828C5EDE5C3934CFE2EE229BE19CC00FBF0C4A7CCEBEC19E8641345EF5FD028511C5428E1E21CE5491A3F74FB0175B03DA17588DAEF918E3F66B206A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......... j..sj..sj..sc..sn..s.p.rh..s1..rh..s.p.ri..s.p.rb..s.p.r...s...rh..s..ro..sj..s...syw.ra..syw.rk..syw.rk..sRichj..s........PE..d....p.f.........." ...(.....................................................P&...........`.........................................`&..L....&................$...............%.....................................p...@...............@{...........................text...O........................... ..`.rdata..............................@..@.data...xz.......^...t..............@....pdata........$.......#.............@..@.reloc........%......^%.............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\QtWidgets.pyd

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5144576
Entropy (8bit):	6.262739223310643
Encrypted:	false
SSDEEP:	49152:Qi+reIG7QwktsFPKoe2yicbbqgkcY9abW7KnTYK2bjMkTDGM7y:uqT7Q1kyTvoWW7EYvM9M
MD5:	E8C3BFBC19378E541F5F569E2023B7AA
SHA1:	ACA007030C1CEE45CBC692ADCB8BCB29665792BA
SHA-256:	A1E97A2AB434C6AE5E56491C60172E59CDCCE42960734E8BDF5D851B79361071
SHA-512:	9134C2EAD00C2D19DEC499E60F91E978858766744965EAD655D2349FF92834AB267AC8026038E576A7E207D3BBD4A87CD5F2E2846A703C7F481A406130530EB0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................=....1M............1M.....1M.....1M.....+......t.............J......J......J.....Rich...........................PE..d....p.f.........." ...(..,...!.....P.,.......................................N...........`..........................................><.T...D?<...............H..z...........pM..O..Pa8..............................`8.@.............,..............................text.....,.......,................. ..`.rdata........,.......,.............@..@.data... :....A.......A.............@....pdata...z....H..\|....H.............@..@.reloc...O...pM..P...0M.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\sip.cp313-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120320
Entropy (8bit):	6.034057886020456
Encrypted:	false
SSDEEP:	1536:pPd5NTdYgpmMrZhekwFH4PqgZNBQmT6V6WRFYE9Icx7pz4H5B:NhTdtmMdEkwuFTSvYE9Iczz4H5
MD5:	4F7F9E3A9466F4C0103FB04E1987E098
SHA1:	D4A339702E936AA5ECC1FE906AE2BA3BB0E481D7
SHA-256:	EBF27146466D61411493D2E243EAC691740F9C4B7A4B9AB0D408BE45B5E0AA35
SHA-512:	920BA8D58DCA7946341C1CC01FEA0B76CCE008F1D10061F84455A3DE9BA00FD9534F40C983486211BE92B85F786CD610C386529711A6F573A02BFAF8CA543A19
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........kSR...R...R...[...Z....X..P.......P....X..Q....X..Z....X.._....^..Q...R.......G_..[...G_..S...G_..S...G_..S...RichR...........PE..d.... g.........." ...(.H...........J.......................................0............`.............................................X...h................................ ..........................................@............`...............................text...(G.......H.................. ..`.rdata..lU...`...V...L..............@..@.data.... ..........................@....pdata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120400
Entropy (8bit):	6.6017475353076716
Encrypted:	false
SSDEEP:	1536:N9TXF5LLXQLlNycKW+D4SdqJk6aN1ACuyxLiyazYaCVoecbdhgOwAd+zfZ1zu:N9jelDoD9uyxLizzFzecbdPwA87S
MD5:	862F820C3251E4CA6FC0AC00E4092239
SHA1:	EF96D84B253041B090C243594F90938E9A487A9A
SHA-256:	36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
SHA-512:	2F8A0F11BCCC3A8CB99637DEEDA0158240DF0885A230F38BB7F21257C659F05646C6B61E993F87E0877F6BA06B347DDD1FC45D5C44BC4E309EF75ED882B82E4E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\=..\...\...\..S$...\...$...\...\..5\...\...\.....\.....\.....\.....\......\.....\..Rich.\..........PE..d.....x.........." ...).$...d............................................................`A........................................0u..4...d}..........................PP...........^..p............................\..@............@...............................text............................... ..`fothk........0...................... ..`.rdata...C...@...D...(..............@..@.data................l..............@....pdata...............p..............@..@_RDATA...............\|..............@..@.rsrc................~..............@..@.reloc..............................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\VCRUNTIME140_1.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	6.701724666218339
Encrypted:	false
SSDEEP:	768:ApzzO6ujT3MbR3v0Cz6SR8q83yaFdWr9zRcmgEl6U9zSC:9q/oGw3fFdwzRcmZFzSC
MD5:	68156F41AE9A04D89BB6625A5CD222D4
SHA1:	3BE29D5C53808186EBA3A024BE377EE6F267C983
SHA-256:	82A2F9AE1E6146AE3CB0F4BC5A62B7227E0384209D9B1AEF86BBCC105912F7CD
SHA-512:	F7BF8AD7CD8B450050310952C56F6A20B378A972C822CCC253EF3D7381B56FFB3CA6CE3323BEA9872674ED1C02017F78AB31E9EB9927FC6B3CBA957C247E5D57
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?.{...{...{...0...y.......y...r.H.p...{...H.......\|.......`.......~.......z.....$.z.......z...Rich{...........PE..d...l0.?.........." ...).<...8.......@...............................................b....`A........................................pm.......m..x....................r..PP......D....c..p...........................`b..@............P..`............................text....;.......<.................. ..`.rdata.."#...P...$...@..............@..@.data................d..............@....pdata...............f..............@..@.rsrc................l..............@..@.reloc..D............p..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84240
Entropy (8bit):	6.607563436050078
Encrypted:	false
SSDEEP:	1536:Kdrz7l1EVLsSuvX3dUK4MLgqK7YEog8y5sV8lIJLVy7SyFB:urzcuvXvrEo7y6V8lIJLVyB
MD5:	CB8C06C8FA9E61E4AC5F22EEBF7F1D00
SHA1:	D8E0DFC8127749947B09F17C8848166BAC659F0D
SHA-256:	FC3B481684B926350057E263622A2A5335B149A0498A8D65C4F37E39DD90B640
SHA-512:	E6DA642B7200BFB78F939F7D8148581259BAA9A5EDDA282C621D14BA88083A9B9BD3D17B701E9CDE77AD1133C39BD93FC9D955BB620546BB4FCF45C68F1EC7D6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e...!m..!m..!m..(.o.+m..1...#m..1..."m..1...%m..1...)m..1...,m..i..."m..j...#m..!m..\|m..i...)m..i... m..i... m..i... m..Rich!m..........PE..d.....g.........." ...).....\......0........................................P......7[....`.............................................H...(........0....... .. ......../...@..........T...........................`...@...............x............................text............................... ..`.rdata...=.......>..................@..@.data...............................@....pdata.. .... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	131344
Entropy (8bit):	6.311142284249784
Encrypted:	false
SSDEEP:	3072:3RF024DWkT/DKGkXY402iXnVJf/FO50XnekZ39gPhvEQZIJyPArm:j0nHT/DKFXZorf/FO50uW3SEQt
MD5:	A55E57D7594303C89B5F7A1D1D6F2B67
SHA1:	904A9304A07716497CF3E4EAAFD82715874C94F1
SHA-256:	F63C6C7E71C342084D8F1A108786CA6975A52CEFEF8BE32CC2589E6E2FE060C8
SHA-512:	FFA61AD2A408A831B5D86B201814256C172E764C9C1DBE0BD81A2E204E9E8117C66F5DFA56BB7D74275D23154C0ED8E10D4AE8A0D0564434E9761D754F1997FC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h~..............q...............................................q.......q......!u.............................................Rich....................PE..d.....g.........." ...).............h....................................... .......Z....`.........................................P.................................../...........=..T............................;..@............0...............................text............................... ..`.rdata...y...0...z..................@..@.data....$....... ..................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	277776
Entropy (8bit):	6.5855511991551
Encrypted:	false
SSDEEP:	6144:x9iD78EIq4x4OA5bZZ0KDgQcI79qWM53pLW1AFR8E4wXw76TPlpV77777VMvyk:xwDGqr5b8EgQ5+w6k
MD5:	F3377F3DE29579140E2BBAEEFD334D4F
SHA1:	B3076C564DBDFD4CA1B7CC76F36448B0088E2341
SHA-256:	B715D1C18E9A9C1531F21C02003B4C6726742D1A2441A1893BC3D79D7BB50E91
SHA-512:	34D9591590BBA20613691A5287EF329E5927A58127CE399088B4D68A178E3AF67159A8FC55B4FCDCB08AE094753B20DEC2AC3F0B3011481E4ED6F37445CECDD5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j2U..\...\...\..s....\..]...\.._...\..X...\..Y...\...]...\..s]...\...].z.\..._...\...Q...\...\...\.......\...^...\.Rich..\.........................PE..d......g.........." ...).....Z...............................................P......W.....`.................................................L........0..........t+......./...@..........T...............................@............... ............................text.............................. ..`.rdata..\...........................@..@.data...8'......."..................@....pdata..t+.......,..................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	64272
Entropy (8bit):	6.220967684620152
Encrypted:	false
SSDEEP:	768:eNJI0DWiflFwY9X3Th1JnptE462TxNvdbj4dIJvI75YiSyvE62Em:2LDxflFwY9XDhPfVNv+dIJvIF7Syc6c
MD5:	32D76C9ABD65A5D2671AEEDE189BC290
SHA1:	0D4440C9652B92B40BB92C20F3474F14E34F8D62
SHA-256:	838D5C8B7C3212C8429BAF612623ABBBC20A9023EEC41E34E5461B76A285B86C
SHA-512:	49DC391F4E63F4FF7D65D6FD837332745CC114A334FD61A7B6AA6F710B235339964B855422233FAC4510CCB9A6959896EFE880AB24A56261F78B2A0FD5860CD9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W.A.6...6...6...N%..6.......6.......6.......6.......6.......6...N...6.......6...6..26.......6.......6....I..6.......6..Rich.6..........PE..d......g.........." ...).P...~.......=..............................................!.....`.........................................p...P................................/......X....l..T............................k..@............`...............................text....N.......P.................. ..`.rdata...M...`...N...T..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..X...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	157968
Entropy (8bit):	6.854644275249963
Encrypted:	false
SSDEEP:	3072:KbbS4R/G4Z8r7NjwJTSUqCRY4By7znfB9mNowgn0lCelIJ012+j:KbR/8oWeBi5YOwflCe8o
MD5:	1BA022D42024A655CF289544AE461FB8
SHA1:	9772A31083223ECF66751FF3851D2E3303A0764C
SHA-256:	D080EABD015A3569813A220FD4EA74DFF34ED2A8519A10473EB37E22B1118A06
SHA-512:	2B888A2D7467E29968C6BB65AF40D4B5E80722FFDDA760AD74C912F3A2F315D402F3C099FDE82F00F41DE6C9FAAEDB23A643337EB8821E594C567506E3464C62
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7...V.,.V.,.V.,...,.V.,..-.V.,..-.V.,..-.V.,..-.V.,..-.V.,...-.V.,.V.,.V.,..-.V.,..-.V.,..u,.V.,..-.V.,Rich.V.,................PE..d......g.........." ...).`...........1.......................................p.......P....`.............................................L.......x....P.......0.......:.../...`..4....\|..T...........................P{..@............p...............................text...^^.......`.................. ..`.rdata.......p.......d..............@..@.data........ ......................@....pdata.......0......................@..@.rsrc........P......................@..@.reloc..4....`.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	33552
Entropy (8bit):	6.446391764486538
Encrypted:	false
SSDEEP:	384:7GpPCRjqMu/AoS6rf7sif0NHQibZIJ9UoOHQIYiSy1pCQ5xX1rSJIVE8E9VF0Nyf:fkTM6rg9aeZIJ9Uok5YiSyvTo2Et
MD5:	1C03CAA59B5E4A7FB9B998D8C1DA165A
SHA1:	8A318F80A705C64076E22913C2206D9247D30CD7
SHA-256:	B9CF502DADCB124F693BF69ECD7077971E37174104DBDA563022D74961A67E1E
SHA-512:	783ECDA7A155DFC96A718D5A130FB901BBECBED05537434E779135CBA88233DD990D86ECA2F55A852C9BFB975074F7C44D8A3E4558D7C2060F411CE30B6A915F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T...........-.........................................................................A...........Rich...................PE..d.....g.........." ...).....:.......................................................r....`.........................................PD..L....D..d....p.......`..l....T.../..........@4..T............................3..@............0...............................text............................... ..`.rdata..2....0....... ..............@..@.data........P.......>..............@....pdata..l....`.......D..............@..@.rsrc........p.......H..............@..@.reloc...............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83728
Entropy (8bit):	6.331814573029388
Encrypted:	false
SSDEEP:	1536:XuV3gvWHQdMq3ORC/OypTXQlyJ+9+nzEYwsBI6tzOKuZIJywJ7Sy21:XuVQvcQTSypTXQlyJs+nzEYJI6QlZIJY
MD5:	FE896371430BD9551717EF12A3E7E818
SHA1:	E2A7716E9CE840E53E8FC79D50A77F40B353C954
SHA-256:	35246B04C6C7001CA448554246445A845CE116814A29B18B617EA38752E4659B
SHA-512:	67ECD9A07DF0A07EDD010F7E3732F3D829F482D67869D6BCE0C9A61C24C0FDC5FF4F4E4780B9211062A6371945121D8883BA2E9E2CF8EB07B628547312DFE4C9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............ll}.ll}.ll}...}.ll}..m\|.ll}..o\|.ll}..h\|.ll}..i\|.ll}..m\|.ll}.lm}.ll}..m\|.ll}..a\|.ll}..l\|.ll}..}.ll}..n\|.ll}Rich.ll}........PE..d.....g.........." ...).x.......... -.......................................`.......s....`.........................................@...P............@.......0.........../...P..........T...........................@...@............................................text....w.......x.................. ..`.rdata.. y.......z...\|..............@..@.data...............................@....pdata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	181520
Entropy (8bit):	5.972827303352998
Encrypted:	false
SSDEEP:	3072:kO+IWyXHllRhN1qhep7fM6CpqjZI8u7pUULbaLZErWreVEzvT3iFCNc6tYwJc1OW:kpSrhN1E2M6CpUuwg5dEW7
MD5:	1C0E3E447F719FBE2601D0683EA566FC
SHA1:	5321AB73B36675B238AB3F798C278195223CD7B1
SHA-256:	63AE2FEFBFBBBC6EA39CDE0A622579D46FF55134BC8C1380289A2976B61F603E
SHA-512:	E1A430DA2A2F6E0A1AED7A76CC4CD2760B3164ABC20BE304C1DB3541119942508E53EA3023A52B8BADA17A6052A7A51A4453EFAD1A888ACB3B196881226C2E5C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......FM.^.,k..,k..,k..T...,k...j..,k...h..,k...o..,k...n..,k.J.j..,k...j..,k..,j..-k.ITj..,k.J.f..,k.J.k..,k.J....,k.J.i..,k.Rich.,k.................PE..d......g.........." ...)............ /..............................................R\....`.............................................d................................/..............T...........................P...@............................................text...0........................... ..`.rdata..D%.......&..................@..@.data...`...........................@....pdata...............n..............@..@.rsrc................z..............@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\_wmi.pyd

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	38160
Entropy (8bit):	6.338856805460127
Encrypted:	false
SSDEEP:	768:fEkK9VgWOZbs3550QcJpPllIJLiX5YiSyvQ602Euf0:fE93jkbQcJvlIJLiJ7Syq00
MD5:	1C30CC7DF3BD168D883E93C593890B43
SHA1:	31465425F349DAE4EDAC9D0FEABC23CE83400807
SHA-256:	6435C679A3A3FF4F16708EBC43F7CA62456C110AC1EA94F617D8052C90C143C7
SHA-512:	267A1807298797B190888F769D998357B183526DFCB25A6F1413E64C5DCCF87F51424B7E5D6F2349D7A19381909AB23B138748D8D9F5858F7DC0552F5C5846AC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........H2.&a.&a.&a..a.&a..'`.&a..%`.&a.."`.&a..'`.&a..#`.&a..'`.&a.'a..&a.."`.&a../`.&a..&`.&a...a.&a..$`.&aRich.&a................PE..d.....g.........." ...).,...<.......)..............................................'.....`.........................................0V..H...xV.......................f.../......x...tG..T............................C..@............@.......T..@....................text....*.......,.................. ..`.rdata..d ...@..."...0..............@..@.data........p.......R..............@....pdata...............V..............@..@.rsrc................Z..............@..@.reloc..x............d..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\base_library.zip

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1394456
Entropy (8bit):	5.531698507573688
Encrypted:	false
SSDEEP:	12288:IW7WpLV6yNLeGQbVz3YQfiBgDPtLwjFx278e6ZQnHS91lqyL+DXUgnxOr+dx5/GO:B7WpLtHa9BHSHAW+dx5/GP05vddD
MD5:	A9CBD0455B46C7D14194D1F18CA8719E
SHA1:	E1B0C30BCCD9583949C247854F617AC8A14CBAC7
SHA-256:	DF6C19637D239BFEDC8CD13D20E0938C65E8FDF340622FF334DB533F2D30FA19
SHA-512:	B92468E71490A8800E51410DF7068DD8099E78C79A95666ECF274A9E9206359F049490B8F60B96081FAFD872EC717E67020364BCFA972F26F0D77A959637E528
Malicious:	false
Preview:	PK..........!..b.e............_collections_abc.pyc......................................\.....S.r.S.S.K.J.r.J.r. .S.S.K.r.\.".\.\.....5.......r.\.".S.5.......r.S...r.\.".\.5.......r.C./.S.Q.r.S.r.\.".\.".S.5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".0.R%..................5.......5.......5.......r.\.".\.".0.R)..................5.......5.......5.......r.\.".\.".0.R-..................5.......5.......5.......r.\.".\."./.5.......5.......r.\.".\.".\."./.5.......5.......5.......r.\.".\.".\.".S.5.......5.......5.......r.\.".\.".\.".S.S.-...5.......5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".S.5.......5.......r \.".\.".S.5.......5.......r!\.".\.".\"".5.......5.......5.......r#\.".0.R%..................5.......5.......r$\.".0.R)..................5.......5.......r%\.".0.R-..................5.......5.......r&\.".\.RN..................5.......r(S...r)\)".5.......r*C)\.".S...".5.......5.......r+S...r,\,".5.......r,\.".\,5.......r-\,R]..................5.......

C:\Users\user\AppData\Local\Temp\_MEI1802\certifi\cacert.pem

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299427
Entropy (8bit):	6.047872935262006
Encrypted:	false
SSDEEP:	6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/QRSRqNb7d8iu5Nahx:QWb/TRJLWURrI5RWavdF08/
MD5:	50EA156B773E8803F6C1FE712F746CBA
SHA1:	2C68212E96605210EDDF740291862BDF59398AEF
SHA-256:	94EDEB66E91774FCAE93A05650914E29096259A5C7E871A1F65D461AB5201B47
SHA-512:	01ED2E7177A99E6CB3FBEF815321B6FA036AD14A3F93499F2CB5B0DAE5B713FD2E6955AA05F6BDA11D80E9E0275040005E5B7D616959B28EFC62ABB43A3238F0
Malicious:	false
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\_MEI1802\charset_normalizer\md.cp313-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.818583535960129
Encrypted:	false
SSDEEP:	96:Mvs10hZd9D74ACb0xx2uKynu10YLsgxwJiUNiL0U5IZsJFPGDtCFCCQAADo+cX6m:MXv9XFCk2z1/t12iwU5usJFuCyPcqgE
MD5:	56FE4F6C7E88212161F49E823CCC989A
SHA1:	16D5CBC5F289AD90AEAA4FF7CB828627AC6D4ACF
SHA-256:	002697227449B6D69026D149CFB220AC85D83B13056C8AA6B9DAC3FD3B76CAA4
SHA-512:	7C9D09CF9503F73E6F03D30E54DBB50606A86D09B37302DD72238880C000AE2B64C99027106BA340753691D67EC77B3C6E5004504269508F566BDB5E13615F1E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k............r_...........r................................................3..........Rich....................PE..d....$.g.........." ...).....................................................p............`..........................................'..p...`(..d....P.......@...............`..,...`#.............................. "..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\charset_normalizer\md__mypyc.cp313-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	124928
Entropy (8bit):	5.953784637413928
Encrypted:	false
SSDEEP:	3072:JDE+0ov6ojgN3qN8h51Zlh+YW5E38vCsmLS:JdefPZE2ICDLS
MD5:	10116447F9276F10664BA85A5614BA3A
SHA1:	EFD761A3E6D14E897D37AFB0C7317C797F7AE1D6
SHA-256:	C393098E7803ABF08EE8F7381AD7B0F8FAFFBF66319C05D72823308E898F8CFC
SHA-512:	C04461E52B7FE92D108CBDEB879B7A8553DD552D79C88DFA3F5D0036EED8D4B8C839C0BF2563BC0C796F8280ED2828CA84747CB781D2F26B44214FCA2091EAE4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y.....................7...............7.......7.......7.......6..........D....6.......6.......6.......6......Rich............................PE..d....$.g.........." ...).@...........C.......................................0............`.........................................0...d.................................... ......................................P...@............P...............................text....?.......@.................. ..`.rdata..nY...P...Z...D..............@..@.data....=.......0..................@....pdata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\libcrypto-3.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5232408
Entropy (8bit):	5.940072183736028
Encrypted:	false
SSDEEP:	98304:/V+Qs2NuR5YV0L8PQ1CPwDvt3uFlDC4SC9c:9rs2NuDYV0L841CPwDvt3uFlDC4SCa
MD5:	123AD0908C76CCBA4789C084F7A6B8D0
SHA1:	86DE58289C8200ED8C1FC51D5F00E38E32C1AAD5
SHA-256:	4E5D5D20D6D31E72AB341C81E97B89E514326C4C861B48638243BDF0918CFA43
SHA-512:	80FAE0533BA9A2F5FA7806E86F0DB8B6AAB32620DDE33B70A3596938B529F3822856DE75BDDB1B06721F8556EC139D784BC0BB9C8DA0D391DF2C20A80D33CB04
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._~.._~.._~..V.S.M~.....]~.....[~.....W~.....S~.._~...~......T~..J....~..J...7}..J...^~..J.?.^~..J...^~..Rich_~..........................PE..d......f.........." ...(..7..<......v........................................0P.......O...`...........................................H.0.....O.@....@O.\|.... L. .....O../...PO.$...`{D.8............................yD.@.............O..............................text.....7.......7................. ..`.rdata........7.......7.............@..@.data...Ao....K..<....K.............@....pdata....... L.......K.............@..@.idata...%....O..&....N.............@..@.00cfg..u....0O.......N.............@..@.rsrc...\|....@O.......N.............@..@.reloc..~....PO.......N.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\libffi-8.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39696
Entropy (8bit):	6.641880464695502
Encrypted:	false
SSDEEP:	768:NiQfxQemQJNrPN+moyijAc5YiSyvkIPxWEqG:dfxIQvPkmoyijP7SytPxF
MD5:	0F8E4992CA92BAAF54CC0B43AACCCE21
SHA1:	C7300975DF267B1D6ADCBAC0AC93FD7B1AB49BD2
SHA-256:	EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
SHA-512:	6E1B223462DC124279BFCA74FD2C66FE18B368FFBCA540C84E82E0F5BCBEA0E10CC243975574FA95ACE437B9D8B03A446ED5EE0C9B1B094147CEFAF704DFE978
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".H...(.......L...............................................n....`......................................... l.......p..P...............P....l.../......,...@d...............................c..@............`.. ............................text....G.......H.................. ..`.rdata..h....`.......L..............@..@.data................b..............@....pdata..P............d..............@..@.reloc..,............j..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\libssl-3.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	792856
Entropy (8bit):	5.57949182561317
Encrypted:	false
SSDEEP:	12288:7LN1sdyIzHHZp5c3nlUa6lxzAG11rbmFe9Xbv:7LgfzH5I3nlUa2AU2Fe9Xbv
MD5:	4FF168AAA6A1D68E7957175C8513F3A2
SHA1:	782F886709FEBC8C7CEBCEC4D92C66C4D5DBCF57
SHA-256:	2E4D35B681A172D3298CAF7DC670451BE7A8BA27C26446EFC67470742497A950
SHA-512:	C372B759B8C7817F2CBB78ECCC5A42FA80BDD8D549965BD925A97C3EEBDCE0335FBFEC3995430064DEAD0F4DB68EBB0134EB686A0BE195630C49F84B468113E3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l.>..\|m..\|m..\|m.u.m..\|m+.}l..\|m.u}l..\|m+..l..\|m+.xl..\|m+.yl..\|m..}l..\|m..}m..\|m..xl..\|m..\|l..\|m...m..\|m..~l..\|mRich..\|m................PE..d......f.........." ...(.>..........K........................................0......!+....`..........................................x...Q..............s.... ...M......./......d...p...8...............................@............................................text....<.......>.................. ..`.rdata..hz...P...\|...B..............@..@.data...qN.......H..................@....pdata..pV... ...X..................@..@.idata...c.......d...^..............@..@.00cfg..u...........................@..@.rsrc...s...........................@..@.reloc..C...........................@..B........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\psutil\_psutil_windows.pyd

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67072
Entropy (8bit):	5.909456553599775
Encrypted:	false
SSDEEP:	1536:j3sHmR02IvVxv7WCyKm7c5Th4JBHTOvyyaZE:jnIvryCyKx5Th4J5OvyyO
MD5:	49AC12A1F10AB93FAFAB064FD0523A63
SHA1:	3AD6923AB0FB5D3DD9D22ED077DB15B42C2FBD4F
SHA-256:	BA033B79E858DBFCBA6BF8FB5AFE10DEFD1CB03957DBBC68E8E62E4DE6DF492D
SHA-512:	1BC0F50E0BB0A9D9DDDAD31390E5C73B0D11C2B0A8C5462065D477E93FF21F7EDC7AA2B2B36E478BE0A797A38F43E3FBEB6AAABEF0BADEC1D8D16EB73DF67255
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......nT..5..5..5..#M2. 5..x@..(5..x@..&5..x@.."5..x@...5...k..(5..aM..;5..5...5...@..:5...@..+5...@^.+5...@..+5..Rich*5..................PE..d...._.g.........." .........h......\........................................@............`.........................................0...`.......@.... .......................0..(.......................................8............................................text...h........................... ..`.rdata..\I.......J..................@..@.data...x...........................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..(....0......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\python3.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	70416
Entropy (8bit):	6.1258200129869405
Encrypted:	false
SSDEEP:	768:pQEotsskOv6pWVCB4p/uKlZPRQcFIc9qunV0Jku/YFI1Hu1wEBbCpVNyD6VdPxiD:/otssyKcunV8PjZIJy0i7SyWH1
MD5:	16855EBEF31C5B1EBE767F1C617645B3
SHA1:	315521F3A748ABFA35CD4D48E8DD09D0556D989B
SHA-256:	A5C6A329698490A035133433928D04368CE6285BB91A9D074FC285DE4C9A32A4
SHA-512:	C3957B3BD36B10C7AD6EA1FF3BC7BD65CDCEB3E6B4195A25D0649AA0DA179276CE170DA903D77B50A38FC3D5147A45BE32DBCFDBFBF76CC46301199C529ADEA4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%?..a^e.a^e.a^e.).m.`^e.).e.`^e.)..`^e.).g.`^e.Richa^e.........PE..d......g.........." ...)............................................................z.....`.........................................`..................................../..............T............................................................................rdata..............................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\python313.dll

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6083856
Entropy (8bit):	6.126922729922386
Encrypted:	false
SSDEEP:	49152:fXGc3O7T4DKX+vLFMmKYxiAYNBD987KdJlI9HbeX2jrgQcw6Zc4h67mM+XDQ3bLi:Of42zJiwJl/YF7v3vaHDMiEN3Kr
MD5:	B9DE917B925DD246B709BB4233777EFD
SHA1:	775F258D8B530C6EA9F0DD3D1D0B61C1948C25D2
SHA-256:	0C0A66505093B6A4BB3475F716BD3D9552095776F6A124709C13B3F9552C7D99
SHA-512:	F4BF3398F50FDD3AB7E3F02C1F940B4C8B5650ED7AF16C626CCD1B934053BA73A35F96DA03B349C1EB614BB23E0BC6B5CC58B07B7553A5C93C6D23124F324A33
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........s]{v ]{v ]{v M.w!_{v M.. S{v M.u!Y{v M.r!U{v M.s!P{v T.. G{v ..w!V{v ]{w .zv ..{!.{v ..v!\{v ... \{v ..t!\{v Rich]{v ........................PE..d......g.........." ...).:+..T9......J........................................d.....uF]...`...........................................O.....h.P.......d......0].......\../....d..... A3.T.....................I.(....?3.@............P+..............................text....8+......:+................. ..`.rdata....%..P+...%..>+.............@..@.data...$9....P..N....P.............@....pdata.......0]...... U.............@..@PyRuntim.N...._..P....W.............@....rsrc.........d.......[.............@..@.reloc........d.......[.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\select.pyd

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30992
Entropy (8bit):	6.554484610649281
Encrypted:	false
SSDEEP:	384:7hhxm9tKLhuoNHfzzlvFy0ZZIJ9GckHQIYiSy1pCQ4HWSJIVE8E9VF0Ny6sC:tCytHf98uZIJ9Gx5YiSyvy2ES
MD5:	20831703486869B470006941B4D996F2
SHA1:	28851DFD43706542CD3EF1B88B5E2749562DFEE0
SHA-256:	78E5994C29D8851F28B5B12D59D742D876683AEA58ECEEA1FB895B2036CDCDEB
SHA-512:	4AAF5D66D2B73F939B9A91E7EDDFEB2CE2476C625586EF227B312230414C064AA850B02A4028363AA4664408C9510594754530A6D026A0A84BE0168D677C1BC4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........tV..'V..'V..'_.j'T..'F:.&T..'F:.&R..'F:.&^..'F:.&Z..'.;.&T..'V..'...'...&S..'.;.&W..'.;.&W..'.;.'W..'.;.&W..'RichV..'................PE..d.....g.........." ...).....2............................................................`..........................................@..L...<A..x....p.......`.......J.../......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data...p....P.......8..............@....pdata.......`.......:..............@..@.rsrc........p.......>..............@..@.reloc..L............H..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI1802\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	709904
Entropy (8bit):	5.861739047785334
Encrypted:	false
SSDEEP:	12288:FYGdLI/X77mvfldCKGihH32W3cnPSqrUgLIe:FYGW7qNxr3cnPXLIe
MD5:	0902D299A2A487A7B0C2D75862B13640
SHA1:	04BCBD5A11861A03A0D323A8050A677C3A88BE13
SHA-256:	2693C7EE4FBA55DC548F641C0CB94485D0E18596FFEF16541BD43A5104C28B20
SHA-512:	8CBEF5A9F2D24DA1014F8F1CCBDDD997A084A0B04DD56BCB6AC38DDB636D05EF7E4EA7F67A085363AAD3F43D45413914E55BDEF14A662E80BE955E6DFC2FECA3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Q.............(.....(.....(.....(.....)................).....).....)x....)....Rich..................PE..d.....g.........." ...).B...f......P,..............................................<.....`.........................................P...X................................/..........p...T...........................0...@............`..h............................text....@.......B.................. ..`.rdata...?...`...@...F..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421461468949937
Encrypted:	false
SSDEEP:	6144:YSvfpi6ceLP/9skLmb0OTgWSPHaJG8nAgeMZMMhA2fX4WABlEnNL0uhiTw:jvloTgW+EZMM6DFyx03w
MD5:	94E7D4719E279E186A65E32F69DCCAE3
SHA1:	68589A472DC67CCC5BBCB5711ED0705A4610495D
SHA-256:	12364B06D907EA198FCB8E6E53FCFC6A96EF653E6FFA9D480A97BC6F568214E7
SHA-512:	3F7F853F50425EBCB33893A17339C73AF4C66E4373486558A6B7A55911EC14A9C332C870E865CB0CC71E8EF24B18A58F18EA7F383A81FB37579E2904ABD507D1
Malicious:	false
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmBN..2H.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.995836813060236
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	check.exe
File size:	38'734'342 bytes
MD5:	00152720a2c1c6969e3581e2dabc6702
SHA1:	0e8926af0ed2d77f193775e682f0a17b7e11b9a1
SHA256:	be4bee2fede8b2fac9d205b935ae47505b5168f675650f520bbe444a2e30f75f
SHA512:	c2b518335a1458db3a94b02cad0814611f68f2516048f321cd182c831009021350fdbe08d5feb70ec7c5032427e89fafa3cf42526dc01d380db57165e12fd307
SSDEEP:	786432:R+gX4BMdhwzTQXR5FbPp6FcSS5U/LT2KzVyPVLBdebXMb8VH/zEa:TXGMK4XR3bLSCU/+6yPl3ebcBa
TLSH:	6A873300E5D409DEE5B22974F4F1528BD559F0EE4B72C3EB81A0025385B7BC09B6EA7B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n=..\.Z\.Z\.Za$.[-\.Za$.[.\.Za$.[ \.Z:..Z)\.Z:..[#\.Z:..[;\.Z:..[.\.Za$.[!\.Z\.Z.\.Zb..[3\.Zb..[+\.ZRich*\.Z........PE..d..

File Icon


Icon Hash:	4a464cd47461e179

Static PE Info

General

Entrypoint:	0x14000cdb0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x67514720 [Thu Dec 5 06:24:32 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	72c4e339b7af8ab1ed2eb3821c98713a

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F99C4D8AB5Ch
dec eax
add esp, 28h
jmp 00007F99C4D8A77Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F99C4D8AF28h
test eax, eax
je 00007F99C4D8A923h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F99C4D8A907h
dec eax
cmp ecx, eax
je 00007F99C4D8A916h
xor eax, eax
dec eax
cmpxchg dword ptr [0003577Ch], ecx
jne 00007F99C4D8A8F0h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F99C4D8A8F9h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007F99C4D8A909h
mov byte ptr [00035765h], 00000001h
call 00007F99C4D8A055h
call 00007F99C4D8B340h
test al, al
jne 00007F99C4D8A906h
xor al, al
jmp 00007F99C4D8A916h
call 00007F99C4D97E5Fh
test al, al
jne 00007F99C4D8A90Bh
xor ecx, ecx
call 00007F99C4D8B350h
jmp 00007F99C4D8A8ECh
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [0003572Ch], 00000000h
mov ebx, ecx
jne 00007F99C4D8A969h
cmp ecx, 01h
jnbe 00007F99C4D8A96Ch
call 00007F99C4D8AE9Eh
test eax, eax
je 00007F99C4D8A92Ah
test ebx, ebx
jne 00007F99C4D8A926h
dec eax
lea ecx, dword ptr [00035716h]
call 00007F99C4D97C52h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3ca5c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0xf41c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x44000	0x2250	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x57000	0x764	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a080	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39f40	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x4a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29f00	0x2a000	2a7ae207b6295492e9da088072661752	False	0.5514439174107143	data	6.487454925709845	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12a50	0x12c00	7031ff2259e89c43b24ad1a8c70aa0dd	False	0.5244661458333333	data	5.752623650869022	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x53f8	0xe00	dba0caeecab624a0ccc0d577241601d1	False	0.134765625	data	1.8392217063172436	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x44000	0x2250	0x2400	f5559f14427a02f0a5dbd0dd026cae54	False	0.470703125	data	5.291665041994019	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x47000	0xf41c	0xf600	455788c285fcfdcb4008bc77e762818a	False	0.803099593495935	data	7.5549760623589695	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x57000	0x764	0x800	816c68eeb419ee2c08656c31c06a0fff	False	0.5576171875	data	5.2809528666624175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x47208	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.585820895522388
RT_ICON	0x480b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.7360108303249098
RT_ICON	0x48958	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.755057803468208
RT_ICON	0x48ec0	0x952c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9975384937676757
RT_ICON	0x523ec	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.3887966804979253
RT_ICON	0x54994	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.49530956848030017
RT_ICON	0x55a3c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.7207446808510638
RT_GROUP_ICON	0x55ea4	0x68	data	0.7019230769230769
RT_MANIFEST	0x55f0c	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 7, 2024 00:01:07.572634935 CET	49705	443	192.168.2.5	104.20.22.46
Dec 7, 2024 00:01:07.572684050 CET	443	49705	104.20.22.46	192.168.2.5
Dec 7, 2024 00:01:07.572797060 CET	49705	443	192.168.2.5	104.20.22.46
Dec 7, 2024 00:01:07.573765039 CET	49705	443	192.168.2.5	104.20.22.46
Dec 7, 2024 00:01:07.573779106 CET	443	49705	104.20.22.46	192.168.2.5
Dec 7, 2024 00:01:08.798532963 CET	443	49705	104.20.22.46	192.168.2.5
Dec 7, 2024 00:01:08.799455881 CET	49705	443	192.168.2.5	104.20.22.46
Dec 7, 2024 00:01:08.799468040 CET	443	49705	104.20.22.46	192.168.2.5
Dec 7, 2024 00:01:08.800947905 CET	443	49705	104.20.22.46	192.168.2.5
Dec 7, 2024 00:01:08.801004887 CET	49705	443	192.168.2.5	104.20.22.46
Dec 7, 2024 00:01:08.802699089 CET	49705	443	192.168.2.5	104.20.22.46
Dec 7, 2024 00:01:08.802882910 CET	49705	443	192.168.2.5	104.20.22.46

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 7, 2024 00:01:07.427018881 CET	60182	53	192.168.2.5	1.1.1.1
Dec 7, 2024 00:01:07.565669060 CET	53	60182	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 7, 2024 00:01:07.427018881 CET	192.168.2.5	1.1.1.1	0x3e61	Standard query (0)	nodejs.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 7, 2024 00:01:07.565669060 CET	1.1.1.1	192.168.2.5	0x3e61	No error (0)	nodejs.org		104.20.22.46	A (IP address)	IN (0x0001)	false
Dec 7, 2024 00:01:07.565669060 CET	1.1.1.1	192.168.2.5	0x3e61	No error (0)	nodejs.org		104.20.23.46	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	18:00:55
Start date:	06/12/2024
Path:	C:\Users\user\Desktop\check.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\check.exe"
Imagebase:	0x7ff7d43b0000
File size:	38'734'342 bytes
MD5 hash:	00152720A2C1C6969E3581E2DABC6702
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:01:01
Start date:	06/12/2024
Path:	C:\Users\user\Desktop\check.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\check.exe"
Imagebase:	0x7ff7d43b0000
File size:	38'734'342 bytes
MD5 hash:	00152720A2C1C6969E3581E2DABC6702
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:01:05
Start date:	06/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"
Imagebase:	0x7ff735210000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	18:01:05
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	18:01:05
Start date:	06/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic computersystem get manufacturer
Imagebase:	0x7ff660f60000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	18:01:10
Start date:	06/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 2428 -s 920
Imagebase:	0x7ff7e8a70000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	74

Executed Functions

Function 00007FF7D43B89E0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257
synchronizationwindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7D43B9390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7D43B45F4,00000000,00007FF7D43B1985), ref: 00007FF7D43B93C9

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF7D43B3F7F), ref: 00007FF7D43B8A3B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF7D43B3F7F), ref: 00007FF7D43B8A56

Part of subcall function 00007FF7D43CA47C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43CA490

Part of subcall function 00007FF7D43C871C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43C8783

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF7D43B3F7F), ref: 00007FF7D43B8AE6
CreateProcessW.KERNELBASE ref: 00007FF7D43B8B1E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7D43B3F7F), ref: 00007FF7D43B8B28

Part of subcall function 00007FF7D43B2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7D43B3706,?,00007FF7D43B3804), ref: 00007FF7D43B2C9E
Part of subcall function 00007FF7D43B2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7D43B3706,?,00007FF7D43B3804), ref: 00007FF7D43B2D63
Part of subcall function 00007FF7D43B2C50: MessageBoxW.USER32 ref: 00007FF7D43B2D99

RegisterClassW.USER32 ref: 00007FF7D43B8B80
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7D43B3F7F), ref: 00007FF7D43B8B8B
CreateWindowExW.USER32 ref: 00007FF7D43B8BD5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7D43B3F7F), ref: 00007FF7D43B8BE7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF7D43B3F7F), ref: 00007FF7D43B8C02
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7D43B3F7F), ref: 00007FF7D43B8C15
PeekMessageW.USER32 ref: 00007FF7D43B8C39
TranslateMessage.USER32 ref: 00007FF7D43B8C47
DispatchMessageW.USER32(?,FFFFFFFF,00007FF7D43B3F7F), ref: 00007FF7D43B8C51
PeekMessageW.USER32 ref: 00007FF7D43B8C6C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF7D43B3F7F), ref: 00007FF7D43B8C7E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF7D43B3F7F), ref: 00007FF7D43B8C99
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF7D43B3F7F), ref: 00007FF7D43B8CAF
GetLastError.KERNEL32(?,FFFFFFFF,00007FF7D43B3F7F), ref: 00007FF7D43B8CB9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF7D43B3F7F), ref: 00007FF7D43B8CC7
DestroyWindow.USER32(?,FFFFFFFF,00007FF7D43B3F7F), ref: 00007FF7D43B8E04
GetExitCodeProcess.KERNELBASE ref: 00007FF7D43B8E19
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF7D43B3F7F), ref: 00007FF7D43B8E22
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF7D43B3F7F), ref: 00007FF7D43B8E2F

Strings

Failed to create child process!, xrefs: 00007FF7D43B8B30
CreateProcessW, xrefs: 00007FF7D43B8B37
PyInstaller Onefile Hidden Window, xrefs: 00007FF7D43B8B95
PyInstallerOnefileHiddenWindow, xrefs: 00007FF7D43B8B54

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction ID: 5b580b6da3799723f6fa9abd2c66d07ec77885ccb2d5fb3566e2f282ba9459c5
Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction Fuzzy Hash: 27D16431A08B8286EB10AF7AE8942ADB760FF84758FC4423EDA5D63A94DF3CD545C710

Function 00007FF7D43B1000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 511
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF7D43B39DE
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF7D43B3882, 00007FF7D43B38AF
Failed to start splash screen!, xrefs: 00007FF7D43B3ED4
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF7D43B3A17, 00007FF7D43B3A2F, 00007FF7D43B3A9B
pkg, xrefs: 00007FF7D43B39BE
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF7D43B3BE8
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF7D43B3971
_PYI_ARCHIVE_FILE, xrefs: 00007FF7D43B38D2, 00007FF7D43B39FF
Failed to convert DLL search path!, xrefs: 00007FF7D43B3DDC
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF7D43B3EBB
_PYI_SPLASH_IPC, xrefs: 00007FF7D43B3A23, 00007FF7D43B3EF5
Py_GIL_DISABLED, xrefs: 00007FF7D43B3AF4
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF7D43B3B32
VCRUNTIME140.dll, xrefs: 00007FF7D43B3DB1
MEI, xrefs: 00007FF7D43B3933
pyi-contents-directory, xrefs: 00007FF7D43B3B8D
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF7D43B3E0A
pyi-disable-windowed-traceback, xrefs: 00007FF7D43B3BB2
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF7D43B3A0B, 00007FF7D43B3CD4, 00007FF7D43B3F6B
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF7D43B3EA6
Failed to load splash screen resources!, xrefs: 00007FF7D43B3E85
Could not create temporary directory!, xrefs: 00007FF7D43B3CBF
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF7D43B3D35
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF7D43B3C61
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF7D43B3D12
pyi-runtime-tmpdir, xrefs: 00007FF7D43B3B68
Failed to remove temporary directory: %s, xrefs: 00007FF7D43B3FCF
pyi-python-flag, xrefs: 00007FF7D43B3AD6

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag$pyi-runtime-tmpdir
API String ID: 2776309574-4232158417
Opcode ID: 37ac403d8761fd058b9686b461d68ce9e356937fc1b7600f6d579266f88744a2
Instruction ID: 72604c8a9e511e5cb9410b9843d910246a1d3d0b788b77069c43dc6b5e438fa2
Opcode Fuzzy Hash: 37ac403d8761fd058b9686b461d68ce9e356937fc1b7600f6d579266f88744a2
Instruction Fuzzy Hash: 93324D21A0869251FA29FF2ED4D53BDBA61AF54780FC4403BDA5D632D6EF2CE558C320

Function 00007FF7D43D5C00 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF7D43D5C45

Part of subcall function 00007FF7D43D5598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43D55AC

Part of subcall function 00007FF7D43CA948: RtlFreeHeap.NTDLL(?,?,?,00007FF7D43D2D22,?,?,?,00007FF7D43D2D5F,?,?,00000000,00007FF7D43D3225,?,?,?,00007FF7D43D3157), ref: 00007FF7D43CA95E
Part of subcall function 00007FF7D43CA948: GetLastError.KERNEL32(?,?,?,00007FF7D43D2D22,?,?,?,00007FF7D43D2D5F,?,?,00000000,00007FF7D43D3225,?,?,?,00007FF7D43D3157), ref: 00007FF7D43CA968

Part of subcall function 00007FF7D43CA900: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF7D43CA8DF,?,?,?,?,?,00007FF7D43CA7CA), ref: 00007FF7D43CA909
Part of subcall function 00007FF7D43CA900: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7D43CA8DF,?,?,?,?,?,00007FF7D43CA7CA), ref: 00007FF7D43CA92E

_get_daylight.LIBCMT ref: 00007FF7D43D5C34

Part of subcall function 00007FF7D43D55F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43D560C

_get_daylight.LIBCMT ref: 00007FF7D43D5EAA
_get_daylight.LIBCMT ref: 00007FF7D43D5EBB
_get_daylight.LIBCMT ref: 00007FF7D43D5ECC
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7D43D610C), ref: 00007FF7D43D5EF3

Strings

Eastern Summer Time, xrefs: 00007FF7D43D5FB1
Eastern Standard Time, xrefs: 00007FF7D43D5F99

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
Instruction ID: 25c5182c0d6b52ea79f682c4aa442bc6802081fc33015a8680aeaabe27487c95
Opcode Fuzzy Hash: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
Instruction Fuzzy Hash: 01D1A222A0834246EF24BF2BD4C11BDA7A1EF44794FC8813BEA4D67695DF7CE4418760

Function 00007FF7D43D6964 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7D43D6698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43D66D9
Part of subcall function 00007FF7D43D6698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43D6757
Part of subcall function 00007FF7D43D6698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43D67A8

CreateFileW.KERNELBASE ref: 00007FF7D43D6A6A
CreateFileW.KERNEL32 ref: 00007FF7D43D6ABA
GetLastError.KERNEL32 ref: 00007FF7D43D6AEA
GetFileType.KERNELBASE ref: 00007FF7D43D6AFF
GetLastError.KERNEL32 ref: 00007FF7D43D6B09
CloseHandle.KERNEL32 ref: 00007FF7D43D6B3C
CloseHandle.KERNEL32 ref: 00007FF7D43D6C9F
CreateFileW.KERNEL32 ref: 00007FF7D43D6CD4
GetLastError.KERNEL32 ref: 00007FF7D43D6CE3

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction ID: a2b61ef57d07491306da69aca65d17919b21c11bc0ac9c0a220df93c96c0ae77
Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction Fuzzy Hash: A8C1C436B24A4185EF10DF6AC4906AC7761FB49BA8B89423ADE2E677D4CF38D465C310

Function 00007FF7D43B83C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00007FF7D43B8919,00007FF7D43B3FA5), ref: 00007FF7D43B842B
RemoveDirectoryW.KERNEL32(?,00007FF7D43B8919,00007FF7D43B3FA5), ref: 00007FF7D43B84AE
DeleteFileW.KERNELBASE(?,00007FF7D43B8919,00007FF7D43B3FA5), ref: 00007FF7D43B84CD
FindNextFileW.KERNELBASE(?,00007FF7D43B8919,00007FF7D43B3FA5), ref: 00007FF7D43B84DB
FindClose.KERNEL32(?,00007FF7D43B8919,00007FF7D43B3FA5), ref: 00007FF7D43B84EC
RemoveDirectoryW.KERNELBASE(?,00007FF7D43B8919,00007FF7D43B3FA5), ref: 00007FF7D43B84F5

Strings

%s\*, xrefs: 00007FF7D43B83F2

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
Instruction ID: 6d4d10b52c2c124f219353ad8e3063fa51ef2770cb3fe6e23b3050135f365255
Opcode Fuzzy Hash: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
Instruction Fuzzy Hash: 99415321A0C54286EE24BF6AE4C42BEB760FB94754FD4023BD59D62698DF3CD545C720

Function 00007FF7D43D5E7C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF7D43D5EAA

Part of subcall function 00007FF7D43D55F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43D560C

_get_daylight.LIBCMT ref: 00007FF7D43D5EBB

Part of subcall function 00007FF7D43D5598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43D55AC

_get_daylight.LIBCMT ref: 00007FF7D43D5ECC

Part of subcall function 00007FF7D43D55C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43D55DC

Part of subcall function 00007FF7D43CA948: RtlFreeHeap.NTDLL(?,?,?,00007FF7D43D2D22,?,?,?,00007FF7D43D2D5F,?,?,00000000,00007FF7D43D3225,?,?,?,00007FF7D43D3157), ref: 00007FF7D43CA95E
Part of subcall function 00007FF7D43CA948: GetLastError.KERNEL32(?,?,?,00007FF7D43D2D22,?,?,?,00007FF7D43D2D5F,?,?,00000000,00007FF7D43D3225,?,?,?,00007FF7D43D3157), ref: 00007FF7D43CA968

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7D43D610C), ref: 00007FF7D43D5EF3

Strings

Eastern Summer Time, xrefs: 00007FF7D43D5FB1
Eastern Standard Time, xrefs: 00007FF7D43D5F99

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: 6f2171165b001c2744b9d494c76d2a7753c36df5ed5d67f3075860c83c0dbe14
Instruction ID: 0856337e16231efd345ccd3a63400b4bf93522f61881fb05c1f04d83322a4db1
Opcode Fuzzy Hash: 6f2171165b001c2744b9d494c76d2a7753c36df5ed5d67f3075860c83c0dbe14
Instruction Fuzzy Hash: D1516132A0864286EB14FF2BD4C15ADE761BB48784FC8413FEA4D67695DF3CE4408B60

Function 00007FF7D43B9280 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF7D43B92B3
FindClose.KERNELBASE ref: 00007FF7D43B92C2

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction ID: 2ea62085fb6fed321ee299051854f853263a509f7a04d2f2306ecf974ddb865e
Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction Fuzzy Hash: 6AF0A422A1864586F7609F69F4C976EB750AB88364FC4433AD96D16AD4DF3CD048CA14

Function 00007FF7D43D08C8 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 537422541fbed36a77ddee3a41e978a3695e14332b64c7d8d0a2d6c09592a1ae
Instruction ID: 81a9543ca59992b77bedca11f61435264395a753f63d270eb4f433a4468879cc
Opcode Fuzzy Hash: 537422541fbed36a77ddee3a41e978a3695e14332b64c7d8d0a2d6c09592a1ae
Instruction Fuzzy Hash: 6202AD21A1D64641FE65BF1BE48127DA6A0AF41FA4FC9463FE95D673D1DF3CA4008320

Function 00007FF7D43B1950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7D43B7F90: _fread_nolock.LIBCMT ref: 00007FF7D43B803A

_fread_nolock.LIBCMT ref: 00007FF7D43B1A1B

Part of subcall function 00007FF7D43B2910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF7D43B1B6A), ref: 00007FF7D43B295E

Strings

malloc, xrefs: 00007FF7D43B1B22
fseek, xrefs: 00007FF7D43B19F5
Failed to seek to cookie position!, xrefs: 00007FF7D43B19EE
Failed to read cookie!, xrefs: 00007FF7D43B1A2B
Could not allocate buffer for TOC!, xrefs: 00007FF7D43B1B1B
Could not read full TOC!, xrefs: 00007FF7D43B1B55
fread, xrefs: 00007FF7D43B1A32, 00007FF7D43B1B5C
MEI, xrefs: 00007FF7D43B1991
Error on file., xrefs: 00007FF7D43B1B8D
calloc, xrefs: 00007FF7D43B1A68
Could not allocate memory for archive structure!, xrefs: 00007FF7D43B1A61

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: 036f9d3cdbd1396aaf8833eae6c4de727a356ce5069b7f611becf911bb1bd3df
Instruction ID: 824d2473eb8f6171a6f50f58506528120b94b9b6566953afb56c3dcadc9151d2
Opcode Fuzzy Hash: 036f9d3cdbd1396aaf8833eae6c4de727a356ce5069b7f611becf911bb1bd3df
Instruction Fuzzy Hash: FA818E71A0868686EF20EF2AE0C53BDB7A0AF84784FC4453BD98D67685DE3CE5458760

Function 00007FF7D43B1600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

malloc, xrefs: 00007FF7D43B1749
fseek, xrefs: 00007FF7D43B16E1
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF7D43B17CA
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7D43B17DF
fopen, xrefs: 00007FF7D43B1663
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7D43B16A2
fread, xrefs: 00007FF7D43B17E6
Failed to extract %s: failed to open target file!, xrefs: 00007FF7D43B165C
fwrite, xrefs: 00007FF7D43B17D1
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF7D43B1742
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7D43B16DA
Failed to create symbolic link %s!, xrefs: 00007FF7D43B1622

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: 2c21444116fb529e0d1b87b05987736bebf23b7c5b6a8072b3180d2b25cea00d
Instruction ID: 44ab690e0a8d3ef547bebc3befc8e2bfaa0f28e3717a0c25ac393cc95f2bc013
Opcode Fuzzy Hash: 2c21444116fb529e0d1b87b05987736bebf23b7c5b6a8072b3180d2b25cea00d
Instruction Fuzzy Hash: E551AC21B0868292EE10BF5BE4812ADB7A0BF447A4FC4413BEE5C67796DF3CE5558320

Function 00007FF7D43B8660 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF7D43B3CBB), ref: 00007FF7D43B8704
GetCurrentProcessId.KERNEL32(?,00000000,00007FF7D43B3CBB), ref: 00007FF7D43B870A
CreateDirectoryW.KERNELBASE(?,00000000,00007FF7D43B3CBB), ref: 00007FF7D43B874C

Part of subcall function 00007FF7D43B8830: GetEnvironmentVariableW.KERNEL32(00007FF7D43B388E), ref: 00007FF7D43B8867
Part of subcall function 00007FF7D43B8830: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7D43B8889

Part of subcall function 00007FF7D43C8238: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43C8251

Part of subcall function 00007FF7D43B2810: MessageBoxW.USER32 ref: 00007FF7D43B28EA

Strings

_MEI%d, xrefs: 00007FF7D43B8712
TMP, xrefs: 00007FF7D43B869C, 00007FF7D43B87A3
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF7D43B877E
LOADER: failed to set the TMP environment variable., xrefs: 00007FF7D43B86DC
TMP, xrefs: 00007FF7D43B86C2

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
Instruction ID: 97aca771e80ed60011dac2db8a3ed92ecbb7f76a6c283bee24f91f5bcec03904
Opcode Fuzzy Hash: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
Instruction Fuzzy Hash: E6419E11A19A8245FA24BF2FD8D53BDA690AF847C4FC4413BED4D7779AEE3CE5018220

Function 00007FF7D43B1210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

malloc, xrefs: 00007FF7D43B12C1, 00007FF7D43B12F6
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF7D43B12EF
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF7D43B141E
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF7D43B1276
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF7D43B12BA
1.3.1, xrefs: 00007FF7D43B1249

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: 8f2f3123d1cabff2ad8e3db6a95d4b235f7cad2490955ba460222a7cf36d71df
Instruction ID: 512ef90e2a641a1b6f1e16ff55588882a023082317670638f7f77c411bf65467
Opcode Fuzzy Hash: 8f2f3123d1cabff2ad8e3db6a95d4b235f7cad2490955ba460222a7cf36d71df
Instruction Fuzzy Hash: 8651A422A0864285EA60BF1BE4803BEB6A0AF85794FD4413AED4D677D5EF3CE5018710

Function 00007FF7D43CED10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF7D43CF0AA,?,?,-00000018,00007FF7D43CAD53,?,?,?,00007FF7D43CAC4A,?,?,?,00007FF7D43C5F3E), ref: 00007FF7D43CEE8C
GetProcAddress.KERNEL32(?,?,?,00007FF7D43CF0AA,?,?,-00000018,00007FF7D43CAD53,?,?,?,00007FF7D43CAC4A,?,?,?,00007FF7D43C5F3E), ref: 00007FF7D43CEE98

Strings

ext-ms-, xrefs: 00007FF7D43CEDE9
api-ms-, xrefs: 00007FF7D43CEDD6

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction ID: 2e4a877a5b0a577316c23d7be5c8f72bbdf7e5a1e96796032353cb711f5b129d
Opcode Fuzzy Hash: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction Fuzzy Hash: 1B41C621719A1281EA25EF2BD88157DA291FF48BE0FC8453EDD1D67784EF3CE4858324

Function 00007FF7D43B36B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF7D43B3804), ref: 00007FF7D43B36E1
GetLastError.KERNEL32(?,00007FF7D43B3804), ref: 00007FF7D43B36EB

Part of subcall function 00007FF7D43B2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7D43B3706,?,00007FF7D43B3804), ref: 00007FF7D43B2C9E
Part of subcall function 00007FF7D43B2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7D43B3706,?,00007FF7D43B3804), ref: 00007FF7D43B2D63
Part of subcall function 00007FF7D43B2C50: MessageBoxW.USER32 ref: 00007FF7D43B2D99

Strings

Failed to resolve full path to executable %ls., xrefs: 00007FF7D43B3739
Failed to convert executable path to UTF-8., xrefs: 00007FF7D43B3790
GetModuleFileNameW, xrefs: 00007FF7D43B36FA
Failed to obtain executable path., xrefs: 00007FF7D43B36F3
\\?\, xrefs: 00007FF7D43B375A

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction ID: 54fdb2aee952bfb876dd1f97624ae0d90af744088bee90f44ca2fdcae74792ae
Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction Fuzzy Hash: 68217461B1864241FA24BF2EE8953BEB650BF88354FC4423FD95DA65D5EF2CE504C720

Function 00007FF7D43CBA5C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43CBE89

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1c0df5e74df0118619baac061aee596465bcef498cfc928fc9eaa168a483e3b3
Instruction ID: 46f618c365f3b61c13a918a82f21e23b62b14c6f084f718338dfb476e8e12c63
Opcode Fuzzy Hash: 1c0df5e74df0118619baac061aee596465bcef498cfc928fc9eaa168a483e3b3
Instruction Fuzzy Hash: FCC1052290C68682E770AF1EE4842BDB751EB81B90FD5413AEA4D273D1CF7DE8658720

Function 00007FF7D43B8570 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7D43B8590
OpenProcessToken.ADVAPI32 ref: 00007FF7D43B85A3
GetTokenInformation.KERNELBASE ref: 00007FF7D43B85C8
GetLastError.KERNEL32 ref: 00007FF7D43B85D2
GetTokenInformation.KERNELBASE ref: 00007FF7D43B8612
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7D43B862E
CloseHandle.KERNEL32 ref: 00007FF7D43B8646

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
Instruction ID: a1977d4aa51ccf2ba80608171d989dd2b3a52bd4cdcd4f9d9124cf450013e41a
Opcode Fuzzy Hash: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
Instruction Fuzzy Hash: 2D214121A0C64242EA14AF5EF58432EF7A0EF857B0FD4063AEAAD53AD8DF6CD5458710

Function 00007FF7D43B90E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7D43B8570: GetCurrentProcess.KERNEL32 ref: 00007FF7D43B8590
Part of subcall function 00007FF7D43B8570: OpenProcessToken.ADVAPI32 ref: 00007FF7D43B85A3
Part of subcall function 00007FF7D43B8570: GetTokenInformation.KERNELBASE ref: 00007FF7D43B85C8
Part of subcall function 00007FF7D43B8570: GetLastError.KERNEL32 ref: 00007FF7D43B85D2
Part of subcall function 00007FF7D43B8570: GetTokenInformation.KERNELBASE ref: 00007FF7D43B8612
Part of subcall function 00007FF7D43B8570: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7D43B862E
Part of subcall function 00007FF7D43B8570: CloseHandle.KERNEL32 ref: 00007FF7D43B8646

LocalFree.KERNEL32(?,00007FF7D43B3C55), ref: 00007FF7D43B916C
LocalFree.KERNEL32(?,00007FF7D43B3C55), ref: 00007FF7D43B9175

Strings

D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF7D43B9142
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF7D43B9183
S-1-3-4, xrefs: 00007FF7D43B9121
D:(A;;FA;;;%s), xrefs: 00007FF7D43B9157

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
Instruction ID: f52aad35525bffb2e76241ef717f430d7290021ec0737eb210e2e1f7de73b1c7
Opcode Fuzzy Hash: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
Instruction Fuzzy Hash: 3A214F21A0868242FA10BF1AE4953EEB660EF88780FC4403BEA5D63796DF3CD905C760

Function 00007FF7D43B7E20 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00000000,?,00007FF7D43B352C,?,00000000,00007FF7D43B3F23), ref: 00007FF7D43B7F32

Strings

%.*s, xrefs: 00007FF7D43B7EEB
%s%c, xrefs: 00007FF7D43B7EA4
\, xrefs: 00007FF7D43B7E97

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 9023beffec3a57a4629e8abb22503f1b718fcdb28fa34784c50d465fb9ddbb72
Instruction ID: 0cd3f543de66e71187dc65d48d8441a9b79d551049fc88cddd15afdf97df725d
Opcode Fuzzy Hash: 9023beffec3a57a4629e8abb22503f1b718fcdb28fa34784c50d465fb9ddbb72
Instruction Fuzzy Hash: B131A921619AC145EB61AF2AE8907AEB754EF84BE0FC4023AEA6D577C5DF3CD6018710

Function 00007FF7D43CCF60 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7D43CCF4B), ref: 00007FF7D43CD07C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7D43CCF4B), ref: 00007FF7D43CD107

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction ID: 6275c8419f750ecd2caaa7894b87b3ca6f530528f511b25d46c4afb8cff72d8d
Opcode Fuzzy Hash: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction Fuzzy Hash: 38918632E1869185F770AF6FD48067DABA0AB44794FD4413EEE0E76A85DF39D442C720

Function 00007FF7D43CF98C Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7D43CFA7C
_get_daylight.LIBCMT ref: 00007FF7D43CFA8D
_get_daylight.LIBCMT ref: 00007FF7D43CFA9E
_isindst.LIBCMT ref: 00007FF7D43CFB69

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction ID: 72ac2b92f2e63b1c286c088c90f0b7136e127319c73359ee786eaabb5065f0fe
Opcode Fuzzy Hash: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction Fuzzy Hash: C051F972F0461186EB24EF6DD9D56BCA761AB44358FD4023FED1E62AD5DF38A402C710

Function 00007FF7D43C577C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF7D43C57AF
GetFileInformationByHandle.KERNELBASE ref: 00007FF7D43C5811
GetLastError.KERNEL32 ref: 00007FF7D43C58A2
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7D43C56B4), ref: 00007FF7D43C58EE

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 6aefb500db5e0848cb3e1a230f039049599ff649377a7022c72adab745f1037c
Instruction ID: 818dba986166fd1c3337eb620ed5282bc43c27f751ae8f0862440a2c06e682c6
Opcode Fuzzy Hash: 6aefb500db5e0848cb3e1a230f039049599ff649377a7022c72adab745f1037c
Instruction Fuzzy Hash: 93516222F047518AFB60EF7AD4903BDB7A1AB48B98FD4453ADE0D67689DF38D4418720

Function 00007FF7D43C5628 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43C5655
CreateFileW.KERNELBASE ref: 00007FF7D43C5694
CloseHandle.KERNEL32 ref: 00007FF7D43C56C9

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 8f3d5377b4ca72f71b0fe910297a4b2920b1cd85568e136600ee028e7f718979
Instruction ID: cb4340ffe6a61bd02863a6f98e75e545ef4d1cf6a32b3533f7f837bdd9b72c2b
Opcode Fuzzy Hash: 8f3d5377b4ca72f71b0fe910297a4b2920b1cd85568e136600ee028e7f718979
Instruction Fuzzy Hash: 02419422D1879183F760AF26D59036DB260FBA47A4FD0933AE65C23AD5DF7CA5E08710

Function 00007FF7D43BCC3C Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D43BCE0C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF7D43BCE20

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7D43BCC60
__scrt_release_startup_lock.LIBCMT ref: 00007FF7D43BCCCE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF7D43BCD21

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction ID: ca7aba65b0d833ff85e6038476c38b746f72a8c5657f5fcb8d65b346c8953189
Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction Fuzzy Hash: AB312725E0854681FE64BF6FD4A13BDAA919F41384FC4403FDA0E6B2D7DE2DA805CA70

Function 00007FF7D43C9A30 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF7D43C9A2C), ref: 00007FF7D43C9A41
TerminateProcess.KERNEL32(?,?,?,00007FF7D43C9A2C), ref: 00007FF7D43C9A4C
ExitProcess.KERNEL32 ref: 00007FF7D43C9A5B

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
Instruction ID: c0442da44e629a4945d29c46f38ac45b1616e294b10776bbb28b5c6ce3a3a624
Opcode Fuzzy Hash: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
Instruction Fuzzy Hash: FFD09E18B0874652EF283F7ADCD507C92556F48721FD9147EC81B2639BDE2CA8494320

Function 00007FF7D43C013C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43C0180
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43C0277

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction ID: a68b6c7c9558c27f314af6e5e2e84bb04beaf29493bdcea112f05246d962c533
Opcode Fuzzy Hash: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction Fuzzy Hash: 0651B725A092C186EA34BEAFD48067EE5B1AF44BA4FD8473ADD7D277C5CE3CD4018620

Function 00007FF7D43CC134 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF7D43CC2CD), ref: 00007FF7D43CC180
GetLastError.KERNEL32(?,?,?,?,?,00007FF7D43CC2CD), ref: 00007FF7D43CC18A

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction ID: d63f7d062aac529168779fd1bbb4d0ce98b311ed47d1d12d8395a7d2e0dd5a70
Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction Fuzzy Hash: 81119061A08A8181DA20AF2BE89416DA261AB85BF4FD4433AEE7D177D9CF38D4118700

Function 00007FF7D43C5924 Relevance: 3.0, APIs: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7D43C5839), ref: 00007FF7D43C5957
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7D43C5839), ref: 00007FF7D43C596D

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 497c6f3b45805196ef8f930e068bad9451f3f50de380bc241881b145e929bf5b
Instruction ID: 7525f55393c701185841ead285fed7bab545cefd5f2a0953b0654d7c97fd2cf5
Opcode Fuzzy Hash: 497c6f3b45805196ef8f930e068bad9451f3f50de380bc241881b145e929bf5b
Instruction Fuzzy Hash: E411822160C71282EB646F1AE49113EF760EB84771FD0023BF699919E8EF2CD414DB20

Function 00007FF7D43CA948 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF7D43D2D22,?,?,?,00007FF7D43D2D5F,?,?,00000000,00007FF7D43D3225,?,?,?,00007FF7D43D3157), ref: 00007FF7D43CA95E
GetLastError.KERNEL32(?,?,?,00007FF7D43D2D22,?,?,?,00007FF7D43D2D5F,?,?,00000000,00007FF7D43D3225,?,?,?,00007FF7D43D3157), ref: 00007FF7D43CA968

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
Instruction ID: 7c3036fa893bd987839bc775c35e8dc9af90cb5a80fe29829e7a530f3be7f522
Opcode Fuzzy Hash: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
Instruction Fuzzy Hash: 0CE04F10E0924643FF287FFBD8C513C92505F94740FC5403EC80D72291EE2C68418230

Function 00007FF7D43CAB58 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF7D43CA9D5,?,?,00000000,00007FF7D43CAA8A), ref: 00007FF7D43CABC6
GetLastError.KERNEL32(?,?,?,00007FF7D43CA9D5,?,?,00000000,00007FF7D43CAA8A), ref: 00007FF7D43CABD0

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction ID: 2974cffc636d9c0a5b30270d41910ad8720be1d0298acce6a24c4eb682af1a77
Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction Fuzzy Hash: 3021A411B0868242FEB4BF6BD4D437D92929F847A0FC8423FDA6E677D5DE6DA4414320

Function 00007FF7D43CBEAC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43CBED4

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction ID: 1bd4e377664ba382f39f2238ad2dd08f07c6639419b99fc771439467a45d3df4
Opcode Fuzzy Hash: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction Fuzzy Hash: B641B63291824587EA34AF2EF58027DB3A0EB55B91FD0013AD68E977D1CF2CE412CB61

Function 00007FF7D43B7F90 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF7D43B803A

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 7026eb3b68f3585a2f5768ea15c5ca7bda34a28a3ae4cdbb6486ed2f903c9d01
Instruction ID: 070fb9b29dd4c9aeb36f998130997601873fd2dd2ac891ff60cd9d595a3629b6
Opcode Fuzzy Hash: 7026eb3b68f3585a2f5768ea15c5ca7bda34a28a3ae4cdbb6486ed2f903c9d01
Instruction Fuzzy Hash: CC21B911B18A9257FA14BE1BE5443BEEA51BF45BC4FC84436EE4C27786CE7DE045C220

Function 00007FF7D43CB93C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43CB9C2

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
Instruction ID: a0e2f4fa19cf3fc71402316e751c3928f6e32245b25b369d47c92bfb2bc7bd51
Opcode Fuzzy Hash: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
Instruction Fuzzy Hash: 9D315E22A1861286E7217F5BD88137CAA90AF90BA5FD2013FE95D373D2CE7CA4518731

Function 00007FF7D43C9961 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7D43C998F

Part of subcall function 00007FF7D43C9A88: GetModuleHandleExW.KERNEL32 ref: 00007FF7D43C9AAD
Part of subcall function 00007FF7D43C9A88: GetProcAddress.KERNEL32 ref: 00007FF7D43C9AC3
Part of subcall function 00007FF7D43C9A88: FreeLibrary.KERNEL32 ref: 00007FF7D43C9AEA

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
Instruction ID: 5814e3b10a136553733faf295a1c885d7719efb8acf1a6b0a67e36439b5f9014
Opcode Fuzzy Hash: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
Instruction Fuzzy Hash: 65217F72A147458AEB24AF69C4C02EC73A0FB44718FC5463BD75D26AD9DF38D544C750

Function 00007FF7D43C5F94 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43C5EF9

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 22fb7ce461a002467d1de3ea9f6010fccbafd4eb18a8ad8cafcd1aeef6ae697b
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: B1115421A1C751C2EB70BF5AD4802BDE664AF95B84FC4443BEA4C77A96CF7DE4008720

Function 00007FF7D43D6354 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43D6377

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction ID: c260e068dfd4336831760958f96e365d554504c99bc46d85a34a761bd948f96f
Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction Fuzzy Hash: 3A21B332608A4187DB60AF1ED48037DB6A0BB84B54FEC4239E66D576D9DF3CD4218B10

Function 00007FF7D43C03BC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43C0410

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: 38393aa62a37908c52c274a31113e7b95a9191b3a2ebd4ad43fc42d74e7f1260
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: FF018221A0879541EA24BF9BD94016EE6B1AF95FE0FD8463ADE5C23BD6CE3CD4018710

Function 00007FF7D43C7EFC Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43C7F3A

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: eb4e03bbc0b04cbc85d5aa4284f536322b5632f0a5d263bd1b62b358e696f9c3
Instruction ID: 05d1aa1d04b1c063838f3e3629079a7d2c6f6a32f9f238b9e5b83337787cc33b
Opcode Fuzzy Hash: eb4e03bbc0b04cbc85d5aa4284f536322b5632f0a5d263bd1b62b358e696f9c3
Instruction Fuzzy Hash: 51015720E1D68381FE707E6BE5C12BE9690AF44790FC4423FEE6C62AC6DF2CA4514230

Function 00007FF7D43C8238 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43C8251

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction ID: fff316644e56e39322f84602e9b6f9a509c7afe0950fab6c40f4455d1532e16e
Opcode Fuzzy Hash: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction Fuzzy Hash: 5DE08C50E0C60787FA393EAEC4C627C94208FA5340FC0003EE908362C3DD2C78445232

Function 00007FF7D43CEB98 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF7D43CB32A,?,?,?,00007FF7D43C4F11,?,?,?,?,00007FF7D43CA48A), ref: 00007FF7D43CEBED

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
Instruction ID: 8230caa11b1693076b3ccf12e2e043f43cf2fea8bde15c407dcaae39a52e80fb
Opcode Fuzzy Hash: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
Instruction Fuzzy Hash: 27F03C58B0D20641FE687EAFD8962BC92915F88B40FCC553AC90F662C1DE1CA4804230

Function 00007FF7D43CD5FC Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF7D43C0C90,?,?,?,00007FF7D43C22FA,?,?,?,?,?,00007FF7D43C3AE9), ref: 00007FF7D43CD63A

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction ID: 3744a3660ed03ebe4dab6f64b2eb9a77a75bb8c579c67eae31f4696e142a362d
Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction Fuzzy Hash: 69F0FE50B0928645FE747F7BD8C167DD2905F847A0FC8073AED2E652C1DE2CA490D530

Non-executed Functions

Function 00007FF7D43B76C0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF7D43B76D7
GetLastError.KERNEL32 ref: 00007FF7D43B76E9
GetProcAddress.KERNEL32 ref: 00007FF7D43B7725
GetLastError.KERNEL32 ref: 00007FF7D43B7737
GetProcAddress.KERNEL32 ref: 00007FF7D43B7750
GetLastError.KERNEL32 ref: 00007FF7D43B7762
GetProcAddress.KERNEL32 ref: 00007FF7D43B777B
GetLastError.KERNEL32 ref: 00007FF7D43B778D
GetProcAddress.KERNEL32 ref: 00007FF7D43B77A9
GetLastError.KERNEL32 ref: 00007FF7D43B77BB
GetProcAddress.KERNEL32 ref: 00007FF7D43B77D7
GetLastError.KERNEL32 ref: 00007FF7D43B77E9
GetProcAddress.KERNEL32 ref: 00007FF7D43B7805
GetLastError.KERNEL32 ref: 00007FF7D43B7817
GetProcAddress.KERNEL32 ref: 00007FF7D43B7833
GetLastError.KERNEL32 ref: 00007FF7D43B7845
GetProcAddress.KERNEL32 ref: 00007FF7D43B7861
GetLastError.KERNEL32 ref: 00007FF7D43B7873

Strings

Tcl_NewStringObj, xrefs: 00007FF7D43B7ADB, 00007FF7D43B7AFD
Tcl_EvalEx, xrefs: 00007FF7D43B7BC1, 00007FF7D43B7BE3
Failed to get address for %hs, xrefs: 00007FF7D43B76F8
Tcl_Alloc, xrefs: 00007FF7D43B7C1D, 00007FF7D43B7C3F
Tk_GetNumMainWindows, xrefs: 00007FF7D43B7CA7, 00007FF7D43B7CC9
Tcl_MutexFinalize, xrefs: 00007FF7D43B790F, 00007FF7D43B7931
Tcl_GetString, xrefs: 00007FF7D43B7AAD, 00007FF7D43B7ACF
Tcl_Init, xrefs: 00007FF7D43B76D0, 00007FF7D43B76EF
Tcl_MutexUnlock, xrefs: 00007FF7D43B78E1, 00007FF7D43B7903
Tcl_SetVar2Ex, xrefs: 00007FF7D43B7B37, 00007FF7D43B7B59
Tcl_MutexLock, xrefs: 00007FF7D43B78B3, 00007FF7D43B78D5
Tcl_ThreadQueueEvent, xrefs: 00007FF7D43B79C7, 00007FF7D43B79E9
Tcl_EvalFile, xrefs: 00007FF7D43B7B93, 00007FF7D43B7BB5
Tcl_FinalizeThread, xrefs: 00007FF7D43B77CD, 00007FF7D43B77EF
Tcl_FindExecutable, xrefs: 00007FF7D43B7746, 00007FF7D43B7768
Tcl_CreateInterp, xrefs: 00007FF7D43B771B, 00007FF7D43B773D
Tcl_GetCurrentThread, xrefs: 00007FF7D43B7857, 00007FF7D43B7879
Tcl_CreateThread, xrefs: 00007FF7D43B7829, 00007FF7D43B784B
Tcl_CreateObjCommand, xrefs: 00007FF7D43B7A7F, 00007FF7D43B7AA1
Tcl_DeleteInterp, xrefs: 00007FF7D43B77FB, 00007FF7D43B781D
Tcl_ConditionWait, xrefs: 00007FF7D43B7999, 00007FF7D43B79BB
Tcl_Free, xrefs: 00007FF7D43B7C4B, 00007FF7D43B7C6D
Tcl_JoinThread, xrefs: 00007FF7D43B7885, 00007FF7D43B78A7
Tcl_ConditionFinalize, xrefs: 00007FF7D43B793D, 00007FF7D43B795F
Tk_Init, xrefs: 00007FF7D43B7C79, 00007FF7D43B7C9B
Tcl_ConditionNotify, xrefs: 00007FF7D43B796B, 00007FF7D43B798D
Tcl_GetVar2, xrefs: 00007FF7D43B7A23, 00007FF7D43B7A45
Tcl_DoOneEvent, xrefs: 00007FF7D43B7771, 00007FF7D43B7793
GetProcAddress, xrefs: 00007FF7D43B76FF
Tcl_ThreadAlert, xrefs: 00007FF7D43B79F5, 00007FF7D43B7A17
Tcl_Finalize, xrefs: 00007FF7D43B779F, 00007FF7D43B77C1
Tcl_GetObjResult, xrefs: 00007FF7D43B7B65, 00007FF7D43B7B87
Tcl_NewByteArrayObj, xrefs: 00007FF7D43B7B09, 00007FF7D43B7B2B
Tcl_SetVar2, xrefs: 00007FF7D43B7A51, 00007FF7D43B7A73
Tcl_EvalObjv, xrefs: 00007FF7D43B7BEF, 00007FF7D43B7C11

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction ID: 2807a74532913eb0e0471a253c95a0a47d403eee014a8e1bdb0a747dbaecc66d
Opcode Fuzzy Hash: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction Fuzzy Hash: 5602A224A49B4791FE55FF5FE8D06BCB6A1AF08754BD8013FD42E26260EF3CB5498220

Function 00007FF7D43D40AC Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF7D43D40FA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43D4766
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43D48DC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43D4B9A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43D4DBA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43D4FF7
memcpy_s.LIBCPMT ref: 00007FF7D43D50D2
memcpy_s.LIBCPMT ref: 00007FF7D43D517D
memcpy_s.LIBCPMT ref: 00007FF7D43D524C

Strings

1#IND, xrefs: 00007FF7D43D41E7
1#QNAN, xrefs: 00007FF7D43D4213
1#SNAN, xrefs: 00007FF7D43D420A
1#INF, xrefs: 00007FF7D43D4223

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
Instruction ID: f08ff340588555f39f5447e994592f5c0243892783390013959e388e4816b213
Opcode Fuzzy Hash: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
Instruction Fuzzy Hash: 6DB2EA72E182924BEB249E6ED5807FDB7A1FB54348FD8513ADA0D77A84DB38E500CB50

Function 00007FF7D43BACAD Relevance: 12.0, Strings: 9, Instructions: 744COMMON

Download Yara Rule

Strings

invalid code lengths set, xrefs: 00007FF7D43BAE2D
invalid distances set, xrefs: 00007FF7D43BB1A0
invalid literal/length code, xrefs: 00007FF7D43BB3E2
too many length or distance symbols, xrefs: 00007FF7D43BAE46
invalid distance too far back, xrefs: 00007FF7D43BB670
invalid literal/lengths set, xrefs: 00007FF7D43BB133
invalid code -- missing end-of-block, xrefs: 00007FF7D43BB0C6
invalid distance code, xrefs: 00007FF7D43BB5B4
invalid bit length repeat, xrefs: 00007FF7D43BB099

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 55880860ec2df9374ed9e05eb7c1f9660e2769407a38999da05ffb99d6c3dc89
Instruction ID: 5c21b5596f2f920c8445323b55ece997929207730de48e213ef86e6ab6e0e9e5
Opcode Fuzzy Hash: 55880860ec2df9374ed9e05eb7c1f9660e2769407a38999da05ffb99d6c3dc89
Instruction Fuzzy Hash: E152E572A146E58BE7A4AF19C498B7E7BA9FB44340F81413EE64A97780DF3CD844CB50

Function 00007FF7D43BD12C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7D43BD148
RtlCaptureContext.KERNEL32 ref: 00007FF7D43BD175
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7D43BD18F
RtlVirtualUnwind.KERNEL32 ref: 00007FF7D43BD1D0
IsDebuggerPresent.KERNEL32 ref: 00007FF7D43BD224
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7D43BD241
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7D43BD24C

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction ID: 7126b5df603f13df858fea1923e72a6348aa147e0463bcddd6330186f0c09073
Opcode Fuzzy Hash: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction Fuzzy Hash: 66313272608B8186EB60AF65E8803EEB364FB84754F84403EDA4E57B98DF3CD548C720

Function 00007FF7D43CA614 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7D43CA68D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7D43CA6A5
RtlVirtualUnwind.KERNEL32 ref: 00007FF7D43CA6E0
IsDebuggerPresent.KERNEL32 ref: 00007FF7D43CA719
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7D43CA723
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7D43CA72E

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction ID: 0388e69b761e88577bb386e707efe884bc6ad6fe54bddd7aaf6b552db4ca4395
Opcode Fuzzy Hash: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction Fuzzy Hash: 40318636608B8186DB60EF2AE8843AEB3A4FB84754FD4013AEA9D53B55DF3CC555CB10

Function 00007FF7D43D1874 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43D18C0
FindFirstFileExW.KERNEL32 ref: 00007FF7D43D19CA

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
Instruction ID: 3eea3d3c122516247635cfd229f0a7acb762a689d787cee6900f724db6b898f9
Opcode Fuzzy Hash: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
Instruction Fuzzy Hash: A0B1A422B1868642EE60AF6BD5842BDE250EB44BE4FC8513BE95D27B89DF3CE441C310

Function 00007FF7D43BD010 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7D43BD03C
GetCurrentThreadId.KERNEL32 ref: 00007FF7D43BD04A
GetCurrentProcessId.KERNEL32 ref: 00007FF7D43BD056
QueryPerformanceCounter.KERNEL32 ref: 00007FF7D43BD066

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction ID: d7c8d1c74602602a53b700d1793dec442f55a6860364db5863319be53049dcf5
Opcode Fuzzy Hash: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction Fuzzy Hash: B0114C22B14F058AEF009F66E8852AD73A4FB19758F840E3ADA2D56BA8DF38D5548350

Function 00007FF7D43D3C10 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF7D43D3C76
memcpy_s.LIBCPMT ref: 00007FF7D43D3CA1

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: 66b89930b986d50f6f2da0d77575af3bfc4acf4e7b5a03a1328fbe17b04eb4a1
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: 6EC1D772B1968587DB24DF1AE0846ADF791F794784FC8813ADB4A63784DB3DE901CB40

Function 00007FF7D43BA474 Relevance: 4.1, Strings: 3, Instructions: 398COMMON

Download Yara Rule

Strings

header crc mismatch, xrefs: 00007FF7D43BA921
, xrefs: 00007FF7D43BA55B
unknown header flags set, xrefs: 00007FF7D43BA4C5

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown header flags set
API String ID: 0-1127688429
Opcode ID: fcf6ea83c7a46010d3591867e81b0f53761d3f113121264a3729654d2d1b513f
Instruction ID: 19fa2bfab0bab03c51a25ecb01348565f0bdd2a1d595a7344a115a3ad38ddd67
Opcode Fuzzy Hash: fcf6ea83c7a46010d3591867e81b0f53761d3f113121264a3729654d2d1b513f
Instruction Fuzzy Hash: 64F19272A187D54BE7A5AF1AC0C8B3EBEA9EF44740F85413EDA8967790CB38D540C750

Function 00007FF7D43D9728 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF7D43D9977
RaiseException.KERNEL32 ref: 00007FF7D43D9988

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: a4cc0e8a2f7e024105bf8074fef1866164229a93701b52dcf00f6f20498becf3
Instruction ID: 255a090815576ccdb8336a98c42f9d5b3d7b4d408c6ac6ba5fc42b1a2b19b85c
Opcode Fuzzy Hash: a4cc0e8a2f7e024105bf8074fef1866164229a93701b52dcf00f6f20498becf3
Instruction Fuzzy Hash: 16B16E73A04B898BEB15CF2EC88636C77A0FB44F48F598926DA5D937A8CB39D451C710

Function 00007FF7D43C39A4 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF7D43C3D54
, xrefs: 00007FF7D43C3B12

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: e57f1980f4491aea9eb328a1e81193c2bccc9a7e68d1918bb9b7207cf9600634
Instruction ID: 9d70072b7aa10a34cfabdb79654adc2ee90b0e756dbd78acddfd640a336aac18
Opcode Fuzzy Hash: e57f1980f4491aea9eb328a1e81193c2bccc9a7e68d1918bb9b7207cf9600634
Instruction Fuzzy Hash: 06E19236A0864285EB7CAE2EC0D413DB360EF45B58FD4513EDA0E676D4DF2AE861C760

Function 00007FF7D43BA2DB Relevance: 2.7, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

invalid window size, xrefs: 00007FF7D43BA442
incorrect header check, xrefs: 00007FF7D43BA45B

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size
API String ID: 0-900081337
Opcode ID: 7e7bac63e97a7e962ac1d8bc37368dc0e110af78d4507200a91f80e7c7b94e68
Instruction ID: 2760d27539768b171078c466b010f310338b2ec8273cba2dcf11e627df272665
Opcode Fuzzy Hash: 7e7bac63e97a7e962ac1d8bc37368dc0e110af78d4507200a91f80e7c7b94e68
Instruction Fuzzy Hash: F5918572A186C587E7A4AE1AC4C8B3E7EA9FF44350FD1413EDA4A56780CF38E540CB10

Function 00007FF7D43CDEF0 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

e+000, xrefs: 00007FF7D43CDFFD
gfff, xrefs: 00007FF7D43CE07A

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: c8a24eaff8c968987b4d031b15ae93849e98bcf9eddb8930961e84febef9b5bc
Instruction ID: 9883a34564afb8a0c9676923a8c6d83af3b67fd858d21972ceb59c8d426add63
Opcode Fuzzy Hash: c8a24eaff8c968987b4d031b15ae93849e98bcf9eddb8930961e84febef9b5bc
Instruction Fuzzy Hash: A7516622B182D546E7309E3BD88176DAB91F744B94FC8823ADB9847AC1CE3DD0408710

Function 00007FF7D43CDA5C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF7D43CDD9E

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction ID: 360b0b1eb9f6edbcaa3296cdcdc3c4a5f7e7c020053c55b89861834ec13baece
Opcode Fuzzy Hash: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction Fuzzy Hash: D3A14762A087C586EB31DF2BE4807AEBB91AB50B84F858136EE4D577C5DE3DE401C711

Function 00007FF7D43C8794 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF7D43C87B3

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 09cdd7cf7fc9e7e425d724a32e8c9d3bd5c12dba7606eca5b930980d9b4d1239
Instruction ID: 2e2516d75816830c76d13e2aaed2cbf44646d52ea21bf3ab428bea29abba88d9
Opcode Fuzzy Hash: 09cdd7cf7fc9e7e425d724a32e8c9d3bd5c12dba7606eca5b930980d9b4d1239
Instruction Fuzzy Hash: DD51AD11B0874642FA78BE2FD98117ED2916F44BD5FC8453EDE8E67B96EE3CE5024220

Function 00007FF7D43D3480 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF7D43D3484

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 1f9e0516fd534d967cb731c121838b59470578846d262458ea046ba55ab40ebf
Instruction ID: 67a574e4156815d71d6473cb903ca5fa735c5937c75b8785dba9e0bd9593e114
Opcode Fuzzy Hash: 1f9e0516fd534d967cb731c121838b59470578846d262458ea046ba55ab40ebf
Instruction Fuzzy Hash: B7B09220E07A02D2EE083F6AECC221C62A47F48710FD8017EC00C60330DE3C20F59720

Function 00007FF7D43C35A0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eca4e5ff3e7205525bf20f3b63783aa462e3e7adb0228d62bb7e98ab9f5e9bb
Instruction ID: 4fd976417abd4d687d2bb6e4c5d5834c65528bde878e7a1b5c488435335b7751
Opcode Fuzzy Hash: 5eca4e5ff3e7205525bf20f3b63783aa462e3e7adb0228d62bb7e98ab9f5e9bb
Instruction Fuzzy Hash: 82D1A162A0864285FB7CAE2EC4D027DA6A0EB05B48FD4423ECE4D27795DF39E855C760

Function 00007FF7D43B9800 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75d751cc15dfd510e55d83c6141b0e8cb11d18cbed01e0c543b372a0114c593
Instruction ID: bd5a76584aff85c9e4728dfed252964cdb629ef1dfa6bc73b713fbd4e6e45e88
Opcode Fuzzy Hash: e75d751cc15dfd510e55d83c6141b0e8cb11d18cbed01e0c543b372a0114c593
Instruction Fuzzy Hash: 0FC18F762181E08BD28AEB29E4B947A77E1F78930DBD5406BEF8747785C63CE414DB20

Function 00007FF7D43C2C10 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa73bfa000bc8cd66a05f12d530b76a597660d7bda6a6781f52cf2f49ffced0b
Instruction ID: def7fba1cf65835cdef6380eef74938b3f859a8aa050194c8ede8663e07c8c4e
Opcode Fuzzy Hash: aa73bfa000bc8cd66a05f12d530b76a597660d7bda6a6781f52cf2f49ffced0b
Instruction Fuzzy Hash: D1B17C72908B8586E774AF3EC09423CBBA0E749B48FE8413ACA4E67395CF39D441C764

Function 00007FF7D43CE570 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9611c2e0762efa78d7f6da3d8515592aa8d86601c49200b7335873453b670326
Instruction ID: c9662e37fc4bd794a29c89542f7ca730aa8084eed3d6095079692645881c2da6
Opcode Fuzzy Hash: 9611c2e0762efa78d7f6da3d8515592aa8d86601c49200b7335873453b670326
Instruction Fuzzy Hash: 1281D272A1878146E774EF1ED48236EBA91FB45794FD0423ADA8D53B89DF3CE4808B10

Function 00007FF7D43D6418 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 403f67b08c5d8b9127b9d27d37b93e2a1e0a746a19683c5483168a42cc689f1f
Instruction ID: 8a162424da4c4e3d59aa44e426952063bc19655688cac3cb85838e8138a9ddad
Opcode Fuzzy Hash: 403f67b08c5d8b9127b9d27d37b93e2a1e0a746a19683c5483168a42cc689f1f
Instruction Fuzzy Hash: 3261D432E0825246FF74AE6ED49063DE691AF50760FDC423FD62D62AC5DF6DE8508B20

Function 00007FF7D43C1D54 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: da5581d64c3f03b3fd571517d4cae87b7db3706b16c3e70ccf2e6d465dd166bd
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: C7518436A1865182EB349F2EC08423CB7A1EB45B58FA4413ADA4D677D4CF3AE853DB50

Function 00007FF7D43C2164 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: f2bf67178f09f5f9f21f24f0cb5148fc176c6501ad88ed15200e001708028d37
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: 1B519536E1865186E7749F2EC48423CB3A1EB54B58FA8413ACE5D27794CF3AE843C750

Function 00007FF7D43C1944 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: 2a5ef6a9b19a74209e821428cfd97d7a714fa08cd8f6bba40a95b15e18ec5b84
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: F8518C76A1465185EB349F1EC09023C77A0EB45B68FE44136CE8D27798DF3AE853DB90

Function 00007FF7D43C1F60 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction ID: 5ee2eb2b20541275b8ede8b892b435ef6b6c0bf4c32b6747c98b8e7e57f56c48
Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction Fuzzy Hash: 66517236A1865185EB349F2EC08023CB7A0EB44B58FE8413BCE4D27795CB3AE843DB50

Function 00007FF7D43C1740 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction ID: 3366ce964ead1717488ddacb50abe5466c148f129bb7e38744d7d30df4107c15
Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction Fuzzy Hash: 5F517536A1865186EB749F2EC08023DA7A1EB45B58FE44136CE4D27794CF3AE853DB90

Function 00007FF7D43C1B50 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction ID: 3c538cc1e3932f93e319e8c8bda333ad32ce4f5da3ddb3d81ab3f088fe2ff8dd
Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction Fuzzy Hash: DE51A636A1865185EB349F2EC09423C77A1EB44B58FE88136DA4D27794DF3AE843DF50

Function 00007FF7D43C5D30 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: 92c63139ecbf67326640c80b620ec550672a3e22e0eff0c5c658a1512d0f3060
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: CC41C66280E7AA45E9B99D2E854C6BCB7819F227A0DD813BEDD9D373C3CD0D7586C120

Function 00007FF7D43C9EA0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
Instruction ID: 4e2d8a6654d02ff82dddfd5837e2f9bd8d9f9f81cb7c644f29c5bca6c031889c
Opcode Fuzzy Hash: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
Instruction Fuzzy Hash: 8F41E422715A5582EF14DF2FD95526DA391BB48FD0B89903BDE0DA7B58DE3CC4418300

Function 00007FF7D43C80E4 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction ID: 3d7663eaf69d9c39335e4702fe08e378f1c751e6ae08b4db3c2f6ecf35a269e2
Opcode Fuzzy Hash: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction Fuzzy Hash: 2331E532718B4242E768AF2AE48013DA6D4AB84BD0FD4423EEA9D63BD5DF3CD1018714

Function 00007FF7D43D9570 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d3ac10822f6242d2b374fc0e1218152d8e80c351f0dfcd4fab21387456caa74
Instruction ID: 784dab159fbfde3883c7d4b64617146c45da6e59141400518e2a318176808ccf
Opcode Fuzzy Hash: 5d3ac10822f6242d2b374fc0e1218152d8e80c351f0dfcd4fab21387456caa74
Instruction Fuzzy Hash: 81F044717182958ADB98DF6DE44262D77D0F7083C0FC0807ED58983A04DA3C90518F14

Function 00007FF7D43BD30C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c3909751b2697c6481bc0460501d6177e5cf72f77169ad8285d6e0cd944102a
Instruction ID: 3628c27521c2b2cfd7f1930d67fa75e21fff872a1226c5cb623a48b14c65b531
Opcode Fuzzy Hash: 3c3909751b2697c6481bc0460501d6177e5cf72f77169ad8285d6e0cd944102a
Instruction Fuzzy Hash: E3A00122D0C94AD0EA44AF0AE8D012DA620BB55310BC4003AE00D610A19F3CA404D220

Function 00007FF7D43B5830 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF7D43B64CF,?,00007FF7D43B336E), ref: 00007FF7D43B5840
GetLastError.KERNEL32(?,00007FF7D43B64CF,?,00007FF7D43B336E), ref: 00007FF7D43B5852
GetProcAddress.KERNEL32(?,00007FF7D43B64CF,?,00007FF7D43B336E), ref: 00007FF7D43B5889
GetLastError.KERNEL32(?,00007FF7D43B64CF,?,00007FF7D43B336E), ref: 00007FF7D43B589B
GetProcAddress.KERNEL32(?,00007FF7D43B64CF,?,00007FF7D43B336E), ref: 00007FF7D43B58B4
GetLastError.KERNEL32(?,00007FF7D43B64CF,?,00007FF7D43B336E), ref: 00007FF7D43B58C6
GetProcAddress.KERNEL32(?,00007FF7D43B64CF,?,00007FF7D43B336E), ref: 00007FF7D43B58DF
GetLastError.KERNEL32(?,00007FF7D43B64CF,?,00007FF7D43B336E), ref: 00007FF7D43B58F1
GetProcAddress.KERNEL32(?,00007FF7D43B64CF,?,00007FF7D43B336E), ref: 00007FF7D43B590D
GetLastError.KERNEL32(?,00007FF7D43B64CF,?,00007FF7D43B336E), ref: 00007FF7D43B591F
GetProcAddress.KERNEL32(?,00007FF7D43B64CF,?,00007FF7D43B336E), ref: 00007FF7D43B593B
GetLastError.KERNEL32(?,00007FF7D43B64CF,?,00007FF7D43B336E), ref: 00007FF7D43B594D
GetProcAddress.KERNEL32(?,00007FF7D43B64CF,?,00007FF7D43B336E), ref: 00007FF7D43B5969
GetLastError.KERNEL32(?,00007FF7D43B64CF,?,00007FF7D43B336E), ref: 00007FF7D43B597B
GetProcAddress.KERNEL32(?,00007FF7D43B64CF,?,00007FF7D43B336E), ref: 00007FF7D43B5997
GetLastError.KERNEL32(?,00007FF7D43B64CF,?,00007FF7D43B336E), ref: 00007FF7D43B59A9
GetProcAddress.KERNEL32(?,00007FF7D43B64CF,?,00007FF7D43B336E), ref: 00007FF7D43B59C5
GetLastError.KERNEL32(?,00007FF7D43B64CF,?,00007FF7D43B336E), ref: 00007FF7D43B59D7

Strings

Py_InitializeFromConfig, xrefs: 00007FF7D43B5903, 00007FF7D43B5925
PyRun_SimpleStringFlags, xrefs: 00007FF7D43B5E0B, 00007FF7D43B5E2D
Failed to get address for %hs, xrefs: 00007FF7D43B5861
PyObject_SetAttrString, xrefs: 00007FF7D43B5D81, 00007FF7D43B5DA3
PyConfig_SetString, xrefs: 00007FF7D43B5A45, 00007FF7D43B5A67
PyImport_AddModule, xrefs: 00007FF7D43B5BE3, 00007FF7D43B5C05
PyModule_GetDict, xrefs: 00007FF7D43B5CC9, 00007FF7D43B5CEB
PyUnicode_DecodeFSDefault, xrefs: 00007FF7D43B5F1F, 00007FF7D43B5F41
PySys_SetObject, xrefs: 00007FF7D43B5E95, 00007FF7D43B5EB7
PyConfig_SetBytesString, xrefs: 00007FF7D43B5A17, 00007FF7D43B5A39
PyMem_RawFree, xrefs: 00007FF7D43B5C9B, 00007FF7D43B5CBD
Py_ExitStatusException, xrefs: 00007FF7D43B58AA, 00007FF7D43B58CC
PyConfig_SetWideStringList, xrefs: 00007FF7D43B5A73, 00007FF7D43B5A95
PyEval_EvalCode, xrefs: 00007FF7D43B5BB5, 00007FF7D43B5BD7
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF7D43B5DDD, 00007FF7D43B5DFF
PyConfig_InitIsolatedConfig, xrefs: 00007FF7D43B59BB, 00007FF7D43B59DD
Py_PreInitialize, xrefs: 00007FF7D43B595F, 00007FF7D43B5981
PyImport_ImportModule, xrefs: 00007FF7D43B5C3F, 00007FF7D43B5C61
Py_DecRef, xrefs: 00007FF7D43B5836, 00007FF7D43B5858
PyObject_GetAttrString, xrefs: 00007FF7D43B5D53, 00007FF7D43B5D75
PyErr_NormalizeException, xrefs: 00007FF7D43B5AFD, 00007FF7D43B5B1F
PyErr_Restore, xrefs: 00007FF7D43B5B87, 00007FF7D43B5BA9
PyUnicode_Replace, xrefs: 00007FF7D43B5FD7, 00007FF7D43B5FF9
PyObject_Str, xrefs: 00007FF7D43B5DAF, 00007FF7D43B5DD1
PyErr_Fetch, xrefs: 00007FF7D43B5ACF, 00007FF7D43B5AF1
PyErr_Print, xrefs: 00007FF7D43B5B59, 00007FF7D43B5B7B
PyUnicode_FromFormat, xrefs: 00007FF7D43B5F4D, 00007FF7D43B5F6F
GetProcAddress, xrefs: 00007FF7D43B5868
Py_IsInitialized, xrefs: 00007FF7D43B5931, 00007FF7D43B5953
PyErr_Clear, xrefs: 00007FF7D43B5AA1, 00007FF7D43B5AC3
PyUnicode_Decode, xrefs: 00007FF7D43B5EF1, 00007FF7D43B5F13
Py_DecodeLocale, xrefs: 00007FF7D43B587F, 00007FF7D43B58A1
Py_Finalize, xrefs: 00007FF7D43B58D5, 00007FF7D43B58F7
PyErr_Occurred, xrefs: 00007FF7D43B5B2B, 00007FF7D43B5B4D
PyUnicode_Join, xrefs: 00007FF7D43B5FA9, 00007FF7D43B5FCB
PyConfig_Clear, xrefs: 00007FF7D43B598D, 00007FF7D43B59AF
PyImport_ExecCodeModule, xrefs: 00007FF7D43B5C11, 00007FF7D43B5C33
PyStatus_Exception, xrefs: 00007FF7D43B5E39, 00007FF7D43B5E5B
PySys_GetObject, xrefs: 00007FF7D43B5E67, 00007FF7D43B5E89
PyObject_CallFunction, xrefs: 00007FF7D43B5CF7, 00007FF7D43B5D19
PyUnicode_FromString, xrefs: 00007FF7D43B5F7B, 00007FF7D43B5F9D
PyMarshal_ReadObjectFromString, xrefs: 00007FF7D43B5C6D, 00007FF7D43B5C8F
PyUnicode_AsUTF8, xrefs: 00007FF7D43B5EC3, 00007FF7D43B5EE5
PyConfig_Read, xrefs: 00007FF7D43B59E9, 00007FF7D43B5A0B
PyObject_CallFunctionObjArgs, xrefs: 00007FF7D43B5D25, 00007FF7D43B5D47

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction ID: b6df615f5a4d0460b75ec6f743c927de279141c6e3b1bb1618669477b83cfcfd
Opcode Fuzzy Hash: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction Fuzzy Hash: A8229764A59B0791FE15FF5FF8D46BCB2A0AF14795BC8543FC85E22260EF3CA5488620

Function 00007FF7D43B81D0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D43B9390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7D43B45F4,00000000,00007FF7D43B1985), ref: 00007FF7D43B93C9

ExpandEnvironmentStringsW.KERNEL32(?,00007FF7D43B86B7,?,?,00000000,00007FF7D43B3CBB), ref: 00007FF7D43B822C

Part of subcall function 00007FF7D43B2810: MessageBoxW.USER32 ref: 00007FF7D43B28EA

Strings

LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF7D43B8373
\, xrefs: 00007FF7D43B8261
CreateDirectory, xrefs: 00007FF7D43B837C
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF7D43B8203
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF7D43B8240
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF7D43B829D
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF7D43B82D9
%.*s, xrefs: 00007FF7D43B830C

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 9187bed43bf71c5340eadf58a1920dd2feb36a2730cc38c17813087cef3183ed
Instruction ID: a9e3e13bd09c1a96c8feef85c5d709b09764e0570afbdf9b019c1c0e1b6e68ae
Opcode Fuzzy Hash: 9187bed43bf71c5340eadf58a1920dd2feb36a2730cc38c17813087cef3183ed
Instruction Fuzzy Hash: 8D51A211A18A8281FA64BF2FD8D53BDF650AF84780FC4443FDA4E666D5EF2CE4058720

Function 00007FF7D43B2180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF7D43B21AB
SelectObject.GDI32 ref: 00007FF7D43B21F2
DrawTextW.USER32 ref: 00007FF7D43B2215
SelectObject.GDI32 ref: 00007FF7D43B222B
ReleaseDC.USER32 ref: 00007FF7D43B223B
MoveWindow.USER32 ref: 00007FF7D43B228B
MoveWindow.USER32 ref: 00007FF7D43B22CB
MoveWindow.USER32 ref: 00007FF7D43B231E
MoveWindow.USER32 ref: 00007FF7D43B2366

Strings

P%, xrefs: 00007FF7D43B21FF

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: 19922fc50b8fe5b7e3ba6936017e502a2afec3f635323a1ca6e67e3e8bcca710
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: 5951E626604BA186DA349F26E4582BEF7A1F798B61F404126EFDE43794DF3CD045DB20

Function 00007FF7D43B80C0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF7D43B80FF
GetWindowLongPtrW.USER32 ref: 00007FF7D43B817F
ShutdownBlockReasonCreate.USER32 ref: 00007FF7D43B8192
GetLastError.KERNEL32 ref: 00007FF7D43B819C
SetWindowLongPtrW.USER32 ref: 00007FF7D43B81B3

Strings

Needs to remove its temporary files., xrefs: 00007FF7D43B8185

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction ID: 40ccbaf79d0a1306a0facecf860acbf957bf75e5b192450d8fd3d05a27f65373
Opcode Fuzzy Hash: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction Fuzzy Hash: 80217921B09A4282EB45AF7FE88427DA650EF48BA0FDC413ADA6D53394DF2CD5514220

Function 00007FF7D43C6290 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43C62D3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43C66C0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43C695C

Strings

p, xrefs: 00007FF7D43C6385
p, xrefs: 00007FF7D43C63FD
-, xrefs: 00007FF7D43C6369
f, xrefs: 00007FF7D43C63F5
:, xrefs: 00007FF7D43C648C

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: 1fde2ed8748679b2553f916e00f109d7ffa0b8cdc970ec5d93e9f568ace41f63
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: 92127F61E0C24386FB30BE1AD19467DF6A1EB90750FDC413BE699666C4DF3CE5A08B21

Function 00007FF7D43C0FC8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43C1008
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43C13D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43C166F

Strings

f, xrefs: 00007FF7D43C10A0
p, xrefs: 00007FF7D43C10AD
f, xrefs: 00007FF7D43C110A
f, xrefs: 00007FF7D43C1255
p, xrefs: 00007FF7D43C1112

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: e0e8c628be4b75011547a35d256e960c76abbc111bd6f4453414004af5fac7a2
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: 96126062E1C14386FF70AE1AE0942BDF6A1FB40754FD4403AD69A56AC4DB7CE484AF60

Function 00007FF7D43B1050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

malloc, xrefs: 00007FF7D43B110F
fseek, xrefs: 00007FF7D43B10D3
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF7D43B1108
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7D43B11F6
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7D43B1098
fread, xrefs: 00007FF7D43B11FD
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7D43B10CC

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: b03d503c12a995e4bd40f1baef8a2a79023c9dc40e68246a7afc35f48a6c8d9a
Instruction ID: 4cab4d0f581cc574d64d8e5aeac4927500355933ea71df8ab0db5c785d093a54
Opcode Fuzzy Hash: b03d503c12a995e4bd40f1baef8a2a79023c9dc40e68246a7afc35f48a6c8d9a
Instruction Fuzzy Hash: 32416821A1869282EE10FF1BE8816BDB7A0AF44BD4FC4443BED5C67796DE3CE5018760

Function 00007FF7D43B1470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107COMMON

Download Yara Rule

Strings

malloc, xrefs: 00007FF7D43B151F
fseek, xrefs: 00007FF7D43B14E5
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF7D43B1518
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7D43B15DF
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7D43B149F
fread, xrefs: 00007FF7D43B15E6
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7D43B14DE

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 77413628c8c21f4fd853609fe52f6dcab87eca3a04fb5f868116e23545f235ca
Instruction ID: dc89ebf44c6970b862194ff76bac970682eb25d7dcc65b0d4d58dde868ff8b6a
Opcode Fuzzy Hash: 77413628c8c21f4fd853609fe52f6dcab87eca3a04fb5f868116e23545f235ca
Instruction Fuzzy Hash: 48416021B0868296EE10EF2BD4816BDF790AF44794FC4853BED5D27B99DE3CE5018B24

Function 00007FF7D43BEA08 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF7D43BEA65

Part of subcall function 00007FF7D43BF9BC: __GetUnwindTryBlock.LIBCMT ref: 00007FF7D43BF9FF
Part of subcall function 00007FF7D43BF9BC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF7D43BFA24

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF7D43BEB3D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF7D43BED8B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7D43BEE98

Strings

csm, xrefs: 00007FF7D43BEB60
csm, xrefs: 00007FF7D43BEA7F
csm, xrefs: 00007FF7D43BEAE6

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction ID: 58153e639a2bbfa0e453cdfefc0e477a0f16f2de63a2a14abd279dae463b106a
Opcode Fuzzy Hash: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction Fuzzy Hash: 1FD160229087418AEB20EF6ED4823ADBBA0FB45798FD0413AEE4D67795DF38E440C751

Function 00007FF7D43B2C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7D43B3706,?,00007FF7D43B3804), ref: 00007FF7D43B2C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7D43B3706,?,00007FF7D43B3804), ref: 00007FF7D43B2D63
MessageBoxW.USER32 ref: 00007FF7D43B2D99

Strings

Error, xrefs: 00007FF7D43B2D8C
%ls: , xrefs: 00007FF7D43B2D22
<FormatMessageW failed.>, xrefs: 00007FF7D43B2D70
[PYI-%d:ERROR] , xrefs: 00007FF7D43B2CA6

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction ID: 0b25667f8b7dcc82f444a46e0d2ff6d50ebbdef80c05e588e9596dc09f51833e
Opcode Fuzzy Hash: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction Fuzzy Hash: D731A722B04A4142E620BF1AE8942AEB695BF84794FC1013BEF5D63799DF3CD546C710

Function 00007FF7D43BDCC8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF7D43BDF7A,?,?,?,00007FF7D43BDC6C,?,?,?,00007FF7D43BD869), ref: 00007FF7D43BDD4D
GetLastError.KERNEL32(?,?,?,00007FF7D43BDF7A,?,?,?,00007FF7D43BDC6C,?,?,?,00007FF7D43BD869), ref: 00007FF7D43BDD5B
LoadLibraryExW.KERNEL32(?,?,?,00007FF7D43BDF7A,?,?,?,00007FF7D43BDC6C,?,?,?,00007FF7D43BD869), ref: 00007FF7D43BDD85
FreeLibrary.KERNEL32(?,?,?,00007FF7D43BDF7A,?,?,?,00007FF7D43BDC6C,?,?,?,00007FF7D43BD869), ref: 00007FF7D43BDDF3
GetProcAddress.KERNEL32(?,?,?,00007FF7D43BDF7A,?,?,?,00007FF7D43BDC6C,?,?,?,00007FF7D43BD869), ref: 00007FF7D43BDDFF

Strings

api-ms-, xrefs: 00007FF7D43BDD6D

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction ID: 6543a09db0d9b57ece008b9c5f59d26d7fc390bde6e202c34eaeb0de5d408d42
Opcode Fuzzy Hash: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction Fuzzy Hash: 99319221B1AA8291EE11AF0BD4807ADB794FF48BA4FD9453EDD5D26384EF3CE4458220

Function 00007FF7D43B6360 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

LoadLibrary, xrefs: 00007FF7D43B64AE
ucrtbase.dll, xrefs: 00007FF7D43B63DD
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF7D43B6456
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF7D43B6407
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF7D43B63C7
Failed to load Python DLL '%ls'., xrefs: 00007FF7D43B64A7

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: bd35b640c02035bc0e077a05b147b005ab0e639f37cafda848bc65a29b3ec2f1
Instruction ID: 4980c3ae8c1dface8318fa395133210b6a369ad0ec51ea86e8da67645f78fae6
Opcode Fuzzy Hash: bd35b640c02035bc0e077a05b147b005ab0e639f37cafda848bc65a29b3ec2f1
Instruction Fuzzy Hash: 4941C121A18A8691EA21FF2AE4953EDB711FF44380FD4013BDA5C63296EF3CE615C760

Function 00007FF7D43B2A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF7D43B351A,?,00000000,00007FF7D43B3F23), ref: 00007FF7D43B2AA0

Strings

Warning [ANSI Fallback], xrefs: 00007FF7D43B2B0F
0, xrefs: 00007FF7D43B2B16
Warning, xrefs: 00007FF7D43B2B1E
[PYI-%d:%s] , xrefs: 00007FF7D43B2AA8
WARNING, xrefs: 00007FF7D43B2AAF

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction ID: 16e9a9f3604cb28d0727780d287f29d385c7bb03d8627b6c016ae9f5535f0de0
Opcode Fuzzy Hash: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction Fuzzy Hash: 1E219132A1978142E620AF5AF4817EAB794BB883D0FC0013AEE8C63659DF7CD1458650

Function 00007FF7D43CB150 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7D43CB15F
FlsGetValue.KERNEL32 ref: 00007FF7D43CB174
FlsSetValue.KERNEL32 ref: 00007FF7D43CB195
FlsSetValue.KERNEL32 ref: 00007FF7D43CB1C2
FlsSetValue.KERNEL32 ref: 00007FF7D43CB1D3
FlsSetValue.KERNEL32 ref: 00007FF7D43CB1E4
SetLastError.KERNEL32 ref: 00007FF7D43CB1FF

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: a42b9cf7ed1ffe71ebcf97f5a72f2c90d2921d4b6bb9ef7954fc9d2fe8c6feaf
Instruction ID: 938ad649d1d427cb4ed3dca14354c7948d38d6c8004f9ee0725adb9da25836a5
Opcode Fuzzy Hash: a42b9cf7ed1ffe71ebcf97f5a72f2c90d2921d4b6bb9ef7954fc9d2fe8c6feaf
Instruction Fuzzy Hash: A8213020A0D25282F9747F6BE9D613DD2525F44BB0FC4473ED93E666CADE2CA4508321

Function 00007FF7D43D7D6C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF7D43D7D9D
GetLastError.KERNEL32 ref: 00007FF7D43D7DA9
CloseHandle.KERNEL32 ref: 00007FF7D43D7DC1
CreateFileW.KERNEL32 ref: 00007FF7D43D7DEC
WriteConsoleW.KERNEL32 ref: 00007FF7D43D7E0B

Strings

CONOUT$, xrefs: 00007FF7D43D7DCD

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction ID: dfa90c1147b4d11e9bcbade96c347cda9839931ae4960ae6e076524e139af5ce
Opcode Fuzzy Hash: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction Fuzzy Hash: BF11B421A18A4582EB50AF1BE88532DE2A0FB88FF4FC40239ED5D97794CF3CD4048714

Function 00007FF7D43B8ED0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,FFFFFFFF,00000000,00007FF7D43B3FB1), ref: 00007FF7D43B8EFD
K32EnumProcessModules.KERNEL32(?,FFFFFFFF,00000000,00007FF7D43B3FB1), ref: 00007FF7D43B8F5A

Part of subcall function 00007FF7D43B9390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7D43B45F4,00000000,00007FF7D43B1985), ref: 00007FF7D43B93C9

K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF7D43B3FB1), ref: 00007FF7D43B8FE5
K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF7D43B3FB1), ref: 00007FF7D43B9044
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF7D43B3FB1), ref: 00007FF7D43B9055
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF7D43B3FB1), ref: 00007FF7D43B906A

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: 0184f5a771bb2c28f933eba3e4018dda16e38d059dd6d010c17659477659ba58
Instruction ID: 836282e1252fb0950bdb1568a5c63346aee614c77ecdbbd15be1f946cc3206ec
Opcode Fuzzy Hash: 0184f5a771bb2c28f933eba3e4018dda16e38d059dd6d010c17659477659ba58
Instruction Fuzzy Hash: 4C416461A19A8281EA30AF1BE5803AEB794FF85B94FC4413ADF5D67789DE3CD501C720

Function 00007FF7D43CB2C8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7D43C4F11,?,?,?,?,00007FF7D43CA48A,?,?,?,?,00007FF7D43C718F), ref: 00007FF7D43CB2D7
FlsSetValue.KERNEL32(?,?,?,00007FF7D43C4F11,?,?,?,?,00007FF7D43CA48A,?,?,?,?,00007FF7D43C718F), ref: 00007FF7D43CB30D
FlsSetValue.KERNEL32(?,?,?,00007FF7D43C4F11,?,?,?,?,00007FF7D43CA48A,?,?,?,?,00007FF7D43C718F), ref: 00007FF7D43CB33A
FlsSetValue.KERNEL32(?,?,?,00007FF7D43C4F11,?,?,?,?,00007FF7D43CA48A,?,?,?,?,00007FF7D43C718F), ref: 00007FF7D43CB34B
FlsSetValue.KERNEL32(?,?,?,00007FF7D43C4F11,?,?,?,?,00007FF7D43CA48A,?,?,?,?,00007FF7D43C718F), ref: 00007FF7D43CB35C
SetLastError.KERNEL32(?,?,?,00007FF7D43C4F11,?,?,?,?,00007FF7D43CA48A,?,?,?,?,00007FF7D43C718F), ref: 00007FF7D43CB377

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 1c08c83365d44066401784e1b70b71c7670d14ff4fb682678828c33d1612b477
Instruction ID: 5186cc4b993631787eddd799d2bbada9ee685232b39111384aa883c5c52e1cf1
Opcode Fuzzy Hash: 1c08c83365d44066401784e1b70b71c7670d14ff4fb682678828c33d1612b477
Instruction Fuzzy Hash: C4116D20A0D64282FA647F6BE6C113DD1429F44BB0FC4473EDD3E666D6DE2CA4514721

Function 00007FF7D43B2910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF7D43B1B6A), ref: 00007FF7D43B295E

Strings

Error, xrefs: 00007FF7D43B2A0E
[PYI-%d:ERROR] , xrefs: 00007FF7D43B2966
%s: %s, xrefs: 00007FF7D43B29E8
Error [ANSI Fallback], xrefs: 00007FF7D43B29FF

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction ID: 739be98eec1c221dd8dfa3be6bd35529a5592d4509e0c778665aede1f8742342
Opcode Fuzzy Hash: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction Fuzzy Hash: 5931E922B1868152EB20BF5AE8802EAB694BF847D4FC0013BEE8DA3755DF7CD546C610

Function 00007FF7D43B2390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7D43B23C8
DialogBoxIndirectParamW.USER32 ref: 00007FF7D43B248E
DeleteObject.GDI32 ref: 00007FF7D43B24C1
DestroyIcon.USER32 ref: 00007FF7D43B24D3

Strings

Unhandled exception in script, xrefs: 00007FF7D43B23F8

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
Instruction ID: 0d63ea3505fac75524a38ee8847d34243dc0ba55c8ed90a2cb685b5fb4e1ce93
Opcode Fuzzy Hash: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
Instruction Fuzzy Hash: B3314072619A8285EB20EF2AE8952FDA360FF88794FC4013AEA4D57B59DF3CD105C710

Function 00007FF7D43B2B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF7D43B918F,?,00007FF7D43B3C55), ref: 00007FF7D43B2BA0
MessageBoxW.USER32 ref: 00007FF7D43B2C2A

Strings

WARNING, xrefs: 00007FF7D43B2BAF
Warning, xrefs: 00007FF7D43B2C1D
[PYI-%d:%ls] , xrefs: 00007FF7D43B2BA8

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction ID: 9c95acec2f5961c2e3597d941145b65a306a766c3b15d7ba3cba613fccb3df99
Opcode Fuzzy Hash: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction Fuzzy Hash: 3C21A362708B4142E720AF1AF8857AEB7A4FB88780FC0413AEE8D67659DF3CD605C750

Function 00007FF7D43B2710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF7D43B1B99), ref: 00007FF7D43B2760

Strings

ERROR, xrefs: 00007FF7D43B276F
Error, xrefs: 00007FF7D43B27DE
[PYI-%d:%s] , xrefs: 00007FF7D43B2768
Error [ANSI Fallback], xrefs: 00007FF7D43B27CF

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction ID: 34bb2d156389540f4a4614392f584f5cd3a9525c6955699f17afc63c3cc0fff5
Opcode Fuzzy Hash: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction Fuzzy Hash: 99219132A1878142E620AF5AF4817EAB794EB883D0FC0013AEE8D63659DF7CD1458750

Function 00007FF7D43C9A88 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF7D43C9AAD
GetProcAddress.KERNEL32 ref: 00007FF7D43C9AC3
FreeLibrary.KERNEL32 ref: 00007FF7D43C9AEA

Strings

mscoree.dll, xrefs: 00007FF7D43C9AA4
CorExitProcess, xrefs: 00007FF7D43C9ABC

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction ID: 04623c583e93e0786a51a8f9065fa4404f05035f11c68e2386bf42518bd91592
Opcode Fuzzy Hash: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction Fuzzy Hash: 9AF04F25A0970681FE20AF2AE4C477EA320AF49771FD8023ED66E561E8DF6CD045C720

Function 00007FF7D43D9368 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF7D43D9390
_set_statfp.LIBCMT ref: 00007FF7D43D93AB
_set_statfp.LIBCMT ref: 00007FF7D43D93C7
_set_statfp.LIBCMT ref: 00007FF7D43D9403

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 46b18775137350132b82039181737384660d6bbe870a1e2cc2687ba76810b44a
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: 55116022E58A0201FF643D6FE4D137D9250AF59374EDD063EFA6E362E6CF6C68414120

Function 00007FF7D43CB390 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF7D43CA5A3,?,?,00000000,00007FF7D43CA83E,?,?,?,?,?,00007FF7D43CA7CA), ref: 00007FF7D43CB3AF
FlsSetValue.KERNEL32(?,?,?,00007FF7D43CA5A3,?,?,00000000,00007FF7D43CA83E,?,?,?,?,?,00007FF7D43CA7CA), ref: 00007FF7D43CB3CE
FlsSetValue.KERNEL32(?,?,?,00007FF7D43CA5A3,?,?,00000000,00007FF7D43CA83E,?,?,?,?,?,00007FF7D43CA7CA), ref: 00007FF7D43CB3F6
FlsSetValue.KERNEL32(?,?,?,00007FF7D43CA5A3,?,?,00000000,00007FF7D43CA83E,?,?,?,?,?,00007FF7D43CA7CA), ref: 00007FF7D43CB407
FlsSetValue.KERNEL32(?,?,?,00007FF7D43CA5A3,?,?,00000000,00007FF7D43CA83E,?,?,?,?,?,00007FF7D43CA7CA), ref: 00007FF7D43CB418

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 44f6b3e63c936746b9124b5af5da9c753e88c88086b63197a25bc1506e4861c0
Instruction ID: 9167a277d3228ac9d74b883c34bd7a3bdc506a9d08d93f528ffc6948e0a83023
Opcode Fuzzy Hash: 44f6b3e63c936746b9124b5af5da9c753e88c88086b63197a25bc1506e4861c0
Instruction Fuzzy Hash: E7112C20A0D64281FA78BB6FE5D227DA1415F447A0FD8433EEE3D666D6DE2CA4518321

Function 00007FF7D43CB224 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF7D43CB235
FlsSetValue.KERNEL32 ref: 00007FF7D43CB254
FlsSetValue.KERNEL32 ref: 00007FF7D43CB27C
FlsSetValue.KERNEL32 ref: 00007FF7D43CB28D
FlsSetValue.KERNEL32 ref: 00007FF7D43CB29E

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 92671db20a050c4f2636db97a8291f7b9cbb2c044339a59ef12305351f814945
Instruction ID: 7418326ae772c543ef4a159c81b3aa93f508fe48c610ed6ebaf3390d524355de
Opcode Fuzzy Hash: 92671db20a050c4f2636db97a8291f7b9cbb2c044339a59ef12305351f814945
Instruction Fuzzy Hash: 1811D620A0920782F9787AAFE8D227E91424F45771FD4473ED93E6A6D2DD2DB4518331

Function 00007FF7D43C5FA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43C5FDC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43C6106
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43C61BC

Strings

verbose, xrefs: 00007FF7D43C5FB0

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: fc87cd4b823c45a63f5f5199e4f8d842b5a46de5ab146a674cb6c3f33a651ceb
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: 7891D432A0C64681F771AE2AD49077DB7A1AB40B54FC8413BDA5E633D6DF3DE4258321

Function 00007FF7D43CFBC8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43CFEA7

Part of subcall function 00007FF7D43C7A3C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43C7A59

Strings

UTF-8, xrefs: 00007FF7D43CFE26
UTF-16LEUNICODE, xrefs: 00007FF7D43CFE45
ccs, xrefs: 00007FF7D43CFDE2

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction ID: 0917a07a5f7e458cb2c340ba8cd06f90999b37e0dafc37095559395d4954fcf0
Opcode Fuzzy Hash: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction Fuzzy Hash: C9817D72E08242C5E775BE2FC1D427DA6A1AB11B48FD5803BCA09B72D9DF2DE9019261

Function 00007FF7D43BD648 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7D43BD673
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF7D43BD70A
RtlUnwindEx.KERNEL32 ref: 00007FF7D43BD764

Strings

csm, xrefs: 00007FF7D43BD6F1

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction ID: b1e9a5bfc300050b92f78c8e4f4fd9a5717fd254230ed025f32790e3f23c75cb
Opcode Fuzzy Hash: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction Fuzzy Hash: 7A519136B196828ADB14AF1AD48477CBB91EB44B98FD0413ADE8D57744DF7CE841C710

Function 00007FF7D43BEED8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF7D43BEF37
_CallSETranslator.LIBVCRUNTIME ref: 00007FF7D43BEF83

Strings

RCC, xrefs: 00007FF7D43BEF53
MOC, xrefs: 00007FF7D43BEF4B

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction ID: 8b74498e626fefff62d3bf296652a6d695c609e49154739e2a073e481c573640
Opcode Fuzzy Hash: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction Fuzzy Hash: 3161A332908BC585DB60AF1AE4813AEFBA0FB84784F84562AEB9D53755CF7CD190CB10

Function 00007FF7D43BF288 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7D43BF2B0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF7D43BF398

Strings

csm, xrefs: 00007FF7D43BF2D2
csm, xrefs: 00007FF7D43BF3EA

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction ID: fc2163bccd4ac79b19c4e42e4d33d58114b35d8f9ab10b0bcd3420563f5a62eb
Opcode Fuzzy Hash: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction Fuzzy Hash: E35163326087428AEB64AE2BD08436CBB90EB55B94FD4613BDA4D97B95CF3CE450C711

Function 00007FF7D43B2810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF7D43B28EA

Strings

Error, xrefs: 00007FF7D43B28DD
ERROR, xrefs: 00007FF7D43B286F
[PYI-%d:%ls] , xrefs: 00007FF7D43B2868

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction ID: 16659cdd8082adea1fabb96b171c832034aa4aabd87662b6bfc3d6ff91bb4c48
Opcode Fuzzy Hash: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction Fuzzy Hash: 9C219162B08B4181E720AF5AF4857AEB7A4EB88780FC4413AEA8D63659DF3CD645C750

Function 00007FF7D43CC5A0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF7D43CC61F
WriteFile.KERNEL32 ref: 00007FF7D43CC8E7
WriteFile.KERNEL32 ref: 00007FF7D43CC92D
GetLastError.KERNEL32 ref: 00007FF7D43CC9E3

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction ID: 2f57006a0b500a10ff1b2df4e1c928653548a4b49e7b0898cad29fc126e82174
Opcode Fuzzy Hash: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction Fuzzy Hash: EED11772B18A4189E720DF6ED4802ACB7B1FB55798BC4423ADE5DA7B89DE38D406C710

Function 00007FF7D43B20C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF7D43B20F4
SetWindowLongPtrW.USER32 ref: 00007FF7D43B2116
GetWindowLongPtrW.USER32 ref: 00007FF7D43B2140
InvalidateRect.USER32 ref: 00007FF7D43B2160

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: 6abb7fc618befcdf9a664ccc31ce0b09b558420d7d086caa4fec0bd2177a329c
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: 0A11EC21E0C54242FA54AFAFE5C83BDA651EB84790FD8413ADB5917B89CD2DD5818210

Function 00007FF7D43D5B1C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D43D1760: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43D1793

_get_daylight.LIBCMT ref: 00007FF7D43D5C34
_get_daylight.LIBCMT ref: 00007FF7D43D5C45

Strings

?, xrefs: 00007FF7D43D5BC5

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
Instruction ID: 604cbb5fa5ade9c9b177765d7e931df8b061560fbb12648b8624e7c1101254fe
Opcode Fuzzy Hash: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
Instruction Fuzzy Hash: D741E712A0838246FF65AF2BD48137DA691EF80BA4FD8423AEE5D17AD5DF7CD4418B10

Function 00007FF7D43C9014 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43C9046

Part of subcall function 00007FF7D43CA948: RtlFreeHeap.NTDLL(?,?,?,00007FF7D43D2D22,?,?,?,00007FF7D43D2D5F,?,?,00000000,00007FF7D43D3225,?,?,?,00007FF7D43D3157), ref: 00007FF7D43CA95E
Part of subcall function 00007FF7D43CA948: GetLastError.KERNEL32(?,?,?,00007FF7D43D2D22,?,?,?,00007FF7D43D2D5F,?,?,00000000,00007FF7D43D3225,?,?,?,00007FF7D43D3157), ref: 00007FF7D43CA968

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7D43BCBA5), ref: 00007FF7D43C9064

Strings

C:\Users\user\Desktop\check.exe, xrefs: 00007FF7D43C9052

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\check.exe
API String ID: 3580290477-2323564134
Opcode ID: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
Instruction ID: b732c424f95d65c42a4ec96b1b2b93b1d9a583a1001b335fedd435a1b8a628f1
Opcode Fuzzy Hash: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
Instruction Fuzzy Hash: A4415432A08B5286EB25FF2AD4C11BDA794EF447D4BD6403BE94D63B85DE3DE4458320

Function 00007FF7D43CCC38 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF7D43CCD4F
GetLastError.KERNEL32 ref: 00007FF7D43CCD71

Strings

U, xrefs: 00007FF7D43CCCFB

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction ID: ed337c10a9260628043373c1d6ed3d4366b0e759e818e6500773321110bdafa7
Opcode Fuzzy Hash: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction Fuzzy Hash: B0419332618A4181DB60AF2AE4843ADA7A1FB88794FD4413AEE4D97798DF3CD401CB50

Function 00007FF7D43CF5B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF7D43CF5F8
GetCurrentDirectoryW.KERNEL32 ref: 00007FF7D43CF64A

Strings

:, xrefs: 00007FF7D43CF60E

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 9aa1b1c0966d0181e71a7442aa19fd9d8a3a06258be719e39fc35e3b215e25b0
Instruction ID: 7effb4273dc702b65dd1892bbd8c6db247535ed10d4ff8193a389e4ea01fe9f3
Opcode Fuzzy Hash: 9aa1b1c0966d0181e71a7442aa19fd9d8a3a06258be719e39fc35e3b215e25b0
Instruction Fuzzy Hash: 03219362A0868181FB30AF1AD08426DA3A1FB88B44FC6413FDA4D636D4DF7CE955CB61

Function 00007FF7D43BFD48 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF7D43BFD98
RaiseException.KERNEL32 ref: 00007FF7D43BFDD9

Strings

csm, xrefs: 00007FF7D43BFDC6

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction ID: a3f1b4c5dd39a7fdf06227549610b84dbf5da7f08b0b063bf6a74a600c20b8d5
Opcode Fuzzy Hash: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction Fuzzy Hash: C2112E32618B8182EB619F1AE44025DBBE4FB88B94F984239DB8D57B69DF3CD551C700

Function 00007FF7D43D073C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43D076C
GetDriveTypeW.KERNEL32 ref: 00007FF7D43D07AC

Strings

:, xrefs: 00007FF7D43D0795

Memory Dump Source

Source File: 00000000.00000002.2551020427.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000000.00000002.2550943551.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551045639.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551086157.00007FF7D43F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2551181651.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7d43b0000_check.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction ID: f0474487ab402a35ed49db9dd14db01e97ff72d3893b8bd66043a27432a91a68
Opcode Fuzzy Hash: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction Fuzzy Hash: DF01846291820386FB30BF6AD4A127EA7A0EF88748FD4003FD54D66685DF2CE5048B24

Analysis Process: check.exePID: 2428, Parent PID: 180COMMON

Execution Graph

Execution Coverage:	24.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	397
Total number of Limit Nodes:	9

Executed Functions

Function 00007FF7D43B1000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 511
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to start splash screen!, xrefs: 00007FF7D43B3ED4
Could not create temporary directory!, xrefs: 00007FF7D43B3CBF
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF7D43B3B32
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF7D43B3D35
Failed to remove temporary directory: %s, xrefs: 00007FF7D43B3FCF
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF7D43B3882, 00007FF7D43B38AF
pkg, xrefs: 00007FF7D43B39BE
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF7D43B3C61
VCRUNTIME140.dll, xrefs: 00007FF7D43B3DB1
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF7D43B3E0A
pyi-disable-windowed-traceback, xrefs: 00007FF7D43B3BB2
_PYI_ARCHIVE_FILE, xrefs: 00007FF7D43B38D2, 00007FF7D43B39FF
Failed to convert DLL search path!, xrefs: 00007FF7D43B3DDC
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF7D43B3D12
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF7D43B3971
_PYI_SPLASH_IPC, xrefs: 00007FF7D43B3A23, 00007FF7D43B3EF5
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF7D43B3EA6
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF7D43B3EBB
MEI, xrefs: 00007FF7D43B3933
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF7D43B3A0B, 00007FF7D43B3CD4, 00007FF7D43B3F6B
pyi-python-flag, xrefs: 00007FF7D43B3AD6
pyi-contents-directory, xrefs: 00007FF7D43B3B8D
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF7D43B3BE8
pyi-runtime-tmpdir, xrefs: 00007FF7D43B3B68
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF7D43B39DE
Failed to load splash screen resources!, xrefs: 00007FF7D43B3E85
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF7D43B3A17, 00007FF7D43B3A2F, 00007FF7D43B3A9B
Py_GIL_DISABLED, xrefs: 00007FF7D43B3AF4

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag$pyi-runtime-tmpdir
API String ID: 2776309574-4232158417
Opcode ID: d52c1960cc45de78c26c9f57622ace5a14626686e839aa839f1fc42fe00fc1f1
Instruction ID: 72604c8a9e511e5cb9410b9843d910246a1d3d0b788b77069c43dc6b5e438fa2
Opcode Fuzzy Hash: d52c1960cc45de78c26c9f57622ace5a14626686e839aa839f1fc42fe00fc1f1
Instruction Fuzzy Hash: 93324D21A0869251FA29FF2ED4D53BDBA61AF54780FC4403BDA5D632D6EF2CE558C320

Function 00007FF7D43D6964 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7D43D6698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43D66D9
Part of subcall function 00007FF7D43D6698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43D6757
Part of subcall function 00007FF7D43D6698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43D67A8

CreateFileW.KERNEL32 ref: 00007FF7D43D6A6A
CreateFileW.KERNEL32 ref: 00007FF7D43D6ABA
GetLastError.KERNEL32 ref: 00007FF7D43D6AEA
GetFileType.KERNEL32 ref: 00007FF7D43D6AFF
GetLastError.KERNEL32 ref: 00007FF7D43D6B09
CloseHandle.KERNEL32 ref: 00007FF7D43D6B3C
CloseHandle.KERNEL32 ref: 00007FF7D43D6C9F
CreateFileW.KERNEL32 ref: 00007FF7D43D6CD4
GetLastError.KERNEL32 ref: 00007FF7D43D6CE3

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction ID: a2b61ef57d07491306da69aca65d17919b21c11bc0ac9c0a220df93c96c0ae77
Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction Fuzzy Hash: A8C1C436B24A4185EF10DF6AC4906AC7761FB49BA8B89423ADE2E677D4CF38D465C310

Function 00007FF7D43B9280 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF7D43B92B3
FindClose.KERNEL32 ref: 00007FF7D43B92C2

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction ID: 2ea62085fb6fed321ee299051854f853263a509f7a04d2f2306ecf974ddb865e
Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction Fuzzy Hash: 6AF0A422A1864586F7609F69F4C976EB750AB88364FC4433AD96D16AD4DF3CD048CA14

Function 00007FF7D43B1950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7D43B7F90: _fread_nolock.LIBCMT ref: 00007FF7D43B803A

_fread_nolock.LIBCMT ref: 00007FF7D43B1A1B

Part of subcall function 00007FF7D43B2910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF7D43B1B6A), ref: 00007FF7D43B295E

Strings

Failed to read cookie!, xrefs: 00007FF7D43B1A2B
Could not read full TOC!, xrefs: 00007FF7D43B1B55
fseek, xrefs: 00007FF7D43B19F5
Failed to seek to cookie position!, xrefs: 00007FF7D43B19EE
calloc, xrefs: 00007FF7D43B1A68
Could not allocate buffer for TOC!, xrefs: 00007FF7D43B1B1B
fread, xrefs: 00007FF7D43B1A32, 00007FF7D43B1B5C
Error on file., xrefs: 00007FF7D43B1B8D
Could not allocate memory for archive structure!, xrefs: 00007FF7D43B1A61
malloc, xrefs: 00007FF7D43B1B22
MEI, xrefs: 00007FF7D43B1991

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: ee3080450604db9b79bcaf6ea9780d01564dfb64de786eed8711188a6f6cabc7
Instruction ID: 824d2473eb8f6171a6f50f58506528120b94b9b6566953afb56c3dcadc9151d2
Opcode Fuzzy Hash: ee3080450604db9b79bcaf6ea9780d01564dfb64de786eed8711188a6f6cabc7
Instruction Fuzzy Hash: FA818E71A0868686EF20EF2AE0C53BDB7A0AF84784FC4453BD98D67685DE3CE5458760

Function 00007FF7D43B1470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fseek, xrefs: 00007FF7D43B14E5
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7D43B14DE
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF7D43B1518
fread, xrefs: 00007FF7D43B15E6
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7D43B15DF
malloc, xrefs: 00007FF7D43B151F
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7D43B149F

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 3b379cfcfb123380b7207fe9b70de138e86c6d94a3f87720caf8569e0a5fbbd0
Instruction ID: dc89ebf44c6970b862194ff76bac970682eb25d7dcc65b0d4d58dde868ff8b6a
Opcode Fuzzy Hash: 3b379cfcfb123380b7207fe9b70de138e86c6d94a3f87720caf8569e0a5fbbd0
Instruction Fuzzy Hash: 48416021B0868296EE10EF2BD4816BDF790AF44794FC4853BED5D27B99DE3CE5018B24

Function 00007FF7D43B1210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF7D43B12BA
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF7D43B141E
1.3.1, xrefs: 00007FF7D43B1249
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF7D43B12EF
malloc, xrefs: 00007FF7D43B12C1, 00007FF7D43B12F6
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF7D43B1276

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: 9b2da8e32cee601306ebcebf5d16e93c03482fa50eddd1a53150bf2cf71a648a
Instruction ID: 512ef90e2a641a1b6f1e16ff55588882a023082317670638f7f77c411bf65467
Opcode Fuzzy Hash: 9b2da8e32cee601306ebcebf5d16e93c03482fa50eddd1a53150bf2cf71a648a
Instruction Fuzzy Hash: 8651A422A0864285EA60BF1BE4803BEB6A0AF85794FD4413AED4D677D5EF3CE5018710

Function 00007FF7D43B36B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF7D43B3804), ref: 00007FF7D43B36E1
GetLastError.KERNEL32(?,00007FF7D43B3804), ref: 00007FF7D43B36EB

Part of subcall function 00007FF7D43B2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7D43B3706,?,00007FF7D43B3804), ref: 00007FF7D43B2C9E
Part of subcall function 00007FF7D43B2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7D43B3706,?,00007FF7D43B3804), ref: 00007FF7D43B2D63
Part of subcall function 00007FF7D43B2C50: MessageBoxW.USER32 ref: 00007FF7D43B2D99

Strings

Failed to resolve full path to executable %ls., xrefs: 00007FF7D43B3739
Failed to convert executable path to UTF-8., xrefs: 00007FF7D43B3790
GetModuleFileNameW, xrefs: 00007FF7D43B36FA
\\?\, xrefs: 00007FF7D43B375A
Failed to obtain executable path., xrefs: 00007FF7D43B36F3

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction ID: 54fdb2aee952bfb876dd1f97624ae0d90af744088bee90f44ca2fdcae74792ae
Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction Fuzzy Hash: 68217461B1864241FA24BF2EE8953BEB650BF88354FC4423FD95DA65D5EF2CE504C720

Function 00007FF7D43CBA5C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43CBE89

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c3f57b6cd1f658b3a1cfdd45bc75f21d2f6c8be166295f0eb40444005b392bd6
Instruction ID: 46f618c365f3b61c13a918a82f21e23b62b14c6f084f718338dfb476e8e12c63
Opcode Fuzzy Hash: c3f57b6cd1f658b3a1cfdd45bc75f21d2f6c8be166295f0eb40444005b392bd6
Instruction Fuzzy Hash: FCC1052290C68682E770AF1EE4842BDB751EB81B90FD5413AEA4D273D1CF7DE8658720

Function 00007FF7D43B6360 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ucrtbase.dll, xrefs: 00007FF7D43B63DD
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF7D43B6456
Failed to load Python DLL '%ls'., xrefs: 00007FF7D43B64A7
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF7D43B63C7
LoadLibrary, xrefs: 00007FF7D43B64AE
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF7D43B6407

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 111e0a7e53993944da2df5d9c96cd3a7cea32e86f931b773c4ccd6a62d35c348
Instruction ID: 4980c3ae8c1dface8318fa395133210b6a369ad0ec51ea86e8da67645f78fae6
Opcode Fuzzy Hash: 111e0a7e53993944da2df5d9c96cd3a7cea32e86f931b773c4ccd6a62d35c348
Instruction Fuzzy Hash: 4941C121A18A8691EA21FF2AE4953EDB711FF44380FD4013BDA5C63296EF3CE615C760

Function 00007FF7D43C5628 Relevance: 6.1, APIs: 4, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43C5655
CreateFileW.KERNEL32 ref: 00007FF7D43C5694
CloseHandle.KERNEL32 ref: 00007FF7D43C56C9

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
Instruction ID: cb4340ffe6a61bd02863a6f98e75e545ef4d1cf6a32b3533f7f837bdd9b72c2b
Opcode Fuzzy Hash: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
Instruction Fuzzy Hash: 02419422D1879183F760AF26D59036DB260FBA47A4FD0933AE65C23AD5DF7CA5E08710

Function 00007FF7D43BCC3C Relevance: 4.6, APIs: 3, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7D43BCE0C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF7D43BCE20

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7D43BCC60
__scrt_release_startup_lock.LIBCMT ref: 00007FF7D43BCCCE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF7D43BCD21

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction ID: ca7aba65b0d833ff85e6038476c38b746f72a8c5657f5fcb8d65b346c8953189
Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction Fuzzy Hash: AB312725E0854681FE64BF6FD4A13BDAA919F41384FC4403FDA0E6B2D7DE2DA805CA70

Function 00007FF7D43C013C Relevance: 3.2, APIs: 2, Instructions: 177
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43C0180
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43C0277

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction ID: a68b6c7c9558c27f314af6e5e2e84bb04beaf29493bdcea112f05246d962c533
Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction Fuzzy Hash: 0651B725A092C186EA34BEAFD48067EE5B1AF44BA4FD8473ADD7D277C5CE3CD4018620

Function 00007FF7D43CC134 Relevance: 3.0, APIs: 2, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,?,00007FF7D43CC2CD), ref: 00007FF7D43CC180
GetLastError.KERNEL32(?,?,?,?,?,00007FF7D43CC2CD), ref: 00007FF7D43CC18A

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction ID: d63f7d062aac529168779fd1bbb4d0ce98b311ed47d1d12d8395a7d2e0dd5a70
Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction Fuzzy Hash: 81119061A08A8181DA20AF2BE89416DA261AB85BF4FD4433AEE7D177D9CF38D4118700

Function 00007FF7D43CAB58 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00007FF7D43CA9D5,?,?,00000000,00007FF7D43CAA8A), ref: 00007FF7D43CABC6
GetLastError.KERNEL32(?,?,?,00007FF7D43CA9D5,?,?,00000000,00007FF7D43CAA8A), ref: 00007FF7D43CABD0

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction ID: 2974cffc636d9c0a5b30270d41910ad8720be1d0298acce6a24c4eb682af1a77
Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction Fuzzy Hash: 3021A411B0868242FEB4BF6BD4D437D92929F847A0FC8423FDA6E677D5DE6DA4414320

Function 00007FF7D43CBEAC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43CBED4

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction ID: 1bd4e377664ba382f39f2238ad2dd08f07c6639419b99fc771439467a45d3df4
Opcode Fuzzy Hash: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction Fuzzy Hash: B641B63291824587EA34AF2EF58027DB3A0EB55B91FD0013AD68E977D1CF2CE412CB61

Function 00007FF7D43B7F90 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF7D43B803A

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 09e0edd5bfc77bffd2ce204413b85077ed061b6568614956a0855b02b1706b89
Instruction ID: 070fb9b29dd4c9aeb36f998130997601873fd2dd2ac891ff60cd9d595a3629b6
Opcode Fuzzy Hash: 09e0edd5bfc77bffd2ce204413b85077ed061b6568614956a0855b02b1706b89
Instruction Fuzzy Hash: CC21B911B18A9257FA14BE1BE5443BEEA51BF45BC4FC84436EE4C27786CE7DE045C220

Function 00007FF7D43CB93C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43CB9C2

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
Instruction ID: a0e2f4fa19cf3fc71402316e751c3928f6e32245b25b369d47c92bfb2bc7bd51
Opcode Fuzzy Hash: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
Instruction Fuzzy Hash: 9D315E22A1861286E7217F5BD88137CAA90AF90BA5FD2013FE95D373D2CE7CA4518731

Function 00007FF7D43C5F94 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43C5EF9

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 22fb7ce461a002467d1de3ea9f6010fccbafd4eb18a8ad8cafcd1aeef6ae697b
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: B1115421A1C751C2EB70BF5AD4802BDE664AF95B84FC4443BEA4C77A96CF7DE4008720

Function 00007FF7D43D6354 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43D6377

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction ID: c260e068dfd4336831760958f96e365d554504c99bc46d85a34a761bd948f96f
Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction Fuzzy Hash: 3A21B332608A4187DB60AF1ED48037DB6A0BB84B54FEC4239E66D576D9DF3CD4218B10

Function 00007FF7D43C03BC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43C0410

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: 38393aa62a37908c52c274a31113e7b95a9191b3a2ebd4ad43fc42d74e7f1260
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: FF018221A0879541EA24BF9BD94016EE6B1AF95FE0FD8463ADE5C23BD6CE3CD4018710

Function 00007FF7D43B8E80 Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7D43B9390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7D43B45F4,00000000,00007FF7D43B1985), ref: 00007FF7D43B93C9

LoadLibraryExW.KERNEL32(?,00007FF7D43B6476,?,00007FF7D43B336E), ref: 00007FF7D43B8EA2

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 3eee33850ff877a76f59ec51b6af72cd7d073a691558276a485592abc3036afa
Instruction ID: a459e64fdf943f6892c85f0476e2cc4c7540d35de5de8e45d9300290fc28e0b9
Opcode Fuzzy Hash: 3eee33850ff877a76f59ec51b6af72cd7d073a691558276a485592abc3036afa
Instruction Fuzzy Hash: 40D08C01B2464542EA54BB6BFA8662D9251AF89BC0FC8C03AEE0D13B5AED3CD0414B00

Function 00007FF7D43CD5FC Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF7D43C0C90,?,?,?,00007FF7D43C22FA,?,?,?,?,?,00007FF7D43C3AE9), ref: 00007FF7D43CD63A

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction ID: 3744a3660ed03ebe4dab6f64b2eb9a77a75bb8c579c67eae31f4696e142a362d
Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction Fuzzy Hash: 69F0FE50B0928645FE747F7BD8C167DD2905F847A0FC8073AED2E652C1DE2CA490D530

Non-executed Functions

Function 00007FF7D43CA614 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7D43CA68D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7D43CA6A5
RtlVirtualUnwind.KERNEL32 ref: 00007FF7D43CA6E0
IsDebuggerPresent.KERNEL32 ref: 00007FF7D43CA719
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7D43CA723
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7D43CA72E

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction ID: 0388e69b761e88577bb386e707efe884bc6ad6fe54bddd7aaf6b552db4ca4395
Opcode Fuzzy Hash: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction Fuzzy Hash: 40318636608B8186DB60EF2AE8843AEB3A4FB84754FD4013AEA9D53B55DF3CC555CB10

Function 00007FF7D43B1600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145COMMON

Download Yara Rule

Strings

fseek, xrefs: 00007FF7D43B16E1
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7D43B16DA
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF7D43B1742
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF7D43B17CA
fopen, xrefs: 00007FF7D43B1663
fread, xrefs: 00007FF7D43B17E6
fwrite, xrefs: 00007FF7D43B17D1
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7D43B17DF
Failed to extract %s: failed to open target file!, xrefs: 00007FF7D43B165C
malloc, xrefs: 00007FF7D43B1749
Failed to create symbolic link %s!, xrefs: 00007FF7D43B1622
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7D43B16A2

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: b9285a2b8eead47260df905aa84027fab8c243695f15498384381cad23baaecb
Instruction ID: 44ab690e0a8d3ef547bebc3befc8e2bfaa0f28e3717a0c25ac393cc95f2bc013
Opcode Fuzzy Hash: b9285a2b8eead47260df905aa84027fab8c243695f15498384381cad23baaecb
Instruction Fuzzy Hash: E551AC21B0868292EE10BF5BE4812ADB7A0BF447A4FC4413BEE5C67796DF3CE5558320

Function 00007FF7D43B8660 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF7D43B3CBB), ref: 00007FF7D43B8704
GetCurrentProcessId.KERNEL32(?,00000000,00007FF7D43B3CBB), ref: 00007FF7D43B870A
CreateDirectoryW.KERNEL32(?,00000000,00007FF7D43B3CBB), ref: 00007FF7D43B874C

Part of subcall function 00007FF7D43B8830: GetEnvironmentVariableW.KERNEL32(00007FF7D43B388E), ref: 00007FF7D43B8867
Part of subcall function 00007FF7D43B8830: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7D43B8889

Part of subcall function 00007FF7D43C8238: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7D43C8251

Part of subcall function 00007FF7D43B2810: MessageBoxW.USER32 ref: 00007FF7D43B28EA

Strings

LOADER: failed to set the TMP environment variable., xrefs: 00007FF7D43B86DC
_MEI%d, xrefs: 00007FF7D43B8712
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF7D43B877E
TMP, xrefs: 00007FF7D43B86C2
TMP, xrefs: 00007FF7D43B869C, 00007FF7D43B87A3

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: e09d7b167afd2147c660aa35db8091a51c6906773476d98e2344c67e24741bda
Instruction ID: 97aca771e80ed60011dac2db8a3ed92ecbb7f76a6c283bee24f91f5bcec03904
Opcode Fuzzy Hash: e09d7b167afd2147c660aa35db8091a51c6906773476d98e2344c67e24741bda
Instruction Fuzzy Hash: E6419E11A19A8245FA24BF2FD8D53BDA690AF847C4FC4413BED4D7779AEE3CE5018220

Function 00007FF7D43B8570 Relevance: 10.6, APIs: 7, Instructions: 63COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7D43B8590
OpenProcessToken.ADVAPI32 ref: 00007FF7D43B85A3
GetTokenInformation.ADVAPI32 ref: 00007FF7D43B85C8
GetLastError.KERNEL32 ref: 00007FF7D43B85D2
GetTokenInformation.ADVAPI32 ref: 00007FF7D43B8612
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7D43B862E
CloseHandle.KERNEL32 ref: 00007FF7D43B8646

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: fa90e23b90d603ff8a1fc3170628a297920662056bab6e12f28c88f429b12389
Instruction ID: a1977d4aa51ccf2ba80608171d989dd2b3a52bd4cdcd4f9d9124cf450013e41a
Opcode Fuzzy Hash: fa90e23b90d603ff8a1fc3170628a297920662056bab6e12f28c88f429b12389
Instruction Fuzzy Hash: 2D214121A0C64242EA14AF5EF58432EF7A0EF857B0FD4063AEAAD53AD8DF6CD5458710

Function 00007FF7D43D7D6C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF7D43D7D9D
GetLastError.KERNEL32 ref: 00007FF7D43D7DA9
CloseHandle.KERNEL32 ref: 00007FF7D43D7DC1
CreateFileW.KERNEL32 ref: 00007FF7D43D7DEC
WriteConsoleW.KERNEL32 ref: 00007FF7D43D7E0B

Strings

CONOUT$, xrefs: 00007FF7D43D7DCD

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction ID: dfa90c1147b4d11e9bcbade96c347cda9839931ae4960ae6e076524e139af5ce
Opcode Fuzzy Hash: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction Fuzzy Hash: BF11B421A18A4582EB50AF1BE88532DE2A0FB88FF4FC40239ED5D97794CF3CD4048714

Function 00007FF7D43CC5A0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF7D43CC61F
WriteFile.KERNEL32 ref: 00007FF7D43CC8E7
WriteFile.KERNEL32 ref: 00007FF7D43CC92D
GetLastError.KERNEL32 ref: 00007FF7D43CC9E3

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction ID: 2f57006a0b500a10ff1b2df4e1c928653548a4b49e7b0898cad29fc126e82174
Opcode Fuzzy Hash: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction Fuzzy Hash: EED11772B18A4189E720DF6ED4802ACB7B1FB55798BC4423ADE5DA7B89DE38D406C710

Function 00007FF7D43CF5B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF7D43CF5F8
GetCurrentDirectoryW.KERNEL32 ref: 00007FF7D43CF64A

Strings

:, xrefs: 00007FF7D43CF60E

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: e8d367c4ea258391d160676196091cc4497c978f166048fd005a5cb1bdaac227
Instruction ID: 7effb4273dc702b65dd1892bbd8c6db247535ed10d4ff8193a389e4ea01fe9f3
Opcode Fuzzy Hash: e8d367c4ea258391d160676196091cc4497c978f166048fd005a5cb1bdaac227
Instruction Fuzzy Hash: 03219362A0868181FB30AF1AD08426DA3A1FB88B44FC6413FDA4D636D4DF7CE955CB61

Function 00007FF7D43BFD48 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF7D43BFD98
RaiseException.KERNEL32 ref: 00007FF7D43BFDD9

Strings

csm, xrefs: 00007FF7D43BFDC6

Memory Dump Source

Source File: 00000002.00000002.2528116293.00007FF7D43B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7D43B0000, based on PE: true

Associated: 00000002.00000002.2528072122.00007FF7D43B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528173783.00007FF7D43DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528240204.00007FF7D43F1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2528334071.00007FF7D43F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7d43b0000_check.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction ID: a3f1b4c5dd39a7fdf06227549610b84dbf5da7f08b0b063bf6a74a600c20b8d5
Opcode Fuzzy Hash: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction Fuzzy Hash: C2112E32618B8182EB619F1AE44025DBBE4FB88B94F984239DB8D57B69DF3CD551C700

Source: check.exe, 00000002.00000002.2525066678.0000017125EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.../back.jpeg
Source: check.exe, 00000000.00000003.2053458916.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi
Source: check.exe, 00000000.00000003.2022727094.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredID
Source: check.exe, 00000000.00000003.2011027726.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2039966314.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2013713122.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2016374605.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2040435735.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037653938.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2023194086.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2022727094.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2014461201.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037890161.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2038525101.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2022727094.000001BA76C9F000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2038259241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2010259595.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2039620305.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037736775.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2014958772.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037551274.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2016573026.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037814241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2040329780.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: check.exe, 00000000.00000003.2052522544.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053232593.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2063177659.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2065052796.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2055354003.000001BA76C9B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053587506.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052773045.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053154074.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2057847160.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052921054.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2057364949.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052636513.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2064914982.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2055354003.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053035794.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2058308533.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053458916.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: check.exe, 00000000.00000003.2011027726.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2039966314.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2013713122.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2016374605.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2040435735.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037653938.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2023194086.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2022727094.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2014461201.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037890161.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2038525101.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2022727094.000001BA76C9F000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2038259241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2010259595.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2039620305.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037736775.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2014958772.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037551274.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2016573026.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037814241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2040329780.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: check.exe, 00000000.00000003.2011027726.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2039966314.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2013713122.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2016374605.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2040435735.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037653938.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2023194086.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2022727094.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2014461201.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037890161.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2038525101.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2038259241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2010259595.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2039620305.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037736775.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2014958772.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037551274.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2016573026.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037814241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2040329780.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2013080726.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: check.exe, 00000000.00000003.2052522544.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053232593.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2063177659.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2065052796.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2055354003.000001BA76C9B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053587506.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052773045.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053154074.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2057847160.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052921054.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2057364949.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052636513.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2064914982.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053035794.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2058308533.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053458916.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: check.exe, 00000000.00000003.2052522544.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053232593.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2063177659.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2065052796.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053587506.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052773045.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053154074.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2057847160.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052921054.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2057364949.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052636513.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2064914982.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2055354003.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053035794.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2058308533.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053458916.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: check.exe, 00000000.00000003.2052522544.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053232593.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2063177659.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2065052796.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2055354003.000001BA76C9B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053587506.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052773045.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053154074.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2057847160.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052921054.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2057364949.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052636513.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2064914982.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2055354003.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053035794.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2058308533.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053458916.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: check.exe, 00000002.00000003.2103652909.0000017125A07000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2075752715.0000017125A10000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: check.exe, 00000002.00000003.2103211217.0000017125B13000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125842000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125B13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: check.exe, 00000002.00000002.2524141342.00000171253E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: check.exe, 00000002.00000003.2103211217.0000017125ABD000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524141342.000001712555C000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125ABD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: check.exe, 00000002.00000002.2524141342.000001712555C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl%q
Source: check.exe, 00000002.00000003.2103211217.0000017125B13000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125B13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: check.exe, 00000002.00000002.2524430915.0000017125842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crlodr0
Source: check.exe, 00000002.00000002.2524430915.0000017125ABD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: check.exe, 00000002.00000002.2524430915.0000017125928000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: check.exe, 00000002.00000003.2103211217.0000017125ABD000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125ABD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: check.exe, 00000002.00000002.2524430915.0000017125928000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: check.exe, 00000002.00000002.2524430915.0000017125ABD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: check.exe, 00000002.00000002.2524141342.00000171253E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: check.exe, 00000000.00000003.2052522544.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053232593.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2063177659.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2065052796.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2055354003.000001BA76C9B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053587506.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052773045.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053154074.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2057847160.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052921054.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2057364949.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052636513.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2064914982.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2055354003.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053035794.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2058308533.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053458916.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: check.exe, 00000000.00000003.2011027726.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2039966314.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2013713122.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2016374605.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2040435735.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037653938.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2023194086.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2022727094.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2014461201.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037890161.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2038525101.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2022727094.000001BA76C9F000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2038259241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2010259595.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2039620305.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037736775.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2014958772.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037551274.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2016573026.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037814241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2040329780.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: check.exe, 00000000.00000003.2011027726.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2039966314.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2013713122.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2016374605.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2040435735.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037653938.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2023194086.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2022727094.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2014461201.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037890161.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2038525101.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2038259241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2010259595.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2039620305.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037736775.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2014958772.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037551274.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2016573026.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037814241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2040329780.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2013080726.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: check.exe, 00000000.00000003.2052522544.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053232593.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2063177659.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2065052796.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2055354003.000001BA76C9B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053587506.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052773045.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053154074.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2057847160.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052921054.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2057364949.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052636513.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2064914982.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053035794.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2058308533.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053458916.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: check.exe, 00000000.00000003.2052522544.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053232593.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2063177659.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2065052796.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053587506.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052773045.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053154074.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2057847160.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052921054.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2057364949.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052636513.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2064914982.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2055354003.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053035794.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2058308533.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053458916.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: check.exe, 00000000.00000003.2053458916.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: check.exe, 00000000.00000003.2011027726.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2039966314.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2013713122.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2016374605.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2040435735.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037653938.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2023194086.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2022727094.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2014461201.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037890161.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2038525101.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2022727094.000001BA76C9F000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2038259241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2010259595.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2039620305.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037736775.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2014958772.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037551274.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2016573026.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037814241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2040329780.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: check.exe, 00000000.00000003.2038644507.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl
Source: check.exe, 00000000.00000003.2011027726.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2039966314.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2013713122.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2016374605.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2040435735.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037653938.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2023194086.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2022727094.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2014461201.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037890161.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2038525101.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2038259241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2010259595.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2039620305.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037736775.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2014958772.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037551274.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2016573026.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037814241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2040329780.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2013080726.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: check.exe, 00000000.00000003.2011027726.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2039966314.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2013713122.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2016374605.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2040435735.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037653938.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2023194086.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2022727094.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2014461201.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037890161.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2038525101.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2022727094.000001BA76C9F000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2038259241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2010259595.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2039620305.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037736775.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2014958772.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037551274.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2016573026.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037814241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2040329780.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: check.exe, 00000000.00000003.2052522544.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053232593.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2063177659.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2065052796.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2055354003.000001BA76C9B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053587506.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052773045.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053154074.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2057847160.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052921054.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2057364949.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052636513.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2064914982.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053035794.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2058308533.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053458916.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: check.exe, 00000000.00000003.2011027726.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2039966314.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2013713122.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2016374605.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2040435735.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037653938.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2023194086.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2022727094.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2014461201.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037890161.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2038525101.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2022727094.000001BA76C9F000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2038259241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2010259595.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2039620305.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037736775.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2014958772.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037551274.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2016573026.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037814241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2040329780.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: check.exe, 00000000.00000003.2011027726.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2039966314.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2013713122.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2016374605.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2040435735.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037653938.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2023194086.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2022727094.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2014461201.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037890161.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2038525101.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2038259241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2010259595.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2039620305.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037736775.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2014958772.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037551274.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2016573026.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037814241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2040329780.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2013080726.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: check.exe, 00000002.00000002.2525066678.0000017125EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: check.exe, 00000002.00000002.2525176467.00000171260DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://goo.gl/zeJZl.
Source: check.exe, 00000002.00000002.2524430915.0000017125842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: check.exe, 00000002.00000002.2524430915.0000017125928000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2076498290.0000017125928000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2076498290.00000171259D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: check.exe, 00000002.00000002.2524141342.00000171253E0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2076498290.0000017125985000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: check.exe, 00000002.00000002.2525066678.0000017125EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://mail.python.org/pipermail/python-dev/2012-June/120787.html.
Source: check.exe, 00000002.00000002.2524141342.00000171253E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es
Source: check.exe, 00000002.00000003.2103211217.0000017125B13000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125B13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: check.exe, 00000002.00000002.2524141342.00000171253E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.esO
Source: check.exe, 00000000.00000003.2052522544.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053232593.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2063177659.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2065052796.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2055354003.000001BA76C9B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053587506.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052773045.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053154074.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2057847160.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052921054.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2057364949.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052636513.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2064914982.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053035794.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2058308533.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053458916.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: check.exe, 00000000.00000003.2052522544.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053232593.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2063177659.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2065052796.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2055354003.000001BA76C9B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053587506.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052773045.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053154074.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2057847160.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052921054.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2057364949.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052636513.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2064914982.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2055354003.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053035794.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2058308533.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053458916.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: check.exe, 00000000.00000003.2011027726.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2039966314.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052522544.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2013713122.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2016374605.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053232593.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2040435735.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2063177659.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2065052796.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037653938.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2023194086.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2022727094.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2014461201.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037890161.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2038525101.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2022727094.000001BA76C9F000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2055354003.000001BA76C9B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2038259241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2010259595.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2039620305.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037736775.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: check.exe, 00000000.00000003.2011027726.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2039966314.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2013713122.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2016374605.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2040435735.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037653938.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2023194086.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2022727094.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2014461201.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037890161.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2038525101.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2022727094.000001BA76C9F000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2038259241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2010259595.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2039620305.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037736775.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2014958772.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037551274.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2016573026.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037814241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2040329780.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: check.exe, 00000000.00000003.2011027726.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2039966314.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2013713122.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2016374605.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2040435735.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037653938.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2023194086.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2022727094.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2014461201.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037890161.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2038525101.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2038259241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2010259595.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2039620305.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037736775.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2014958772.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037551274.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2016573026.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037814241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2040329780.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2013080726.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: check.exe, 00000000.00000003.2052522544.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053232593.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2063177659.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2065052796.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053587506.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052773045.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053154074.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2057847160.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052921054.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2057364949.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052636513.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2064914982.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2055354003.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053035794.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2058308533.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053458916.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: qtbase_cs.qm.0.dr	String found in binary or memory: http://qt-project.org/
Source: qtbase_cs.qm.0.dr	String found in binary or memory: http://qt.io/
Source: qtbase_cs.qm.0.dr	String found in binary or memory: http://qt.io/licensing/
Source: check.exe, 00000002.00000002.2524141342.000001712555C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: check.exe, 00000002.00000003.2103652909.0000017125A07000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/#
Source: check.exe, 00000002.00000002.2524141342.000001712555C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: check.exe, 00000002.00000002.2524141342.000001712555C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/E
Source: check.exe, 00000002.00000003.2103652909.0000017125A07000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/rQ
Source: check.exe, 00000002.00000003.2103652909.0000017125A07000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/rQrSrT3)
Source: check.exe, 00000002.00000002.2524982021.0000017125DE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: check.exe, 00000002.00000003.2103211217.0000017125B13000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125B13000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524141342.00000171253E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: check.exe, 00000002.00000003.2103211217.0000017125B13000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125B13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: check.exe, 00000002.00000003.2103211217.0000017125B13000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125B13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: check.exe, 00000002.00000003.2103211217.0000017125B13000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125B13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm
Source: check.exe, 00000002.00000003.2103211217.0000017125B13000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125B13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: check.exe, 00000002.00000003.2103211217.0000017125B13000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125B13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: check.exe, 00000002.00000002.2531739784.00007FF8A696A000.00000002.00000001.01000000.0000001E.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: check.exe, 00000002.00000002.2524430915.0000017125928000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2103211217.0000017125B13000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125B13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: check.exe, 00000002.00000002.2531739784.00007FF8A696A000.00000002.00000001.01000000.0000001E.sdmp	String found in binary or memory: http://www.color.org)
Source: check.exe, 00000000.00000003.2052522544.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053232593.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2063177659.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2065052796.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2055354003.000001BA76C9B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053587506.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052773045.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053154074.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2057847160.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052921054.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2057364949.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2052636513.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2064914982.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053035794.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2058308533.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2053458916.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: check.exe, 00000002.00000003.2103211217.0000017125B13000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125B13000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524141342.000001712555C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: check.exe, 00000002.00000002.2524141342.00000171253E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: check.exe, 00000002.00000003.2103211217.0000017125ABD000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125ABD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: check.exe, 00000002.00000003.2103211217.0000017125B13000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125B13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: check.exe, 00000002.00000003.2076498290.000001712588F000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: check.exe, 00000002.00000002.2523963332.00000171250FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: check.exe, 00000002.00000002.2524068336.00000171252E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/howto/mro.html.
Source: check.exe, 00000002.00000002.2523806883.0000017124EA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: check.exe, 00000002.00000002.2523806883.0000017124EA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: check.exe, 00000002.00000002.2523806883.0000017124F24000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: check.exe, 00000002.00000002.2523806883.0000017124EA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: check.exe, 00000002.00000002.2523806883.0000017124F24000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: check.exe, 00000002.00000002.2523806883.0000017124EA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: check.exe, 00000002.00000002.2523806883.0000017124EA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: check.exe, 00000002.00000002.2523806883.0000017124EA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: check.exe, 00000002.00000002.2523963332.00000171250A7000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2068859585.00000171250C3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2069289755.00000171250C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: check.exe, 00000002.00000002.2524844779.0000017125BE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: check.exe, 00000002.00000003.2103652909.0000017125A07000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2075752715.0000017125A10000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: check.exe, 00000002.00000002.2523963332.00000171250A7000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2068859585.00000171250C3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2523616723.0000017123588000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2069289755.00000171250C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: check.exe, 00000002.00000002.2526575512.0000017126920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/giampaolo/psutil/issues/875.
Source: check.exe, 00000002.00000002.2525176467.00000171260A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/psf/requests/pull/6710
Source: check.exe, 00000002.00000002.2523806883.0000017124F24000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: check.exe, 00000002.00000003.2069289755.00000171250C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: check.exe, 00000002.00000002.2523963332.00000171250A7000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2068859585.00000171250C3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2523616723.0000017123588000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2069289755.00000171250C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: check.exe, 00000002.00000002.2523963332.00000171250A7000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2071604842.0000017125584000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2069894042.0000017125597000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2070723164.0000017125584000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2069894042.0000017125535000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2071357779.0000017125584000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: check.exe, 00000002.00000002.2524357911.00000171256E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/wiki/Development-Methodology
Source: check.exe, 00000002.00000002.2523963332.00000171250A7000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2068859585.00000171250C3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2523616723.0000017123588000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2069289755.00000171250C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: check.exe, 00000002.00000002.2524844779.0000017125BE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: check.exe, 00000002.00000003.2075752715.0000017125A05000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: check.exe, 00000002.00000002.2524982021.0000017125DE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: check.exe, 00000002.00000002.2524982021.0000017125DE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
Source: check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: check.exe, 00000002.00000003.2103652909.0000017125A07000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2075752715.0000017125A10000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524141342.00000171253E0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: check.exe, 00000002.00000002.2524141342.00000171253E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: check.exe, 00000002.00000003.2076498290.00000171259D1000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2525176467.00000171260CC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: check.exe, 00000002.00000003.2072623547.00000171253FB000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125842000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2072020082.0000017125544000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524141342.000001712555C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: check.exe, 00000002.00000003.2075483897.0000017125AC5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524141342.00000171253E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: check.exe, 00000002.00000002.2524357911.00000171256E0000.00000004.00001000.00020000.00000000.sdmp, check.exe, 00000002.00000002.2526575512.0000017126998000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/dist/v22.11.0/node-v22.11.0-win-x64.zip
Source: check.exe, 00000002.00000002.2526575512.0000017126998000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/dist/v22.11.0/node-v22.11.0-win-x64.zip&
Source: check.exe, 00000002.00000002.2524982021.0000017125DE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/core-metadata/#core-metadata
Source: check.exe, 00000002.00000003.2076498290.00000171259D1000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/#file-format
Source: check.exe, 00000002.00000003.2076498290.00000171259D1000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file
Source: check.exe, 00000002.00000002.2524916171.0000017125CE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: check.exe, 00000002.00000003.2071604842.00000171254C6000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2070260521.00000171254C6000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2071108618.00000171254C6000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2067482215.00000171250A1000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2069289755.00000171250C3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524287430.00000171255E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: check.exe, 00000002.00000002.2539316123.00007FF8A8CF8000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: check.exe, 00000002.00000002.2525176467.00000171260A4000.00000004.00001000.00020000.00000000.sdmp, check.exe, 00000002.00000003.2072020082.0000017125544000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: check.exe, 00000002.00000002.2526575512.0000017126920000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/4457745#4457745.
Source: check.exe, 00000002.00000002.2524430915.0000017125928000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2076498290.0000017125928000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: check.exe, 00000002.00000003.2073528141.0000017125929000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2073047959.00000171254A6000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2072563086.0000017125897000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2074043295.00000171254A6000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524141342.00000171253E0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2072563086.0000017125928000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: check.exe, 00000002.00000003.2103652909.0000017125A07000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2075752715.0000017125A10000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: check.exe, 00000002.00000002.2524916171.0000017125CE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: check.exe, 00000002.00000002.2524916171.0000017125CE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: check.exe, 00000000.00000003.2011027726.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2039966314.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2013713122.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2016374605.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2040435735.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037653938.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2023194086.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2022727094.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2014461201.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037890161.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2038525101.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2022727094.000001BA76C9F000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2038259241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2010259595.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2039620305.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037736775.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2014958772.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037551274.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2016573026.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2037814241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000000.00000003.2040329780.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: check.exe, 00000000.00000003.2057847160.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2535350111.00007FF8A8000000.00000002.00000001.01000000.00000014.sdmp, check.exe, 00000002.00000002.2535157227.00007FF8A7F24000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: check.exe, 00000002.00000003.2072623547.00000171253FB000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125842000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2072020082.0000017125544000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: check.exe, 00000002.00000003.2075483897.0000017125AC5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524141342.00000171253E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/
Source: check.exe, 00000002.00000002.2539316123.00007FF8A8CF8000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.python.org/psf/license/)
Source: check.exe, 00000002.00000003.2076498290.00000171259D1000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: check.exe, 00000002.00000003.2103211217.0000017125B90000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125B90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: check.exe, 00000002.00000002.2524430915.0000017125842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: check.exe, 00000002.00000003.2103652909.0000017125A07000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000003.2075752715.0000017125A10000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524141342.00000171253E0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2524430915.0000017125985000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43B1000	0_2_00007FF7D43B1000
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43D08C8	0_2_00007FF7D43D08C8
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43D6964	0_2_00007FF7D43D6964
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43B89E0	0_2_00007FF7D43B89E0
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43D5C00	0_2_00007FF7D43D5C00
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43CE570	0_2_00007FF7D43CE570
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43C5D30	0_2_00007FF7D43C5D30
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43C1D54	0_2_00007FF7D43C1D54
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43C35A0	0_2_00007FF7D43C35A0
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43D5E7C	0_2_00007FF7D43D5E7C
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43CDEF0	0_2_00007FF7D43CDEF0
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43C9EA0	0_2_00007FF7D43C9EA0
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43C1F60	0_2_00007FF7D43C1F60
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43C8794	0_2_00007FF7D43C8794
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43D9728	0_2_00007FF7D43D9728
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43C1740	0_2_00007FF7D43C1740
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43B9800	0_2_00007FF7D43B9800
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43D1874	0_2_00007FF7D43D1874
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43C80E4	0_2_00007FF7D43C80E4
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43D40AC	0_2_00007FF7D43D40AC
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43C2164	0_2_00007FF7D43C2164
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43C1944	0_2_00007FF7D43C1944
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43C39A4	0_2_00007FF7D43C39A4
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43CDA5C	0_2_00007FF7D43CDA5C
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43BA2DB	0_2_00007FF7D43BA2DB
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43C1B50	0_2_00007FF7D43C1B50
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43C2C10	0_2_00007FF7D43C2C10
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43D3C10	0_2_00007FF7D43D3C10
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43BA474	0_2_00007FF7D43BA474
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43D08C8	0_2_00007FF7D43D08C8
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43D6418	0_2_00007FF7D43D6418
Source: C:\Users\user\Desktop\check.exe	Code function: 0_2_00007FF7D43BACAD	0_2_00007FF7D43BACAD
Source: C:\Users\user\Desktop\check.exe	Code function: 2_2_00007FF7D43B1000	2_2_00007FF7D43B1000
Source: C:\Users\user\Desktop\check.exe	Code function: 2_2_00007FF7D43D6964	2_2_00007FF7D43D6964
Source: C:\Users\user\Desktop\check.exe	Code function: 2_2_00007FF7D43CE570	2_2_00007FF7D43CE570
Source: C:\Users\user\Desktop\check.exe	Code function: 2_2_00007FF7D43C5D30	2_2_00007FF7D43C5D30
Source: C:\Users\user\Desktop\check.exe	Code function: 2_2_00007FF7D43C1D54	2_2_00007FF7D43C1D54
Source: C:\Users\user\Desktop\check.exe	Code function: 2_2_00007FF7D43C35A0	2_2_00007FF7D43C35A0

Source: check.exe, 00000000.00000003.2011027726.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5Gui.dll( vs check.exe
Source: check.exe, 00000000.00000003.2039966314.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqwindows.dll( vs check.exe
Source: check.exe, 00000000.00000003.2052522544.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs check.exe
Source: check.exe, 00000000.00000003.2007946068.000001BA76C91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsvcp140.dllT vs check.exe
Source: check.exe, 00000000.00000003.2013713122.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5Qml.dll( vs check.exe
Source: check.exe, 00000000.00000003.2051674191.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs check.exe
Source: check.exe, 00000000.00000003.2016374605.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5Svg.dll( vs check.exe
Source: check.exe, 00000000.00000003.2053232593.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs check.exe
Source: check.exe, 00000000.00000003.2040435735.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqwindowsvistastyle.dll( vs check.exe
Source: check.exe, 00000000.00000003.2065052796.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs check.exe
Source: check.exe, 00000000.00000003.2037653938.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqsvgicon.dll( vs check.exe
Source: check.exe, 00000000.00000003.2023194086.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs check.exe
Source: check.exe, 00000000.00000003.2022727094.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs check.exe
Source: check.exe, 00000000.00000003.2022727094.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibEGL.dll. vs check.exe
Source: check.exe, 00000000.00000003.2014461201.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5QmlModels.dll( vs check.exe
Source: check.exe, 00000000.00000003.2037890161.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqico.dll( vs check.exe
Source: check.exe, 00000000.00000003.2038525101.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqwbmp.dll( vs check.exe
Source: check.exe, 00000000.00000003.2038259241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqtga.dll( vs check.exe
Source: check.exe, 00000000.00000003.2010259595.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5DBus.dll( vs check.exe
Source: check.exe, 00000000.00000003.2039620305.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqwebgl.dll( vs check.exe
Source: check.exe, 00000000.00000003.2037736775.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqgif.dll( vs check.exe
Source: check.exe, 00000000.00000003.2053587506.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_wmi.pyd. vs check.exe
Source: check.exe, 00000000.00000003.2052773045.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs check.exe
Source: check.exe, 00000000.00000003.2053154074.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs check.exe
Source: check.exe, 00000000.00000003.2057847160.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs check.exe
Source: check.exe, 00000000.00000003.2052422634.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs check.exe
Source: check.exe, 00000000.00000003.2037551274.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqtuiotouchplugin.dll( vs check.exe
Source: check.exe, 00000000.00000003.2016573026.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5WebSockets.dll( vs check.exe
Source: check.exe, 00000000.00000003.2037814241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqicns.dll( vs check.exe
Source: check.exe, 00000000.00000003.2040329780.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqxdgdesktopportal.dll( vs check.exe
Source: check.exe, 00000000.00000003.2052921054.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs check.exe
Source: check.exe, 00000000.00000003.2013080726.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5Network.dll( vs check.exe
Source: check.exe, 00000000.00000003.2008470947.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsvcp140_1.dllT vs check.exe
Source: check.exe, 00000000.00000003.2052636513.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs check.exe
Source: check.exe, 00000000.00000003.2009071287.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5Core.dll( vs check.exe
Source: check.exe, 00000000.00000003.2038644507.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqwebp.dll( vs check.exe
Source: check.exe, 00000000.00000003.2064914982.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs check.exe
Source: check.exe, 00000000.00000003.2021051432.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs check.exe
Source: check.exe, 00000000.00000003.2039242883.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqoffscreen.dll( vs check.exe
Source: check.exe, 00000000.00000003.2037992789.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqjpeg.dll( vs check.exe
Source: check.exe, 00000000.00000003.2020867816.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs check.exe
Source: check.exe, 00000000.00000003.2038171488.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqsvg.dll( vs check.exe
Source: check.exe, 00000000.00000003.2038928031.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqminimal.dll( vs check.exe
Source: check.exe, 00000000.00000003.2053035794.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs check.exe
Source: check.exe, 00000000.00000003.2038361802.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqtiff.dll( vs check.exe
Source: check.exe, 00000000.00000003.2058308533.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs check.exe
Source: check.exe, 00000000.00000003.2053458916.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs check.exe
Source: check.exe	Binary or memory string: OriginalFilename vs check.exe
Source: check.exe, 00000002.00000002.2523750968.0000017124DE0000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs check.exe
Source: check.exe, 00000002.00000002.2546168051.00007FF8B8C1D000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs check.exe
Source: check.exe, 00000002.00000002.2546050631.00007FF8B8B43000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs check.exe
Source: check.exe, 00000002.00000002.2533094020.00007FF8A7133000.00000002.00000001.01000000.0000001D.sdmp	Binary or memory string: OriginalFilenameQt5Widgets.dll( vs check.exe
Source: check.exe, 00000002.00000002.2546501944.00007FF8B93D2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs check.exe
Source: check.exe, 00000002.00000002.2529215262.00007FF8A62EB000.00000002.00000001.01000000.00000020.sdmp	Binary or memory string: OriginalFilenameqwindows.dll( vs check.exe
Source: check.exe, 00000002.00000002.2546387863.00007FF8B8F8E000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs check.exe
Source: check.exe, 00000002.00000002.2545584951.00007FF8B7E63000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs check.exe
Source: check.exe, 00000002.00000002.2535350111.00007FF8A8000000.00000002.00000001.01000000.00000014.sdmp	Binary or memory string: OriginalFilenamelibsslH vs check.exe
Source: check.exe, 00000002.00000002.2535157227.00007FF8A7F24000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs check.exe
Source: check.exe, 00000002.00000002.2545782227.00007FF8B8836000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs check.exe
Source: check.exe, 00000002.00000002.2546733749.00007FF8B9F7A000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs check.exe
Source: check.exe, 00000002.00000002.2544927657.00007FF8A8F30000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamepython313.dll. vs check.exe
Source: check.exe, 00000002.00000002.2535537369.00007FF8A809F000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilenamemsvcp140.dllT vs check.exe
Source: check.exe, 00000002.00000002.2534509198.00007FF8A771C000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs check.exe
Source: check.exe, 00000002.00000002.2546616918.00007FF8B9849000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs check.exe
Source: check.exe, 00000002.00000002.2532493461.00007FF8A6BE9000.00000002.00000001.01000000.0000001E.sdmp	Binary or memory string: OriginalFilenameQt5Gui.dll( vs check.exe
Source: check.exe, 00000002.00000002.2536052027.00007FF8A8600000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilenameQt5Core.dll( vs check.exe
Source: check.exe, 00000002.00000002.2546841506.00007FF8BA4F6000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilenamemsvcp140_1.dllT vs check.exe
Source: check.exe, 00000002.00000002.2545044667.00007FF8B7842000.00000002.00000001.01000000.00000021.sdmp	Binary or memory string: OriginalFilenameqwindowsvistastyle.dll( vs check.exe
Source: check.exe, 00000002.00000002.2545469370.00007FF8B7E4A000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs check.exe
Source: check.exe, 00000002.00000002.2546277881.00007FF8B8CB6000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs check.exe

Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll0.0.dr	Static PE information: section name: _RDATA
Source: opengl32sw.dll.0.dr	Static PE information: section name: _RDATA
Source: qtuiotouchplugin.dll.0.dr	Static PE information: section name: .qtmetad
Source: qsvgicon.dll.0.dr	Static PE information: section name: .qtmetad
Source: MSVCP140.dll.0.dr	Static PE information: section name: .didat
Source: Qt5Core.dll.0.dr	Static PE information: section name: .qtmimed
Source: libcrypto-3.dll.0.dr	Static PE information: section name: .00cfg
Source: qgif.dll.0.dr	Static PE information: section name: .qtmetad
Source: qicns.dll.0.dr	Static PE information: section name: .qtmetad
Source: qico.dll.0.dr	Static PE information: section name: .qtmetad
Source: qjpeg.dll.0.dr	Static PE information: section name: .qtmetad
Source: qsvg.dll.0.dr	Static PE information: section name: .qtmetad
Source: qtga.dll.0.dr	Static PE information: section name: .qtmetad
Source: qtiff.dll.0.dr	Static PE information: section name: .qtmetad
Source: qwbmp.dll.0.dr	Static PE information: section name: .qtmetad
Source: qwebp.dll.0.dr	Static PE information: section name: .qtmetad
Source: qminimal.dll.0.dr	Static PE information: section name: .qtmetad
Source: libssl-3.dll.0.dr	Static PE information: section name: .00cfg
Source: python313.dll.0.dr	Static PE information: section name: PyRuntim
Source: qoffscreen.dll.0.dr	Static PE information: section name: .qtmetad
Source: qwebgl.dll.0.dr	Static PE information: section name: .qtmetad
Source: qwindows.dll.0.dr	Static PE information: section name: .qtmetad
Source: qxdgdesktopportal.dll.0.dr	Static PE information: section name: .qtmetad
Source: qwindowsvistastyle.dll.0.dr	Static PE information: section name: .qtmetad

Source:	Binary string: C:\Users\qt\work\qt\qtwebglplugin\plugins\platforms\qwebgl.pdb source: qwebgl.dll.0.dr
Source:	Binary string: C:\Users\qt\work\qt\qtsvg\plugins\iconengines\qsvgicon.pdb source: check.exe, 00000000.00000003.2037653938.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtsvg\plugins\imageformats\qsvg.pdb source: check.exe, 00000000.00000003.2038171488.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\generic\qtuiotouchplugin.pdb source: check.exe, 00000000.00000003.2037551274.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: check.exe, 00000002.00000002.2535457706.00007FF8A8065000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qico.pdb source: check.exe, 00000000.00000003.2037890161.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: check.exe, 00000002.00000002.2534926418.00007FF8A7DE2000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: check.exe, 00000000.00000003.2051674191.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2546685885.00007FF8B9F74000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: check.exe, 00000000.00000003.2021051432.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2546575032.00007FF8B9845000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: check.exe, 00000000.00000003.2052422634.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\styles\qwindowsvistastyle.pdb%% source: check.exe, 00000002.00000002.2544997796.00007FF8B7837000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\styles\qwindowsvistastyle.pdb source: check.exe, 00000002.00000002.2544997796.00007FF8B7837000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: check.exe, 00000002.00000002.2546344531.00007FF8B8F83000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qwebp.pdb source: qwebp.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: check.exe, 00000000.00000003.2052921054.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2546119308.00007FF8B8C16000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qico.pdb source: check.exe, 00000000.00000003.2037890161.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\generic\qtuiotouchplugin.pdb source: check.exe, 00000000.00000003.2037551274.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdbT source: check.exe, 00000002.00000002.2535757695.00007FF8A8526000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Gui.pdb source: check.exe, 00000002.00000002.2531739784.00007FF8A696A000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: check.exe, 00000000.00000003.2053035794.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2545983280.00007FF8B8B3B000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: check.exe, 00000000.00000003.2052522544.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2546452678.00007FF8B93CD000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: check.exe, 00000000.00000003.2053232593.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2545541797.00007FF8B7E59000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python313.pdb source: check.exe, 00000002.00000002.2539316123.00007FF8A8CF8000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: check.exe, 00000000.00000003.2052422634.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: check.exe, 00000000.00000003.2020867816.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtiff.pdbBB source: check.exe, 00000000.00000003.2038361802.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\platformthemes\qxdgdesktopportal.pdb source: check.exe, 00000000.00000003.2040329780.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: check.exe, 00000000.00000003.2065052796.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2534374966.00007FF8A7717000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: check.exe, 00000000.00000003.2008470947.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2546800017.00007FF8BA4F3000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: check.exe, 00000002.00000002.2534926418.00007FF8A7E7A000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: check.exe, 00000002.00000002.2535304851.00007FF8A7FC5000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdb source: check.exe, 00000002.00000002.2535757695.00007FF8A8526000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtiff.pdb source: check.exe, 00000000.00000003.2038361802.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qgif.pdb source: check.exe, 00000000.00000003.2037736775.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb(('GCTL source: check.exe, 00000000.00000003.2053587506.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtga.pdb source: check.exe, 00000000.00000003.2038259241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: check.exe, 00000000.00000003.2051674191.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2546685885.00007FF8B9F74000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: check.exe, 00000002.00000002.2534926418.00007FF8A7E7A000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qicns.pdb source: check.exe, 00000000.00000003.2037814241.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: check.exe, 00000000.00000003.2064914982.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2546231723.00007FF8B8CB3000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: check.exe, 00000000.00000003.2053035794.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2545983280.00007FF8B8B3B000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtwebglplugin\plugins\platforms\qwebgl.pdb11 source: qwebgl.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: check.exe, 00000000.00000003.2053154074.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2545736389.00007FF8B8833000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: check.exe, 00000000.00000003.2053587506.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Widgets.pdb source: check.exe, 00000002.00000002.2532774598.00007FF8A6F6A000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\platforms\qwindows.pdb source: check.exe, 00000002.00000002.2528894077.00007FF8A6284000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qwbmp.pdb source: check.exe, 00000000.00000003.2038525101.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: check.exe, 00000000.00000003.2058308533.000001BA76C94000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000002.00000002.2523750968.0000017124DE0000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\libEGL.pdb source: check.exe, 00000000.00000003.2022727094.000001BA76C93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: check.exe, 00000002.00000002.2535304851.00007FF8A7FC5000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: check.exe, 00000002.00000002.2545375262.00007FF8B7E2E000.00000002.00000001.01000000.00000013.sdmp

Source: C:\Users\user\Desktop\check.exe	Code function: String function: 00007FF7D43B2910 appears 31 times
Source: C:\Users\user\Desktop\check.exe	Code function: String function: 00007FF7D43B2710 appears 88 times

Source: C:\Users\user\Desktop\check.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:616:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2428

Source: C:\Users\user\Desktop\check.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: msvcp140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: qt5widgets.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\check.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior

Source: check.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: check.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: check.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: check.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: check.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: check.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: check.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: check.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: check.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: check.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: check.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\sip.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5QmlModels.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qgif.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\opengl32sw.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qtiff.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qwebp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qtga.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5WebSockets.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\QtCore.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Network.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\generic\qtuiotouchplugin.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\python313.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qjpeg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\platforms\qwindows.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Quick.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5DBus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\charset_normalizer\md.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\platforms\qwebgl.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qico.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qicns.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\platforms\qminimal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Qml.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\platforms\qoffscreen.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Svg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\MSVCP140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\QtGui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Widgets.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\QtWidgets.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Gui.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\MSVCP140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qsvg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\plugins\imageformats\qwbmp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI1802\_queue.pyd	Jump to dropped file

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report check.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_check.exe_f58d6737a278c17bbf3304669ee8828e0d15e7d_9c0b4d08_57770ad5-1995-4a7d-b8a3-fe7692bfa17c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4F04.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER503E.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER505E.tmp.xml

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\MSVCP140.dll

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\MSVCP140_1.dll

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Core.dll

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5DBus.dll

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Gui.dll

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Network.dll

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Qml.dll

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5QmlModels.dll

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Quick.dll

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Svg.dll

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5WebSockets.dll

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\Qt5Widgets.dll

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\VCRUNTIME140.dll

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\VCRUNTIME140_1.dll

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\d3dcompiler_47.dll

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\libEGL.dll

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\libGLESv2.dll

C:\Users\user\AppData\Local\Temp\_MEI1802\PyQt5\Qt5\bin\opengl32sw.dll

Windows Analysis Report
check.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre